aboodnet
New Contributor II

NTP not working

Dear, 

 

We want to use Fortigate NTP as the source to synchronize time in our environment. The configuration seems very simple but unfortunately it is not working. Please find the configuration below...

 

ROM-FG-80E # show system ntp
config system ntp
    set ntpsync enable
    set syncinterval 2
    set source-ip 192.168.2.254         (LAN interface)
    set server-mode enable
    set interface "dmz" "lan"
end

ROM-FG-80E # diag sys ntp status
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- unreachable(0x0) S:7 T:8 no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- unreachable(0x0) S:7 T:8 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- unreachable(0x0) S:7 T:8 no data
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- unreachable(0x0) S:7 T:8 no data

ROM-FG-80E # execute ping ntp2.fortiguard.com
PING ntp2.fortinet.net (208.91.112.51): 56 data bytes
64 bytes from 208.91.112.51: icmp_seq=0 ttl=48 time=239.8 ms
64 bytes from 208.91.112.51: icmp_seq=1 ttl=48 time=238.7 ms
64 bytes from 208.91.112.51: icmp_seq=2 ttl=48 time=238.6 ms
64 bytes from 208.91.112.51: icmp_seq=3 ttl=48 time=239.9 ms
64 bytes from 208.91.112.51: icmp_seq=4 ttl=48 time=238.6 ms

 

 

Any ideas on how to troubleshoot this?

 

Thanks in advance,

ede_pfau
Esteemed Contributor III

Could you sniff the traffic to a known NTP server? Like

di de en

di sniff packet wan1 'port 123 and host 192.53.103.104' 4 0 l ("ell")

 

This will only show the sync traffic, no pings.

 

Your problem is strange, in that NTP is almost always working immediately. I've seen on one occasion that the NTP server responded with "Too many connections", as a huge network was accessing it through the same, single public address via NAT. This can be avoided by directing clients to the FGT, and only the FGT querying the NTP server.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
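The exchange that 'diag sys ntp status' is attempting, and that the sniffer filter above would capture, is a single UDP request/reply on port 123; a successful ICMP ping to the server says nothing about it. The script below is an added example for this thread, not code from the thread or from Fortinet: run from a host on the LAN, it builds a client request, parses the server reply (stratum, leap indicator, kiss-o'-death code), checks that the reply echoes the request's transmit timestamp, and can bind the request to a chosen local address, which is the same lever as 'set source-ip' in 'config system ntp'. All sample packets are constructed in the code; the script name and any server name you pass on the command line are assumptions.

```python
"""Minimal SNTP (RFC 4330 / RFC 5905 client mode) request builder and reply parser.

Added example for the forum thread, not FortiOS code. Sample packets are constructed
with make_reply(); the server name given on the command line is an assumption.
"""
import socket
import struct
import sys
import time
from dataclasses import dataclass
from typing import Optional

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID,
# then reference / origin / receive / transmit timestamps as 32-bit second+fraction pairs
PACKET_FMT = "!BBbbII4s8I"  # 48 bytes


def build_request(version: int = 4) -> bytes:
    """Client request (mode 3). Only the transmit timestamp is filled in; the server
    must echo it back as the origin timestamp, which ties a reply to our request."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    tx_sec = int(now)
    tx_frac = int((now - tx_sec) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, tx_sec, tx_frac)


@dataclass
class NtpReply:
    leap: int              # 3 = clock not synchronised (alarm condition)
    version: int
    mode: int              # 4 = server reply to a unicast client request
    stratum: int           # 0 = kiss-o'-death, 1-15 = usable, 16 = unsynchronised
    ref_id: bytes
    transmit_time: float   # Unix seconds at which the server sent the reply
    kiss_code: Optional[str]  # ASCII code carried in ref_id when stratum is 0


def parse_reply(data: bytes, expected_origin: Optional[bytes] = None) -> NtpReply:
    """Decode a server reply; optionally enforce the RFC 5905 'bogus' check that
    the origin timestamp (bytes 24-31) echoes the transmit timestamp we sent."""
    if len(data) < 48:
        raise ValueError(f"NTP packet too short: {len(data)} bytes")
    if expected_origin is not None and data[24:32] != expected_origin:
        raise ValueError("origin timestamp does not echo our request; discarding reply")
    fields = struct.unpack(PACKET_FMT, data[:48])
    li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, ref_id = fields[:7]
    tx_sec, tx_frac = fields[13], fields[14]
    mode = li_vn_mode & 7
    if mode != 4:
        raise ValueError(f"expected server reply (mode 4), got mode {mode}")
    kiss = ref_id.decode("ascii", "replace").rstrip("\0") if stratum == 0 else None
    return NtpReply(leap=li_vn_mode >> 6, version=(li_vn_mode >> 3) & 7, mode=mode,
                    stratum=stratum, ref_id=ref_id,
                    transmit_time=tx_sec - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
                    kiss_code=kiss)


def is_usable(reply: NtpReply) -> bool:
    """True when time may be taken from the reply: synchronised source, real stratum.
    Stratum 0 is a kiss-o'-death (e.g. RATE = rate limited, DENY = access denied),
    i.e. the server answers but refuses to serve time."""
    return reply.leap != 3 and 1 <= reply.stratum <= 15


def make_reply(stratum: int, ref_id: bytes, tx_sec: int, tx_frac: int = 0,
               origin: bytes = b"\0" * 8, leap: int = 0) -> bytes:
    """Build a server-mode reply packet (constructed sample data, not a capture)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    org_sec, org_frac = struct.unpack("!II", origin)
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       0, 0, org_sec, org_frac, tx_sec, tx_frac, tx_sec, tx_frac)


def query(server: str, source_ip: Optional[str] = None, timeout: float = 3.0) -> Optional[NtpReply]:
    """One request/reply exchange; None means nothing came back ('unreachable').
    Binding to source_ip forces the local address the request leaves from, so the
    reply is addressed to it: it must be routable and permitted on the return path."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        if source_ip:
            sock.bind((source_ip, 0))
        sock.sendto(request, (server, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data, expected_origin=request[40:48])


if __name__ == "__main__":
    # Offline demonstration on constructed packets.
    good = parse_reply(make_reply(2, b"\0\0\0\0", 3_900_000_000, 1 << 31))
    kod = parse_reply(make_reply(0, b"RATE", 3_900_000_000))
    print("stratum-2 reply usable:", is_usable(good), "time:", good.transmit_time)
    print("kiss-o'-death code:", kod.kiss_code, "usable:", is_usable(kod))
    if len(sys.argv) > 1:  # optional live probe: python ntp_probe.py <server> [source_ip]
        reply = query(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
        print("unreachable" if reply is None else f"stratum {reply.stratum}, usable={is_usable(reply)}")
```

With no arguments the script only exercises the parser on constructed packets; pass a server name, and optionally a source address, to probe a live server. A `None` from `query()` is the host-side equivalent of the FortiGate's 'unreachable' (no reply, so look at routing, NAT and policy for UDP/123 in both directions), whereas a stratum-0 reply carrying a code such as RATE means the server is reachable but refusing to serve time, which is a different problem from the one the original poster shows.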
rwpatterson
Valued Contributor III

Have you tried different NTP servers? i.e. pool.ntp.org.

 

https://www.ntppool.org/en/

 

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ion_esecurity

In my case I was missing a policy to allow NTP outbound. The DIAG SYS NTP STATUS then showed reachable.

Ssh1

Any updates on this issue? We have a few NTP servers in our environment and our 2 A-A FGT 300E clusters don't sync the time. But other devices do the sync.
ede_pfau
Esteemed Contributor III

When I hit this problem the last time it was due to the source IP the FGT had picked. You can force a viable address in 'conf sys ntp' using 'set source-ip x.x.x.x'. Try that and observe if the NTP source appears to be 'reachable'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ssh1
New Contributor

I've already tried that, but it doesn't work. In the sniffer result I don't see any traffic to my NTP server, but 'diag debug application ntpd' gives me 'trying to sync'.
darsh23
New Contributor

Have you configured "set ha-direct enable" in the HA settings? Enable this and it should work.

 

Thanks, Darshan Shettar

DCX_Dezso
New Contributor II

I know I'm resurrecting an old thread here, but I hope someone sees this. This worked for me, and the time was off by only 4min. It also stopped me from connecting to FortiGuard.

Dezso Schaap