Hi, guys,
I am using a FortiGate 400E HA with FortiOS v7.0.3 and some SD-WAN configuration, but I found that the local NTP server does not work for the LANs, as follows:
Forti400e_01 # config system dns
Forti400e_01 (dns) # show
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
Forti400e_01 (dns) # end
Forti400e_01 # diag sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xc1) S:2 T:97
server-version=4, stratum=2
reference time is e6a5da97.d048a955 -- UTC Tue Aug 16 08:57:59 2022
clock offset is -0.000284 sec, root delay is 0.127930 sec
root dispersion is 0.011673 sec, peer dispersion is 524290 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0x80) S:2 T:106
server-version=4, stratum=2
reference time is e6a5da97.d048a955 -- UTC Tue Aug 16 08:57:59 2022
clock offset is 0.004056 sec, root delay is 0.127930 sec
root dispersion is 0.011383 sec, peer dispersion is 524289 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0x80) S:2 T:106
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0x84) S:0 T:109 selected
server-version=4, stratum=2
reference time is e6a5da97.d048a955 -- UTC Tue Aug 16 08:57:59 2022
clock offset is -0.004134 sec, root delay is 0.127930 sec
root dispersion is 0.011551 sec, peer dispersion is 3670016 msec
Forti400e_01 # config sys ntp
Forti400e_01 (ntp) # show
config system ntp
set ntpsync enable
set syncinterval 10
set server-mode enable
set interface "VLAN329" "Pad WiFi" "VLAN323" "VLAN324"
end
Forti400e_01 (ntp) # end
Forti400e_01 # diag debug application ntpd -1
Debug messages will be on for 23 minutes.
Forti400e_01 # diag debug en
Forti400e_01 # name=ntp1.fortiguard.com, id=6432, cb=0x107b3e0
name=ntp2.fortiguard.com, id=6001, cb=0x107b3e0
waiting for 10 seconds ...
DNS ntp1.fortiguard.com -> 208.91.112.63
DNS ntp1.fortiguard.com -> 208.91.112.61
ntp_dns_cb:1921 in_flight=0 resolved=0 ipv6=0
waiting for 10 seconds ...
DNS ntp2.fortiguard.com -> 208.91.112.62
DNS ntp2.fortiguard.com -> 208.91.112.60
ntp_dns_cb:1921 in_flight=0 resolved=0 ipv6=0
waiting for 10 seconds ...
receive(10.32.9.253)
handle_client_message:951 from 10.32.9.253 vfid=0
Reply to 10.32.9.253.
waiting for 9 seconds ...
receive(10.32.9.11)
handle_client_message:951 from 10.32.9.11 vfid=0
Reply to 10.32.9.11.
waiting for 2 seconds ...
server_timer_func:2005 domain=ntp2.fortiguard.com in_flight=0 resolved=1 ipv6=0
Checked from the switch:
================
Switch#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0073 Hz, precision is 2**10
ntp uptime is 1744133704 (1/100 of seconds), resolution is 4000
reference time is E6A6B152.87AE15F0 (20:14:10.530 EST Tue Aug 16 2022)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.25 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000029352 s/s
system poll interval is 64, last update was 6273 sec ago.
Switch#show ntp associations
address ref clock st when poll reach delay offset disp
~10.32.9.254 .INIT. 16 0 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Switch#
Problem:
DNS works and external NTP works, but the local NTP server for the LAN does not work. For example:
LAN client 10.32.9.253 cannot sync with the local FortiGate server, 10.32.9.254.
Any recommendation or advice?
Many thanks
Benson LEI
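An added check, not from the post or from Fortinet: it parses the two outputs quoted above (FortiGate "diag sys ntp status" and Cisco "show ntp associations") and reports whether each side has a usable time source, which for the switch's entry for 10.32.9.254 means checking that it is not still .INIT. with reach 0 and stratum 16. The regexes are assumptions fitted to the lines in this post.

```python
import re
# Sample lines copied from this post's own CLI output, not constructed.
FGT_SYNCED = """\
synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xc1) S:2 T:97
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0x84) S:0 T:109 selected
"""
FGT_UNSYNCED = """\
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(1.pool.ntp.org) 45.55.58.103 -- reachable(0x80) S:5 T:5
ipv6 server(3.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
"""
CISCO_INIT = """\
address ref clock st when poll reach delay offset disp
~10.32.9.254 .INIT. 16 0 64 0 0.000 0.000 15937.
"""

# Field layout is an assumption fitted to the lines above; the S:/T: counters are kept opaque.
FGT_PEER = re.compile(r"^ipv[46] server\((?P<name>[^)]+)\) (?P<addr>\S+) -- "
                      r"(?P<state>reachable|unreachable)\(0x[0-9a-f]+\) S:\d+ T:\d+(?P<sel> selected)?$")
CISCO_PEER = re.compile(r"^\s*(?P<flags>[*#+x~-]*)(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)"
                        r"\s+\S+\s+\d+\s+(?P<reach>[0-7]+)")

def parse_fgt_ntp_status(text):
    """Return (synchronized, selected_addr, peers) from 'diag sys ntp status' lines."""
    synced, selected, peers = None, None, []
    for line in text.splitlines():
        m = re.match(r"synchronized: (yes|no)\b", line)
        if m:
            synced = m.group(1) == "yes"
            continue
        m = FGT_PEER.match(line.strip())
        if m:
            peers.append((m["name"], m["addr"], m["state"] == "reachable"))
            if m["sel"]:
                selected = m["addr"]
    return synced, selected, peers

def cisco_ok_polls(reach_octal):
    """Successful polls out of the last eight (Cisco prints reach in octal; 377 = all eight)."""
    return bin(int(reach_octal, 8)).count("1")

def cisco_peer_usable(text, server_ip):
    """True when the switch lists server_ip with non-zero reach and a real stratum (< 16)."""
    for line in text.splitlines():
        m = CISCO_PEER.match(line)
        if m and m["addr"] == server_ip:
            return cisco_ok_polls(m["reach"]) > 0 and int(m["st"]) < 16
    return False
```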
The correct solution:
Hi, guys,
on further checking of the FortiGate 400E HA status, I found the following:
Forti400e_01 # diag sys smc-ntp
status List SMC NTP setting.
Forti400e_01 # diag sys smc-ntp status
SMC NTP status: 0
Channel: 0
Link status: 0
Current NTP server IP address: 0.0.0.0
Timezone: 0
NTP poll interval: 0
NTP server 1 IP address: 0.0.0.0
NTP server 2 IP address: 0.0.0.0
After adding the default NTP servers, "show" gives the same result:
Forti400e_01 (smc-ntp) # show
config system smc-ntp
set ntpsync enable
config ntpserver
edit 1
set server 208.91.112.51
next
edit 2
set server 208.91.113.70
next
end
end
Forti400e_01 (smc-ntp) # get
ntpsync : enable
syncinterval : 60
channel : 5
ntpserver:
== [ 1 ]
id: 1
== [ 2 ]
id: 2
Forti400e_01 (smc-ntp) #
Forti400e_01 # diag sys smc-ntp status
SMC NTP status: 0
Channel: 0
Link status: 0
Current NTP server IP address: 0.0.0.0
Timezone: 0
NTP poll interval: 0
NTP server 1 IP address: 0.0.0.0
NTP server 2 IP address: 0.0.0.0
NTP server 3 IP address: 0.0.0.0
NTP server 4 IP address: 0.0.0.0
NTP server 5 IP address: 0.0.0.0
Forti400e_01 #
Any suggestion or recommendation? Thanks.
It is weird: when the local NTP server is enabled for only one interface, the local NTP server works;
after that, the local NTP server for many interfaces also works.
I am still trying to find out the cause.
Anyway, the FortiGate local NTP server works, as in the following test:
===================Switch ===================================================
Switch#sh ntp status
Clock is synchronized, stratum 2, reference is 10.32.9.254
nominal freq is 250.0000 Hz, actual freq is 250.0070 Hz, precision is 2**10
ntp uptime is 1746145304 (1/100 of seconds), resolution is 4000
reference time is E6A71808.876C8CB8 (03:32:24.529 EST Wed Aug 17 2022)
clock offset is 28.1929 msec, root delay is 3.91 msec
root dispersion is 72.40 msec, peer dispersion is 17.61 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000027943 s/s
system poll interval is 256, last update was 94 sec ago.
Switch#sh clock
03:34:09.100 EST Wed Aug 17 2022
Switch#sh clock
03:34:14.848 EST Wed Aug 17 2022
Switch#sh ntp status
Clock is synchronized, stratum 2, reference is 10.32.9.254
nominal freq is 250.0000 Hz, actual freq is 250.0070 Hz, precision is 2**10
ntp uptime is 1746147104 (1/100 of seconds), resolution is 4000
reference time is E6A71808.876C8CB8 (03:32:24.529 EST Wed Aug 17 2022)
clock offset is 28.1929 msec, root delay is 3.91 msec
root dispersion is 72.67 msec, peer dispersion is 17.61 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000027943 s/s
system poll interval is 256, last update was 112 sec ago.
Switch#
==========================================================================================
Forti400e_01 # exec time
current time is: 03:31:59
last ntp sync:Wed Aug 17 02:51:27 2022
Forti400e_01 # get sys ntp
ntpsync : enable
type : custom
syncinterval : 15
ntpserver:
== [ 1 ]
id: 1
== [ 2 ]
id: 2
== [ 3 ]
id: 3
== [ 4 ]
id: 4
== [ 5 ]
id: 5
source-ip : 0.0.0.0
source-ip6 : ::
server-mode : enable
authentication : disable
interface : "VLAN329" "VLAN323" "VLAN324" "Pad WiFi"
Forti400e_01 # show sys ntp
config system ntp
set ntpsync enable
set type custom
set syncinterval 15
config ntpserver
edit 1
set server "0.pool.ntp.org"
next
edit 2
set server "2.pool.ntp.org"
next
edit 3
set server "3.pool.ntp.org"
next
edit 4
set server "4.pool.ntp.org"
next
edit 5
set server "1.pool.ntp.org"
next
end
set server-mode enable
set interface "VLAN329" "VLAN323" "VLAN324" "Pad WiFi"
end
Forti400e_01 # diag sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(1.pool.ntp.org) 45.55.58.103 -- reachable(0x80) S:5 T:5
no data
ipv4 server(1.pool.ntp.org) 69.164.198.192 -- reachable(0x80) S:5 T:5
no data
ipv4 server(1.pool.ntp.org) 208.67.75.242 -- reachable(0x80) S:5 T:5
no data
ipv6 server(1.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(1.pool.ntp.org) 129.153.205.81 -- reachable(0x80) S:5 T:5
no data
ipv6 server(2.pool.ntp.org) 2604:a880:4:1d0::4a5:8000 -- unreachable(0x0) S:6 T:1
no data
ipv6 server(2.pool.ntp.org) 2620:46:8000:128::112 -- unreachable(0x0) S:6 T:1
no data
ipv6 server(2.pool.ntp.org) 2001:470:1f06:56f::2 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(3.pool.ntp.org) 108.61.73.244 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(3.pool.ntp.org) 174.136.99.6 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(3.pool.ntp.org) 104.194.8.227 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(2.pool.ntp.org) 204.2.134.162 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(2.pool.ntp.org) 38.229.56.9 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(0.pool.ntp.org) 104.171.113.34 -- reachable(0x80) S:5 T:6
no data
ipv4 server(0.pool.ntp.org) 38.229.59.9 -- reachable(0x80) S:5 T:6
no data
ipv4 server(3.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:2
no data
ipv6 server(4.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(4.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv6 server(3.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(3.pool.ntp.org) 158.101.13.142 -- unreachable(0x0) S:6 T:1
no data
ipv6 server(2.pool.ntp.org) 2001:19f0:200:144b::1000 -- unreachable(0x0) S:6 T:1
no data
ipv4 server(2.pool.ntp.org) 137.190.2.4 -- unreachable(0x0) S:6 T:1
no data
ipv6 server(0.pool.ntp.org) unresolved -- unreachable(0xff) S:0 T:0
no data
ipv4 server(0.pool.ntp.org) 198.211.103.209 -- reachable(0x80) S:5 T:6
no data
Forti400e_01 #