I am trying to configure ntp.conf with a stratum 1 server and also a peer VM on the same network. The config file is attached below. The problem is that the server with the IP address 10.6.11.171 does not seem to reach 10.6.11.170. All firewall rules are in place. They can communicate with 10.250.156.254. Any ideas?

The config file is as follows:

```
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap  noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 10.250.156.254 iburst prefer
peer 10.6.11.170 iburst
#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
```
Mus
  • Please add the output of `ntpq -npcrv` after `ntpd` has been running for a few minutes. – Paul Gear Aug 10 '19 at 00:20
  • Hi, thanks for the response. Please see below: – Mus Aug 14 '19 at 12:48
  • Hi, thanks for the response. Please see below:

    ```
    [root@PNL0000VSPR3840 ~]# ntpq -pncrv
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     10.250.156.254  .GNSS.           1 u   19   64  377  11269.1  -7533.1 349.462
     10.7.11.170     10.250.156.254   2 u  130 1024    0    0.000    0.000   0.000
     10.6.11.170     10.250.156.254   2 u  902   64    0    0.000    0.000   0.000
    associd=0 status=c018 leap_alarm, sync_unspec, 1 event, no_sys_peer,
    ```
    – Mus Aug 14 '19 at 12:50
  •
    ```
    version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:27 UTC 2018 (1)",
    processor="x86_64", system="Linux/3.10.0-957.27.2.el7.x86_64", leap=11,
    stratum=2, precision=-25, rootdelay=1548.115, rootdisp=1351.669,
    refid=10.250.156.254,
    reftime=e0fe49a1.72bdebd4 Wed, Aug 14 2019 9:49:37.448,
    clock=e0fe8148.83e7f372 Wed, Aug 14 2019 13:47:04.515, peer=0, tc=6,
    mintc=3, offset=0.000, frequency=116.545, sys_jitter=184.729,
    clk_jitter=0.000, clk_wander=17.769
    ```
    – Mus Aug 14 '19 at 12:50
  • For future viewers, please move the comments above to a correctly-formatted section in the question. – Paul Gear Aug 15 '19 at 00:19

1 Answer

You have 3 time sources:

  • 10.250.156.254 is a stratum 1 source which is reachable, but your system has a large offset from it (-7.5331 seconds)
  • 10.7.11.170 and 10.6.11.170 are stratum 2 sources syncing from 10.250.156.254, and are both unreachable.

Check your firewalls and access restrictions on 10.250.156.25. If `ntpdate -d 10.250.156.25` shows responses coming in, you likely have a firewall which allows NTP packets coming from high ports, but not from port 123.

Paul Gear
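
An added example (not part of the original answer or of ntpd): a small Python parser for the `ntpq -pn` billboard that decodes the octal `reach` register and flags the two conditions the answer reads off the output, unreachable peers and a large offset. The sample input is the output quoted in the comments above; the function names and the 128 ms limit (ntpd's default step threshold) are this example's own choices.

```python
# Constructed input: the peer billboard from the `ntpq -pn` output quoted in the comments.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.250.156.254  .GNSS.           1 u   19   64  377  11269.1  -7533.1 349.462
 10.7.11.170     10.250.156.254   2 u  130 1024    0    0.000    0.000   0.000
 10.6.11.170     10.250.156.254   2 u  902   64    0    0.000    0.000   0.000
"""

STEP_THRESHOLD_MS = 128.0  # ntpd's default step threshold (0.128 s)
TALLY_CHARS = "*+-#xo."    # peer-selection marks ntpq prints in column 0


def parse_peers(text):
    """Return one dict per association line of an `ntpq -pn` billboard."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        # Association lines have 10 columns; skip the header and the ==== rule.
        if len(fields) != 10 or fields[0] == "remote":
            continue
        tally, remote = "", fields[0]
        if remote[0] in TALLY_CHARS:          # mark is glued to the address
            tally, remote = remote[0], remote[1:]
        peers.append({
            "remote": remote, "tally": tally, "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),       # reach is printed in octal
            "offset_ms": float(fields[8]),
        })
    return peers


def diagnose(peer):
    """List the problems visible in one parsed association line."""
    findings = []
    answered = bin(peer["reach"]).count("1")  # 8-bit shift register, 1 = reply seen
    if answered == 0:
        findings.append("unreachable: no reply in the last 8 polls")
    elif answered < 8:
        findings.append(f"only {answered} of the last 8 poll slots answered")
    if answered and abs(peer["offset_ms"]) > STEP_THRESHOLD_MS:
        findings.append(f"offset {peer['offset_ms']:.1f} ms exceeds step threshold")
    return findings


if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["remote"], diagnose(p) or ["ok"])
```

A `reach` below 377 shortly after `ntpd` starts only means fewer than eight polls have been sent yet, so run the check once the daemon has been up for a few minutes.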