Created on 08-28-2012 09:00 AM
Edited on 03-25-2022 10:37 AM
By rrajaibrahim
Purpose
Scope
FortiOS 4.3 and FortiOS 5.0
Diagram
[NTP server]10.120.0.21-----------------10.120.0.125[FortiGate]
Expectations, Requirements
FortiGate clock synchronized with an NTP server using MD5 authentication.
Configuration
config system ntp
    set ntpsync enable
    set syncinterval 60
    set source-ip 10.120.0.125
    config ntpserver
        edit 1
            set ntpv3 enable
            set authentication enable
            set key fortinetsecret
            set key-id 234
            set server 10.120.0.21
        next
    end
end
Verification
FGT50B-5 # diag sys ntp status
server( 10.120.0.21 ) 10.120.0.21 -- Clock is synchronized
server-version=3, stratum=3
reference time is d3e7456b.38a02087 -- UTC Tue Aug 28 13:26:03 2012
clock offset is 0.193389 sec, root delay is 1578 msec
root dispersion is 4746 msec, peer dispersion is 2 msec
Troubleshooting
NTP uses UDP (protocol 17) on port 123 to communicate between the client and the servers.
FGT50B-5 # diagnose sniffer packet any 'port 123' 4 0 a
interfaces=[any] filters=[port 123]
2012-08-27 15:34:28.782291 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782308 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782319 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782758 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.783306 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783317 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783325 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783732 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.784414 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784425 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784433 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784841 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.785351 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785363 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785371 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785778 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
#diag debug application ntpd -1
#diag debug enable
FGT50B-5 # 2012-08-27 17:32:34 Start updating the system time ...
2012-08-27 17:32:34 add server 1: server 10.120.0.21
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 Adjust current time second=0, usec=2894
2012-08-27 17:32:34 waiting for 60 seconds ...
2012-08-27 17:07:35 waiting for 60 seconds ...
2012-08-27 17:08:35 Start updating the system time ...
2012-08-27 17:08:35 add server 1: server 10.120.0.21
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 Adjust current time second=0, usec=5310
2012-08-27 17:08:36 waiting for 60 seconds ...
2012-08-27 17:20:51 add server 1: server 10.120.0.21
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 no server suitable for synchronization found
2012-08-27 17:20:51
2012-08-27 17:20:51 waiting for 60 seconds ...
Client Request:
Server response:
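The `authentication passed` and `authentication failed` lines in the debug output come down to one check on the 20 bytes that follow the 48-byte NTP header: a 4-byte key ID and a 16-byte MD5 digest computed over the shared key followed by the header. The sketch below is an added example, not from the original article or from FortiOS; it reuses `key-id 234` and the key `fortinetsecret` from the configuration, assumes the key string is used as raw ASCII bytes (as ntpd does for MD5 keys), and the packets, the mismatched key `othersecret` and key ID 235 are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48    # bare NTP packet, the "udp 48" size in the sniffer output
MAC_LEN = 4 + 16       # 32-bit key ID + 128-bit MD5 digest

def build_header(version=3, mode=3):
    """Constructed 48-byte NTP header: LI=0, version/mode set, other fields zero."""
    return bytes([(version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)

def add_mac(header, key_id, key):
    """Append the key ID and MD5(key || header), the NTP symmetric-key MAC."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def check_packet(packet, keys, require_auth=True):
    """Return 'authentication passed', 'authentication failed' or 'no MAC'.

    keys maps key ID -> shared secret (bytes) configured on the receiver.
    """
    if len(packet) == NTP_HEADER_LEN:
        # A bare reply must be rejected when authentication is enabled;
        # accepting it would let anyone on the path strip the MAC.
        return "authentication failed" if require_auth else "no MAC"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "authentication failed"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keys.get(key_id)
    if key is None:                      # key ID not configured on this side
        return "authentication failed"
    expected = hashlib.md5(key + header).digest()
    ok = hmac.compare_digest(expected, trailer[4:])   # constant-time compare
    return "authentication passed" if ok else "authentication failed"

# key-id and key from the configuration on this page (key assumed raw ASCII).
CLIENT_KEYS = {234: b"fortinetsecret"}

def demo():
    """Classify four constructed server replies (mode 4) against CLIENT_KEYS."""
    hdr = build_header(version=3, mode=4)
    replies = [
        add_mac(hdr, 234, b"fortinetsecret"),   # matching key and key ID
        add_mac(hdr, 234, b"othersecret"),      # constructed: wrong key on server
        add_mac(hdr, 235, b"fortinetsecret"),   # constructed: wrong key ID
        hdr,                                    # MAC missing
    ]
    return [check_packet(r, CLIENT_KEYS) for r in replies]

if __name__ == "__main__":
    print(demo())
```

A packet that carries this MAC is 68 bytes of UDP payload, so an authenticated exchange appears in the sniffer as `udp 68` rather than `udp 48`, which gives a quick on-the-wire check that the MAC is actually being sent.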