Fortigate NTP client not working
Hello everyone!
I am tasked with installing and configuring new Fortigates on school premises.
I installed four so far and every one of them has a different time.
It seems the NTP Clients on all of them (Fortinet and custom servers) are not working.
Rebooting them does not solve the issue.
I am rolling out Version 7.013, because it is the Mature one, but also observed it with Version 7.4.1.
I tried to switch around several parameters for the custom server but without any success.
I am pasting the CLI NTP diagnose for your convenience.
Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(129.6.15.28) 129.6.15.28 -- reachable(0x80) S:5 T:8
no data
Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfe) S:0 T:0
no data
My custom server config:
Fortigate-GRG3RAD # show full system ntp
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit 1
            set server "129.6.15.28"
            set ntpv3 disable
            set authentication disable
            set interface-select-method auto # I tried interface-select-method SDWAN too
        next
    end
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode disable
end
The sync errors are small right now, but will get larger without a working ntp client.
Please tell me how to solve this issue.
Hello
- Try pinging the NTP server from your FGT
- Try pinging the NTP server from a local host behind the firewall
- Are you using SD-WAN?
All the servers are pingable from the Firewall and from a client behind it. They also show as "reachable" in the diagnose output.
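A successful ping shows only that ICMP passes, not that requests on UDP/123 are answered with a usable time. As an added example (not part of any post in this thread and not Fortinet code), the Python below can be run from a host behind the firewall to send one NTP client request and decode the reply header; the function names are hypothetical and the sample reply is constructed.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def build_request(version=4):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_response(packet):
    """Decode the header fields that decide whether a reply is usable."""
    if len(packet) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    first, stratum = packet[0], packet[1]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    info = {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "refid": packet[12:16],
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }
    # Stratum 0 is a kiss-o'-death (refid holds a code such as RATE or DENY);
    # leap 3 means the server's own clock is unsynchronized.
    info["usable"] = info["mode"] == 4 and 1 <= stratum <= 15 and info["leap"] != 3
    return info

def query(server, timeout=3.0):
    """Send one request over UDP/123; return the parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

def sample_reply(stratum, leap=0, refid=b"NIST", unix_time=1705046857):
    """Constructed server reply (mode 4) for offline testing, not a capture."""
    head = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])
    body = bytes(8) + refid + bytes(24)
    return head + body + struct.pack("!II", unix_time + NTP_EPOCH_OFFSET, 0)

if __name__ == "__main__":
    import sys
    print(query(sys.argv[1]) if len(sys.argv) > 1 else parse_response(sample_reply(1)))
```

A `None` result from `query` while ping succeeds points at UDP/123 being dropped or the reply not returning; a reply with `usable` false points at the server side (rate limiting or an unsynchronized source).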
Hi @FlowbowAT,
Please refer to this article to collect debugs: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshoot-NTP-synchronization-issue/ta-...
Regards,
Hi @FlowbowAT,
In addition to Hong's reply, please refer to this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-An-alternate-way-to-sync-the-NTP-server-to...
I configured the custom server, entered the static route to the Google NTP subnet and can ping each one of them successfully.
I used the debug commands outlined in the articles:
2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=1
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.4
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.12
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.8
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.0
2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=0
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 sys_update_timer_func:1803 synchronized=0
2024-01-12 08:07:37 Sorted NTP endpoints.
2024-01-12 08:07:37 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2024-01-12 08:07:37 no server suitable for synchronization found
Here is the process stack dump:
Fortigate-GRG3RAD # diagnose sys process pstack 245
Attaching to the target process...
Waiting for target process to stop...
Target process attached
FortiGate-100F v7.4.1,build2463b2463,230830 (GA.F) fortidev 6.0.1.0005
Detaching from target...
Target detached
I cannot post the full dump without exceeding the character limit.
The command "diagnose firewall iprope list | grep -f 123 -B11 -A1" shows no output at all.
Does this mean you must manually set up a policy to allow NTP?
Are you using SDWAN? Can you try to specify the interface as follows:
config system ntp
    config ntpserver
        edit <>
            set interface-select-method specify
            set interface wan1
    end
end
Regards,
Hello,
I tried to specify my outward-facing wan1 interface:
Fortigate-GRG3RAD (1) # show
config ntpserver
    edit 1
        set server "at.pool.ntp.org"
        set interface-select-method specify
        set interface "wan1"
    next
end
Servers are reachable, but still "no Data" error.
I will try upgrading the firmware to 7.4.2; perhaps this will solve the issue.
If the issue persists after the upgrade, you can run the debug again to see why it is failing.
Regards,