FlowbowAT
New Contributor

Fortigate NTP client not working

Hello everyone!

I am tasked with installing and configuring new Fortigates on school premises.

I installed four so far and every one of them has a different time. 

It seems the NTP Clients on all of them (Fortinet and custom servers) are not working. 

Rebooting them does not solve the issue.

 

I am rolling out Version 7.013, because it is the Mature one, but also observed it with Version 7.4.1.

I tried to switch around several parameters for the custom server but without any success.

 

I am pasting the CLI NTP diagnose for your convenience.

 

Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(129.6.15.28) 129.6.15.28 -- reachable(0x80) S:5 T:8
no data

 

Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfe) S:0 T:0
no data

 

My custom server config:

Fortigate-GRG3RAD # show full system ntp
config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "129.6.15.28"
set ntpv3 disable
set authentication disable
set interface-select-method auto #I tried interface-select-method SDWAN too
next
end
set source-ip 0.0.0.0
set source-ip6 ::
set server-mode disable
end

 

The sync errors are small right now, but will get larger without a working ntp client.

 

Please tell me how to solve this issue.
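
The `diagnose sys ntp status` output quoted in this post can be checked mechanically when several units have to be compared. The following is an added example, not part of the original post and not Fortinet code: the function names and capture labels are invented here, the two captures are copied from the post (the second shortened to two servers), and only the fields visible in that output are parsed.

```python
import re

STATUS_RE = re.compile(r"synchronized:\s*(\w+),\s*ntpsync:\s*(\w+)")
SERVER_RE = re.compile(
    r"ipv4 server\((?P<name>[^)]+)\)\s+(?P<ip>\S+)\s+--\s+"
    r"(?P<state>\w+)\((?P<reach>0x[0-9a-fA-F]+)\)"
)

def parse_ntp_status(text):
    """Parse one 'diagnose sys ntp status' capture into a dict."""
    status = {"synchronized": None, "ntpsync": None, "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS_RE.search(line):
            status["synchronized"] = m.group(1) == "yes"
            status["ntpsync"] = m.group(2) == "enabled"
        elif m := SERVER_RE.search(line):
            status["servers"].append({**m.groupdict(), "no_data": False})
        elif line == "no data" and status["servers"]:
            # "no data" belongs to the server line printed just above it
            status["servers"][-1]["no_data"] = True
    return status

def findings(captures):
    """Return (label, problem) pairs for captures that need attention."""
    out = []
    for label, text in captures.items():
        st = parse_ntp_status(text)
        if st["ntpsync"] and not st["synchronized"]:
            out.append((label, "ntpsync enabled but clock not synchronized"))
        for srv in st["servers"]:
            if srv["state"] == "reachable" and srv["no_data"]:
                out.append((label, f"{srv['name']} ({srv['ip']}) reachable, no data"))
    return out

# Captures copied from the post above; the labels are made up for this example.
CAPTURES = {
    "custom": """synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(129.6.15.28) 129.6.15.28 -- reachable(0x80) S:5 T:8
no data""",
    "fortiguard": """synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:0
no data""",
}

if __name__ == "__main__":
    print(*findings(CAPTURES), sep="\n")
```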

8 REPLIES 8
AEK
SuperUser

Hello

  • Try pinging the NTP server from your FGT
  • Try pinging the NTP server from a local host behind the firewall
  • Are you using SD-WAN?

 

AEK
FlowbowAT
New Contributor

All the servers are pingable from the Firewall and from a client behind it. They also show as "reachable" in the diagnose output.
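
A ping test exercises ICMP, while NTP runs over UDP port 123, so a separate check of the NTP exchange itself is useful from a host behind the firewall. The following is an added example, not part of the thread: a minimal SNTP query using the RFC 5905 header layout, with function names chosen for this example; it reports whether a server answers and whether the answer is usable for synchronization.

```python
import socket
import struct
import sys
import time

NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def to_ntp(unix_ts):
    """Unix time (float) -> NTP timestamp as (seconds, fraction)."""
    sec = int(unix_ts)
    return sec + NTP_UNIX_DELTA, int((unix_ts - sec) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39x2I", 0x23, *to_ntp(t1))

def parse_response(data, t1, t4):
    """Validate a reply to the request sent at t1 and received at t4."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = data[0], data[1]
    org_s, org_f, rx_s, rx_f, tx_s, tx_f = struct.unpack("!6I", data[24:48])
    mode, leap = flags & 0x7, flags >> 6
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if (org_s, org_f) != to_ntp(t1):
        raise ValueError("origin timestamp does not echo our request")
    t2, t3 = from_ntp(rx_s, rx_f), from_ntp(tx_s, tx_f)
    return {
        "stratum": stratum,
        # stratum 0 or 16, or leap indicator 3, means the server is not a usable source
        "usable": 1 <= stratum <= 15 and leap != 3,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),         # round-trip network delay
    }

def probe(server, timeout=3.0):
    """Send one query to UDP/123; raises socket.timeout if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(512)
        return parse_response(data, t1, time.time())

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

A timeout from `probe` means no UDP/123 reply came back on that path even though ICMP works; a reply with `usable` false means the server answered but is not offering synchronized time.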

hbac
Staff
mle2802
Staff
FlowbowAT
New Contributor

I configured the custom server, entered the static route to the Google NTP subnet, and can ping each one of them successfully.

 

I used the debug commands outlined in the articles:

 

2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=1
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.4
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.12
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.8
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.0
2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=0
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 sys_update_timer_func:1803 synchronized=0
2024-01-12 08:07:37 Sorted NTP endpoints.
2024-01-12 08:07:37 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2024-01-12 08:07:37 no server suitable for synchronization found

 

Here is the process stack dump:

Fortigate-GRG3RAD # diagnose sys process pstack 245
Attaching to the target process...
Waiting for target process to stop...
Target process attached
FortiGate-100F v7.4.1,build2463b2463,230830 (GA.F) fortidev 6.0.1.0005

 

I cannot post the full dump without exceeding the character limit.

 

The command "diagnose firewall iprope list | grep -f 123 -B11 -A1" shows no output at all. 

 

Does this mean you must manually set up a policy to allow NTP?

hbac

@FlowbowAT,

 

Are you using SDWAN? Can you try to specify the interface as follows:

 

config system ntp
config ntpserver
edit <>
set interface-select-method specify
set interface wan1
end
end

 

Regards, 

FlowbowAT
New Contributor

Hello, 

 

I tried to specify my outward facing wan1 interface

 

Fortigate-GRG3RAD (1) # show
config ntpserver
edit 1
set server "at.pool.ntp.org"
set interface-select-method specify
set interface "wan1"
next
end

 

Servers are reachable, but still "no Data" error

 

I will try upgrading the firmware to 7.4.2; perhaps this will solve the issue.

 

 

hbac

@FlowbowAT,

 

If the issue persists after the upgrade, you can run the debug again to see why it is failing. 

 

Regards, 
