FlowbowAT
New Contributor

Fortigate NTP client not working

Hello everyone!

I am tasked with installing and configuring new Fortigates on school premises.

I installed four so far and every one of them has a different time. 

It seems the NTP Clients on all of them (Fortinet and custom servers) are not working. 

Rebooting them does not solve the issue.

 

I am rolling out Version 7.013, because it is the Mature one, but also observed it with Version 7.4.1.

I tried to switch around several parameters for the custom server but without any success.

 

I am pasting the CLI NTP diagnose for your convenience.

 

Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(129.6.15.28) 129.6.15.28 -- reachable(0x80) S:5 T:8
no data

 

Fortigate-GRG3RAD # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xfe) S:0 T:0
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfe) S:0 T:0
no data

 

My custom server config:

Fortigate-GRG3RAD # show full system ntp
config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "129.6.15.28"
set ntpv3 disable
set authentication disable
set interface-select-method auto #I tried interface-select-method SDWAN too
next
end
set source-ip 0.0.0.0
set source-ip6 ::
set server-mode disable
end

 

The sync errors are small right now, but will get larger without a working ntp client.

 

Please tell me how to solve this issue.

AEK
SuperUser

Hello

  • Try pinging the NTP server from your FGT
  • Try pinging the NTP server from a local host behind the firewall
  • Are you using SD-WAN?

 

FlowbowAT
New Contributor

All the servers are pingable from the Firewall and from a client behind it. They also show as "reachable" in the diagnose output.
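
A successful ping shows ICMP reachability only; it does not show that a usable NTP reply comes back on UDP port 123. The following is an added example, not part of the original thread: a minimal SNTP probe to run from a host behind the firewall, which decodes the reply fields that decide whether a server is usable. The function names and the two sample packets are constructed for illustration.

```python
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_request() -> bytes:
    """48-byte client request: LI=0, VN=4, Mode=3; all other fields zero."""
    return struct.pack("!B47x", (4 << 3) | 3)

def parse_response(pkt: bytes) -> dict:
    """Decode the header fields that decide whether a reply is usable for sync."""
    if len(pkt) < 48:
        raise ValueError(f"short NTP packet: {len(pkt)} bytes")
    flags, stratum = pkt[0], pkt[1]
    tx_sec, tx_frac = struct.unpack("!II", pkt[40:48])
    info = {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "refid": pkt[12:16],
            "tx_unix": tx_sec - NTP_TO_UNIX + tx_frac / 2**32}
    problems = []
    if info["mode"] != 4:
        problems.append("not a server reply")
    if info["leap"] == 3:
        problems.append("server reports unsynchronized clock (LI=3)")
    if stratum == 0:
        problems.append("kiss-o'-death: " + pkt[12:16].decode("ascii", "replace"))
    elif stratum > 15:
        problems.append("invalid stratum")
    if tx_sec == 0:
        problems.append("zero transmit timestamp")
    info["problems"] = problems
    return info

def query(server: str, timeout: float = 3.0) -> dict:
    """One request over UDP/123; socket.timeout means no NTP answer arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        pkt, _ = s.recvfrom(512)
    return parse_response(pkt)

def make_reply(leap: int, stratum: int, refid: bytes, tx_sec: int) -> bytes:
    """Build a constructed server reply for offline testing (not captured traffic)."""
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack("!BBbbII4s24xII", flags, stratum, 0, -20, 0, 0, refid, tx_sec, 0)

# Constructed samples: a healthy stratum-1 reply and a rate-limiting KoD reply.
GOOD = make_reply(0, 1, b"NIST", 1705046857 + NTP_TO_UNIX)
KOD = make_reply(3, 0, b"RATE", 1705046857 + NTP_TO_UNIX)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("KOD", KOD)):
        print(name, parse_response(pkt)["problems"])
```

Calling `query("129.6.15.28")` from a client behind the firewall either returns the decoded fields or raises `socket.timeout`, which separates "no NTP reply arrives" from "a reply arrives but is not usable".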

hbac
Staff
mle2802
Staff
FlowbowAT
New Contributor

I configured the custom server, entered the static route to the Google NTP subnet and can ping each one of them successfully.

 

I used the debug commands outlined in the articles:

 

2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=1
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.4
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.12
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.8
2024-01-12 08:07:37 DNS time.google.com -> 216.239.35.0
2024-01-12 08:07:37 ntp_dns_cb:1980 in_flight=0 resolved=0 ipv6=0
2024-01-12 08:07:37 waiting for 0 seconds ...
2024-01-12 08:07:37 sys_update_timer_func:1803 synchronized=0
2024-01-12 08:07:37 Sorted NTP endpoints.
2024-01-12 08:07:37 NTP daemon uses a upper end of -2000000000.000000 and a lower end of 2000000000.000000.
2024-01-12 08:07:37 no server suitable for synchronization found

 

Here is the process stack dump:

Fortigate-GRG3RAD # diagnose sys process pstack 245
Attaching to the target process...
Waiting for target process to stop...
Target process attached
FortiGate-100F v7.4.1,build2463b2463,230830 (GA.F) fortidev 6.0.1.0005

Detaching from target...
Target detached

 

I cannot post the full dump without exceeding the character limit.

 

The command "diagnose firewall iprope list | grep -f 123 -B11 -A1" shows no output at all. 

 

Does this mean you must manually set up a policy to allow NTP?

hbac

@FlowbowAT,

 

Are you using SDWAN? Can you try to specify the interface as follows:

 

config system ntp
config ntpserver
edit <>
set interface-select-method specify
set interface wan1
end
end

 

Regards, 

FlowbowAT
New Contributor

Hello, 

 

I tried to specify my outward-facing wan1 interface.

 

Fortigate-GRG3RAD (1) # show
config ntpserver
edit 1
set server "at.pool.ntp.org"
set interface-select-method specify
set interface "wan1"
next
end

 

Servers are reachable, but still the "no data" error.

 

I will try upgrading the firmware to 7.4.2; perhaps this will solve the issue.

 

 

hbac

@FlowbowAT,

 

If the issue persists after the upgrade, you can run the debug again to see why it is failing. 

 

Regards, 
