Created on 10-23-2023 12:39 AM
Edited on 09-18-2024 07:54 AM
By Jean-Philippe_P
Description
This article describes an alternate way to sync FortiGate time with a Google NTP server, in order to avoid error messages about the FortiGate time being out of sync.
Scope
FortiGate.
Solution
- Troubleshooting steps:
- Verify the NTP status by running the command:
diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:615 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:927 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:777 no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:105 no data
The output shows that NTP is not synchronized with the default FortiGuard NTP servers.
- Let's review the debug logging at the application layer:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ntpd -1
diagnose debug enable
- Output:
2023-07-31 12:56:18 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:18 Sorted NTP endpoints.
2023-07-31 12:56:18 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:18 no server suitable for synchronization found
2023-07-31 12:56:18 waiting for 10 seconds ...
2023-07-31 12:56:28 sys_update_timer_func:1803 synchronized=0
2023-07-31 12:56:28 Sorted NTP endpoints.
2023-07-31 12:56:28 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2023-07-31 12:56:28 no server suitable for synchronization found
2023-07-31 12:56:28 waiting for 10 seconds ...
The output shows the error message 'no server suitable for synchronization found'.
- Solution procedure:
- Change the NTP configuration to set a custom type and add the Google NTP server:
config system ntp
set type custom
config ntpserver
edit 1
set server time.google.com
next
end
end
- Configure a static route to the Google NTP segment 216.239.35.0/24 through the desired WAN interface:
config router static
edit <Available_ID>
set dst 216.239.35.0 255.255.255.0
set gateway X.X.X.X <- Replace with the gateway IP address of the proper WAN interface.
set device "wan1" <- Replace with the proper WAN interface.
next
end
- After applying the recommended configuration, the NTP service is now synced:
diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv6 server(time.google.com) 2001:4860:4806:4:: -- reachable(0xfe) S:0 T:212 no data
ipv6 server(time.google.com) 2001:4860:4806:c:: -- reachable(0xfe) S:0 T:212 no data
ipv6 server(time.google.com) 2001:4860:4806:8:: -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.12 -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.8 -- reachable(0xff) S:1 T:212 selected
server-version=4, stratum=1
reference time is e872a60e.36fc711c -- UTC Mon Jul 31 21:28:46 2023
clock offset is 3653.056885 sec, root delay is 0.000000 sec
root dispersion is 0.000076 sec, peer dispersion is 28 msec
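To monitor this state instead of checking it by hand, the status output can be parsed and alerted on. The following Python is an added example, not part of the original article or any Fortinet tooling; the function names and the 1-second offset threshold are assumptions, and the sample inputs are lines copied from the two outputs above.

```python
import re

# Sample inputs: lines copied from the two status outputs shown in this article.
BEFORE = """synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:615 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:927 no data"""
AFTER = """synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv6 server(time.google.com) 2001:4860:4806:4:: -- reachable(0xfe) S:0 T:212 no data
ipv4 server(time.google.com) 216.239.35.8 -- reachable(0xff) S:1 T:212 selected
clock offset is 3653.056885 sec, root delay is 0.000000 sec"""

PEER_RE = re.compile(r"^(ipv[46]) server\(([^)]+)\) (\S+) -- (\w+)\((0x[0-9a-fA-F]+)\) "
                     r"S:\d+ T:\d+ (.+)$")

def parse_ntp_status(text):
    """Parse 'diagnose sys ntp status' output into a dict."""
    status = {"synchronized": None, "peers": [], "offset_sec": None}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"synchronized: (yes|no),", line):
            status["synchronized"] = m.group(1) == "yes"
        elif m := PEER_RE.match(line):
            family, name, addr, state, reach, note = m.groups()
            status["peers"].append({
                "family": family, "name": name, "address": addr,
                "reachable": state == "reachable",
                "reach": int(reach, 16),          # hex value printed in parentheses
                "selected": note == "selected",
            })
        elif m := re.search(r"clock offset is (-?\d+(?:\.\d+)?) sec", line):
            status["offset_sec"] = float(m.group(1))
    return status

def findings(status, max_offset_sec=1.0):
    """List problems worth alerting on; max_offset_sec is an assumed threshold."""
    peers, out = status["peers"], []
    if not status["synchronized"]:
        out.append("not synchronized")
    if not any(p["reachable"] for p in peers):
        out.append("no reachable NTP server")
    if status["synchronized"] and not any(p["selected"] for p in peers):
        out.append("synchronized but no peer selected")
    offset = status["offset_sec"]
    if offset is not None and abs(offset) > max_offset_sec:
        out.append(f"clock offset {offset:.3f}s exceeds {max_offset_sec}s")
    return out

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(parse_ntp_status(sample)))
```

Accurate device time matters for log correlation and certificate validation, so the offset check is kept separate from the synchronized flag.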