Hi,
since updating from 23.7 to 23.7.1, something regarding the ntpd seems to have changed. I now get the ntpd.log flooded with
...
Soliciting pool server 213.209.109.44
Soliciting pool server 2a01:238:4204:fc00:4b47:ee22:4277:df4e
Soliciting pool server 46.4.54.78
Soliciting pool server 2a01:238:4200:a000:8f15:af83:9bee:b97d
Soliciting pool server 185.232.69.65
Soliciting pool server 193.175.73.20
Soliciting pool server 162.159.200.123
Soliciting pool server 2a01:238:43f2:8900:dd04:e3a0:ee11:a73d
Soliciting pool server 162.159.200.123
Soliciting pool server 144.76.159.151
Soliciting pool server 159.69.69.50
Soliciting pool server 80.151.186.5
Soliciting pool server 85.25.148.4
Soliciting pool server 131.188.3.220
Soliciting pool server 195.201.20.16
Soliciting pool server 173.249.33.207
Soliciting pool server 213.209.109.45
Soliciting pool server 192.171.1.150
Soliciting pool server 87.106.180.117
...
for the default
# Upstream Servers
pool 0.opnsense.pool.ntp.org maxpoll 9 prefer
pool 1.opnsense.pool.ntp.org maxpoll 9
pool 2.opnsense.pool.ntp.org maxpoll 9
pool 3.opnsense.pool.ntp.org maxpoll 9
configuration.
Previously, ntpd was identifying itself as
ntpd 4.2.8p17@1.4004-o Fri Jul 28 02:13:36 UTC 2023
Now it is
ntpd 4.2.8p17@1.4004-o Tue Aug 8 02:15:10 UTC 2023
Any ideas?
EDIT: I reverted back to 23.7 and the problem vanished again, so it's definitely related to the 23.7.1 update.
Also seeing this as well. It doesn't appear to be syncing with the configured servers in the Web UI. I can manually force a sync with "ntpdate -u server.name" on some of the servers, some still won't sync when they could before.
The status is unreach/pending for all my configured NTP servers.
There's no issue here other than a more chatty log.
23.7.1 is a security update first and foremost, and has important fixes as well.
Reverting to 23.7 is ill-advised.
For me it's failing to sync time when before it was working. I think 23.7.1 broke something with NTP.
I can also watch the live firewall view, filter destination ports by '123' and see a constant spamming of all my NTP servers over and over but their status is all 'unreach/pending' when I check the NTP service on OPNsense.
Also for extra info, I was able to duplicate the same issue in my LAB. A 23.7 VM that was time syncing fine also exhibits the same behavior when updated to 23.7.1. :o
My NTP log:
2023-08-08T17:56:10-05:00 Informational ntpd Soliciting pool server 198.137.202.56
2023-08-08T17:56:03-05:00 Informational ntpd Soliciting pool server 64.111.99.224
2023-08-08T17:56:01-05:00 Informational ntpd Soliciting pool server 45.41.204.203
2023-08-08T17:55:05-05:00 Informational ntpd Soliciting pool server 74.6.168.73
2023-08-08T17:54:57-05:00 Informational ntpd Soliciting pool server 159.203.158.197
2023-08-08T17:54:57-05:00 Informational ntpd Soliciting pool server 45.55.58.103
2023-08-08T17:54:01-05:00 Informational ntpd Soliciting pool server 216.229.0.50
2023-08-08T17:53:52-05:00 Informational ntpd Soliciting pool server 159.89.86.140
2023-08-08T17:53:52-05:00 Informational ntpd Soliciting pool server 198.137.202.32
2023-08-08T17:52:54-05:00 Informational ntpd Soliciting pool server 204.93.207.12
2023-08-08T17:52:49-05:00 Informational ntpd Soliciting pool server 138.236.128.36
2023-08-08T17:52:45-05:00 Informational ntpd Soliciting pool server 155.248.196.28
2023-08-08T17:51:48-05:00 Informational ntpd Soliciting pool server 198.137.202.56
2023-08-08T17:51:41-05:00 Informational ntpd Soliciting pool server 138.236.128.36
2023-08-08T17:51:38-05:00 Informational ntpd Soliciting pool server 2001:470:b:22d::123
2023-08-08T17:50:41-05:00 Informational ntpd Soliciting pool server 74.6.168.73
2023-08-08T17:50:37-05:00 Informational ntpd Soliciting pool server 64.111.99.224
2023-08-08T17:50:31-05:00 Informational ntpd Soliciting pool server 2620:6:2000:104::48
2023-08-08T17:49:34-05:00 Informational ntpd Soliciting pool server 216.229.0.50
2023-08-08T17:49:30-05:00 Informational ntpd Soliciting pool server 45.55.58.103
2023-08-08T17:49:28-05:00 Informational ntpd Soliciting pool server 2607:f130:0:103:ff:ff:3ce3:d357
2023-08-08T17:48:28-05:00 Informational ntpd Soliciting pool server 204.93.207.12
2023-08-08T17:48:24-05:00 Informational ntpd Soliciting pool server 159.89.86.140
2023-08-08T17:48:22-05:00 Informational ntpd Soliciting pool server 2604:8800:52:81:38:229:52:9
2023-08-08T17:47:21-05:00 Informational ntpd Soliciting pool server 198.137.202.56
2023-08-08T17:47:20-05:00 Informational ntpd Soliciting pool server 138.236.128.36
2023-08-08T17:47:18-05:00 Informational ntpd Soliciting pool server 159.203.158.197
2023-08-08T17:46:18-05:00 Informational ntpd Soliciting pool server 74.6.168.73
2023-08-08T17:46:16-05:00 Informational ntpd Soliciting pool server 64.111.99.224
2023-08-08T17:46:14-05:00 Informational ntpd Soliciting pool server 198.137.202.32
2023-08-08T17:45:13-05:00 Informational ntpd Soliciting pool server 216.229.0.50
2023-08-08T17:45:12-05:00 Informational ntpd Soliciting pool server 45.55.58.103
2023-08-08T17:45:09-05:00 Informational ntpd Soliciting pool server 155.248.196.28
2023-08-08T17:44:07-05:00 Informational ntpd Soliciting pool server 159.89.86.140
2023-08-08T17:44:06-05:00 Informational ntpd Soliciting pool server 204.93.207.12
2023-08-08T17:44:05-05:00 Informational ntpd Soliciting pool server 45.41.204.203
2023-08-08T17:43:01-05:00 Informational ntpd Soliciting pool server 74.6.168.73
2023-08-08T17:43:00-05:00 Informational ntpd Soliciting pool server 45.55.58.103
2023-08-08T17:42:59-05:00 Informational ntpd Soliciting pool server 2001:470:b:22d::123
2023-08-08T17:41:55-05:00 Informational ntpd Soliciting pool server 216.229.0.50
2023-08-08T17:41:55-05:00 Informational ntpd Soliciting pool server 159.89.86.140
2023-08-08T17:41:54-05:00 Informational ntpd Soliciting pool server 2620:6:2000:104::48
2023-08-08T17:40:51-05:00 Informational ntpd Soliciting pool server 204.93.207.12
2023-08-08T17:40:49-05:00 Informational ntpd Soliciting pool server 2607:f130:0:103:ff:ff:3ce3:d357
2023-08-08T17:40:49-05:00 Informational ntpd Soliciting pool server 138.236.128.36
2023-08-08T17:39:45-05:00 Informational ntpd Soliciting pool server 64.111.99.224
2023-08-08T17:39:44-05:00 Informational ntpd Soliciting pool server 2604:8800:52:81:38:229:52:9
2023-08-08T17:39:43-05:00 Informational ntpd Soliciting pool server 198.137.202.56
2023-08-08T17:39:42-05:00 Informational ntpd kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
2023-08-08T17:39:42-05:00 Informational ntpd kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
And the associated status of the pool servers I'm using:
Network Time Protocol Status
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending 0.north-america.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 2.north-america.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 3.north-america.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Did you try not using pools? Disable all entries and try syncing with time.cloudflare.com.
Actually I'll do you one better, your servers don't work. Tried them all, then disabled 2 and added the fourth
NTP syncs just fine with pool.ntp.org
I tried the cloudflare URL and that came up okay with Active Peer status.
Even the default opnsense pools that are in the base config aren't syncing for me though on 23.7.1. Seems like it's some kind of issue with pools?
It might be related to this comment https://github.com/geerlingguy/ansible-role-ntp/pull/84#discussion_r584347214.
Quote
Seems like it's some kind of issue with pools?
Unsure and frankly I don't see any value running it as an insecure protocol over the internet - and speaking of pools, there's no such thing with NTS.
Chrony with NTS is a much better option that is available now everywhere.
- a minimum of 3 servers should be more than enough or anyone expecting time.cloudflare.com to disappear anytime soon :)
Quote from: allan on August 09, 2023, 03:12:59 AM
It might be related to this comment https://github.com/geerlingguy/ansible-role-ntp/pull/84#discussion_r584347214.
After two years...seems unlikely
Quote from: newsense on August 09, 2023, 03:20:28 AM
After two years...seems unlikely
The pool directive is a recent change, however.
23.7 and prior had the following in ntpd.conf:
server 0.opnsense.pool.ntp.org maxpoll 9
server 1.opnsense.pool.ntp.org maxpoll 9
server 2.opnsense.pool.ntp.org maxpoll 9
server 3.opnsense.pool.ntp.org maxpoll 9
Switching to pool means "restrict source ..." without nopeer is now required according to the man page.
Edit: I just migrated to 23.7.1 and "restrict source ... " was added but nopeer is listed. Adding this line to the Advanced textbox is a workaround until ntpd.conf is patched.
restrict source kod limited nomodify notrap
Yeah it's getting the nopeer in the defaults from somewhere but can't find yet where from, config.xml only has the server names
Quote
#
# Autogenerated configuration file
#
tinker panic 0
# Orphan mode stratum
tos orphan 12
# Max number of associations
tos maxclock 10
# Upstream Servers
pool 0.opnsense.pool.ntp.org iburst maxpoll 9
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify nopeer notrap
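The condition discussed in this thread (a `pool` directive combined with a `restrict source` line that still carries `nopeer`) can be checked mechanically. The following lint is an added example, not code from OPNsense or from PR 6724; `lint_ntp_conf` is a hypothetical helper, the sample is abridged from the generated file quoted above, and it assumes a later `restrict source` line replaces an earlier one, as the Advanced-textbox workaround relies on.

```python
# Added example: flag ntp.conf files where "pool" cannot mobilize servers.
GENERATED = """\
# Upstream Servers
pool 0.opnsense.pool.ntp.org iburst maxpoll 9
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify nopeer notrap
"""  # abridged from the generated file quoted in the thread
WORKAROUND = "restrict source kod limited nomodify notrap\n"  # line from the thread

def lint_ntp_conf(text):
    """Return findings for pool/nopeer conflicts (hypothetical helper)."""
    pools, default_flags, source_flags = [], set(), None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(tokens) < 2:
            continue
        if tokens[0] == "pool":
            pools.append(tokens[1])
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args[:1] == ["default"]:
                default_flags |= set(args[1:])
            elif args[:1] == ["source"]:
                # Assumption: a later "restrict source" line replaces an earlier one
                source_flags = set(args[1:])
    if not pools:
        return []  # "server" lines are configured associations; nopeer does not block them
    if source_flags is None:
        if "nopeer" in default_flags:
            return ["pool in use, default has nopeer, no 'restrict source' line"]
        return []
    if "nopeer" in source_flags:
        return ["'restrict source' has nopeer; pool servers stay unreachable: " + ", ".join(pools)]
    return []

if __name__ == "__main__":
    for name, conf in (("23.7.1 generated", GENERATED),
                       ("with workaround appended", GENERATED + WORKAROUND)):
        print(name, "->", lint_ntp_conf(conf) or "ok")
```
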
I submitted PR 6724 (https://github.com/opnsense/core/pull/6724). The change worked on my system. I hope they accept it.
Thanks, looks like Franco is already working on a hotfix.
Quote from: newsense on August 09, 2023, 12:52:47 AM
There's no issue here other than a more chatty log.
23.7.1 is a security update first and foremost, and has important fixes as well.
Reverting to 23.7 is ill-advised.
Reverting was just done to test whether the issue disappears, but as you might have realized in the meantime, it was not just a "chatty log" issue.
Thanks, Franco, for the quick hotfix.
Can confirm my NTP pool settings are once again working. Thanks to @allan and @Franco!