Fortinet Forum
rajamanickam
Contributor

NTP not syncing - Fortinet SDWAN

Hi,

 

I am using our datacenter FortiGate as the NTP server. From all the branches, I could see NTP sync towards the datacenter. From the DC, I am using FortiGuard as the NTP servers. My DNS reachability is fine, but my NTP server is still in an unreachable state. I have created a firewall policy for this traffic, since the source interface of NTP is a different interface which will forward the traffic to the internet interface (but I am not seeing a hit on that policy). I understand NTP is self-originating traffic. Initially, for a few seconds, I could see the NTP server as reachable, but later it went into unreachable status. It hasn't synced since then.

 

Not sure what config I am missing.

 

diagnose sys ntp status
HA master: yes, HA master ip: 1.0.0.0, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- unreachable(0x0) S:7 T:699
no data

jintrah_FTNT
Staff

Dear Rajamanickam,

 

It appears that the current link through which NTP traffic is sent does not succeed. You can try to force the traffic to FortiGuard NTP servers through other links and check the NTP status: https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/848980/local-out-traffic

 

Best regards,

Jin

aahmadzada
Staff

Hi,

Try to configure the interface-select-method parameter as sdwan so that the SD-WAN policies will be respected for the NTP traffic.

https://docs.fortinet.com/document/fortigate/6.4.8/cli-reference/125620/config-system-ntp

rajamanickam
Contributor

When I point NTP to the FortiGuard servers, I am not getting the option to select SDWAN as the interface-select-method. I could see that only when I create custom NTP servers.

 

Regards

Raja

vtsonev

Hello Raja,

 

When you use "set type fortiguard" in NTP settings, then it will use the configuration under "config system fortiguard". 

 

config system fortiguard
    set interface-select-method {auto|sdwan|specify}
end

 

Best regards,

Vasil

Fortinet Technical Team Lead
NSE 1-4,7 Certified
rajamanickam

Thanks Vasil, let me try this and update.
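
For checking the result after a change like the one suggested above, here is an added example (not posted by anyone in this thread, and not Fortinet code) that parses the "diagnose sys ntp status" output quoted in the opening post and lists the conditions worth alerting on. The line format is taken from that output; the state word "reachable" for a healthy server is an assumption, since only "unreachable" appears on this page.

```python
import re

# Sample input: lines copied from the output in the opening post.
PAGE_SAMPLE = """\
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- unreachable(0x0) S:7 T:699
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- unreachable(0x0) S:7 T:699
no data
"""

HEADER_RE = re.compile(
    r"synchronized:\s*(\w+),\s*ntpsync:\s*(\w+),\s*server-mode:\s*(\w+)")
SERVER_RE = re.compile(
    r"^(ipv[46]) server\(([^)]*)\)\s+(\S+)\s+--\s+(\w+)\((0x[0-9a-fA-F]+)\)")

def parse_ntp_status(text):
    """Return the header flags and one dict per upstream server line."""
    status = {"synchronized": None, "server_mode": None, "servers": []}
    for line in map(str.strip, text.splitlines()):
        header = HEADER_RE.search(line)
        server = SERVER_RE.match(line)
        if header:
            status["synchronized"] = header.group(1) == "yes"
            status["server_mode"] = header.group(3) == "enabled"
        elif server:
            family, name, addr, state, reach = server.groups()
            # Assumption: a healthy server is reported with the word "reachable".
            status["servers"].append({"family": family, "name": name, "addr": addr,
                                      "reachable": state == "reachable", "reach": reach})
    return status

def findings(status):
    """List the conditions worth alerting on; an empty list means healthy."""
    if status["synchronized"] is None:
        return ["no status header found: output format not recognised"]
    out = []
    servers = status["servers"]
    if not status["synchronized"]:
        out.append("clock not synchronized")
    if servers and not any(s["reachable"] for s in servers):
        out.append("all upstream servers unreachable")
    if status["server_mode"] and not status["synchronized"]:
        out.append("serving NTP to clients while unsynchronized")
    return out

if __name__ == "__main__":
    for item in findings(parse_ntp_status(PAGE_SAMPLE)):
        print("ALERT:", item)
```

The third finding matters in this thread's setup because the branches take their time from the datacenter unit, so its sync state affects the timestamps on every branch's logs.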