Constant queries to NTP server every minute

Started by NTPTime, November 18, 2022, 10:43:08 AM

Doing tcpdump -i igb1 -n where igb1 is the WAN interface, as default, I see every minute 4 NTPv4 queries originating from the IP of the firewall.
I've already set as advanced options in the services_ntpd.php configuration page
minpoll 11
maxpoll 12

Still after a complete reboot there are the NTP queries every minute.

What's wrong here?

November 18, 2022, 07:48:53 PM #1 Last Edit: November 18, 2022, 08:00:33 PM by Fright
Quote:
I've already set as advanced options in the services_ntpd.php configuration page
minpoll 11
maxpoll 12

Not sure if you can just specify these options in "Advanced", since they only make sense as part of the configuration commands (pool, server, peer etc.).

So I think you can try to leave one (dummy) server in the Time Servers list and mark it as "do not use" and then add servers in the Advanced field with full server command syntax (including the minpoll/maxpoll values desired). Not tested.

According to NTP documentation, minpoll and maxpoll options are on the same line as the server name with defaults of 6 and 10, respectively.

You can only specify a server name from the GUI, and in /usr/local/etc/inc/plugins.inc.d/ntpd.inc, you can see that "maxpoll 9" is appended, along with the iburst, prefer and noselect options. Thus, minpoll is kept at its default of 6 (64s), which is what you see.

I tried to append " minpoll 8" directly to the server name - this comes out differently than expected (exposing an interesting bug in the GUI), but you could probably modify the config file in that way to achieve the wanted result.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Another option is to disable NTP and install the Chrony plugin.
- Jim

That does not help the polling interval, as the default is 64 seconds for chrony as well.

Thanks for the ideas. They don't seem to work  :'(

Disabled all default upstream servers and added in the advanced configuration section:

0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12



cat /var/etc/ntpd.conf
#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
server 2.opnsense.pool.ntp.org maxpoll 9 noselect
server 3.opnsense.pool.ntp.org maxpoll 9 noselect


disable monitor
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap


# custom options
0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12

But still every minute NTP requests originating from the firewall IP.

Misconfigured client in the LAN? Which servers are polled?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

There is no NAT and only 1 LAN client (Linux Debian host) for accessing the OPNsense firewall. So the traffic must be generated by OPNsense itself. If I use ntpdate -q 0.opnsense.pool.ntp.org on the client, I see in tcpdump the IP of the client and not of OPNsense.

Had a configuration error in the config. In the advanced section it must be

server 0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
server 1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12


But even after correcting this, access remains.

It might even be another problem. If I use

ntpdate -q 127.0.0.1
server 127.0.0.1, stratum 16, offset +0.000012, delay 0.02576
21 Nov 13:38:13 ntpdate[94238]: no server suitable for synchronization found

So NTP does not seem to get synchronized, and that could be the reason it tries every minute to get NTP time. When using the default config it could use 127.0.0.1 as time source.
Orphan mode is set to 12, so the stratum should be 12 and not 16 if something goes wrong.

It seems not to be a network problem, because directly querying the NTP server works.

ntpdate -q 0.opnsense.pool.ntp.org
server 136.243.66.91, stratum 2, offset +0.000677, delay 0.04018
server 136.243.7.20, stratum 3, offset +0.000930, delay 0.04022
server 131.234.220.232, stratum 1, offset +0.002389, delay 0.04488
server 178.215.228.24, stratum 2, offset +0.004708, delay 0.04243
21 Nov 13:38:07 ntpdate[72851]: adjust time server 131.234.220.232 offset +0.002389 sec


I'm not an NTP expert, so what's wrong here?

I'm too new to OPNsense to be sure, but from ntpd experience, this does have a whiff of a firewall problem. How about trying:
ntpdate -d 127.0.0.1
and making sure you get both transmit and receive back? That should answer the firewall question.

What does 'ntpq -p' tell you?

If it does not show you any servers, it is a firewall problem. I tried to monitor port 123 and do not see requests every minute. So it looks as if you do not get answers back. NTP is used via TCP and UDP, maybe ntpdate uses TCP (which works) and ntpd uses UDP?


ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
46.165.252.57 ( 254.48.138.1     2 u  286  512  377   10.307   -2.459   0.131
ntp-master.sasg 40.179.132.91    2 u  183  512  377   16.166   -2.988   0.673
rondra.lf-net.o 131.188.3.221    2 u  270  512  377   13.263   -2.691   0.119
vsrv02141.custo 85.220.190.246   3 u  475  512  377   15.217   -2.772   0.183
*ec2-3-64-117-20 131.188.3.221    2 u  38m  68m  377   14.804   -0.597   0.799
+ntp2.m-online.n 212.18.1.106     2 u 1592  68m  377   16.351   -2.385   0.747
+mx.ack512.net   237.17.204.95    2 u  35m  68m  377   14.864   -2.634   1.009
-stratum2-2.NTP. 129.70.137.82    2 u  36m  68m  377   17.166   -4.311   0.403


Using ntpdate -q <FW-IP> on the client now reports a stratum of 3 and adjusts time. Very strange. So it seems it needed some time to "warm up".

But two problems remain.
a) There are fewer, but still too many requests outgoing from the firewall to the NTP servers. With minpoll 11 it should be a maximum of one request about every 34 minutes per server. However, in less than half an hour there are many more requests:

13:13:55.513480 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:13:55.523772 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:14:08.506500 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:14:08.519856 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:15:37.544511 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:15:37.560575 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:19:53.544466 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:19:53.559624 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:22:36.544503 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:22:36.554784 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:23:06.544517 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:23:06.557841 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:24:37.494450 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:24:37.510702 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:28:44.544531 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:28:44.559751 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:31:27.513172 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:31:27.523540 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:31:51.493193 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:31:51.506546 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:33:16.544532 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:33:16.560865 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:37:47.517137 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:37:47.532543 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:40:20.534140 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:40:20.544507 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:40:30.487396 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:40:30.501628 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:41:29.498253 IP <FW-IP>.123 > 3.64.117.201.123: NTPv4, Client, length 48
13:41:29.513046 IP 3.64.117.201.123 > <FW-IP>.123: NTPv4, Server, length 48
13:42:16.505121 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:42:16.521219 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:43:55.484145 IP <FW-IP>.123 > 129.70.132.35.123: NTPv4, Client, length 48
13:43:55.504680 IP 129.70.132.35.123 > <FW-IP>.123: NTPv4, Server, length 48
13:45:03.544527 IP <FW-IP>.123 > 136.243.229.3.123: NTPv4, Client, length 48
13:45:03.559226 IP 136.243.229.3.123 > <FW-IP>.123: NTPv4, Server, length 48




b) Advanced section will be removed in a future version, so reducing the requests won't be possible anymore.
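A quick way to check claim a) against the capture itself is to group the outbound NTPv4 Client packets by destination and compute the shortest gap per server. The script below is an added example, not code from the thread or from OPNsense; it embeds a subset of the tcpdump lines posted above (with the `<FW-IP>` placeholder kept as posted) and assumes that all timestamps fall within one day, since `tcpdump` without `-tttt` prints only the time of day. A server whose shortest observed gap is below 2^minpoll cannot be running with the intended minpoll, and the implied exponent (the largest p with 2^p <= gap) tells you which poll setting it is actually using.

```python
import math
import re
from collections import defaultdict

# tcpdump -n line format for NTP client/server packets, as shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\S+)\.123 > (?P<dst>\S+)\.123: "
    r"NTPv4, (?P<kind>Client|Server), length \d+$"
)

# Subset of the capture posted in the thread (placeholder <FW-IP> kept as posted).
SAMPLE = """\
13:13:55.513480 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:13:55.523772 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:14:08.506500 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:14:08.519856 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:22:36.544503 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:23:06.544517 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:31:27.513172 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:31:51.493193 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:40:20.534140 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:40:30.487396 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:41:29.498253 IP <FW-IP>.123 > 3.64.117.201.123: NTPv4, Client, length 48
"""


def to_seconds(hms):
    """Convert HH:MM:SS to seconds since midnight (assumes one calendar day)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def client_queries(lines, fw_ip):
    """Group the timestamps of outbound NTP Client packets sent by fw_ip by destination."""
    by_dst = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["kind"] == "Client" and m["src"] == fw_ip:
            by_dst[m["dst"]].append(to_seconds(m["ts"]))
    return {dst: sorted(ts) for dst, ts in by_dst.items()}


def implied_poll_exponent(gap_seconds):
    """Largest p with 2**p <= gap: the poll exponent an observed gap is consistent with."""
    return int(math.floor(math.log2(gap_seconds)))


def poll_report(lines, fw_ip, minpoll):
    """Per destination: query count, shortest gap, implied exponent, and whether the
    shortest gap is below the 2**minpoll floor the configuration is supposed to enforce."""
    floor_s = 2 ** minpoll
    report = {}
    for dst, ts in client_queries(lines, fw_ip).items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        shortest = min(gaps) if gaps else None
        report[dst] = {
            "queries": len(ts),
            "min_gap_s": shortest,
            "implied_poll": implied_poll_exponent(shortest) if shortest else None,
            "below_minpoll": shortest is not None and shortest < floor_s,
        }
    return report


if __name__ == "__main__":
    for dst, info in poll_report(SAMPLE.splitlines(), "<FW-IP>", 11).items():
        print(dst, info)
```

Run against the full capture (`tcpdump -n -i igb1 udp port 123 > ntp.log`, then feed `ntp.log` to `poll_report`), a gap around 520 s maps to exponent 9, which is the poll value to look for in the ntpd configuration rather than the 11 that was intended.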

November 22, 2022, 04:31:12 PM #11 Last Edit: November 22, 2022, 04:47:03 PM by meyergru
It seems like you have more than 4 server lines configured or you added them dynamically.
Maybe the other servers get added by DHCP on your WAN connection? Or did you not enable "Deny state modifications (i.e. run time configuration) by ntpq and ntpdc" and "Deny packets that attempt a peer association"?

Whatever you configured, the output of "ntpq -p" shows the first four peers as having poll=512s, which is 2^9, while only the last four have 68m, which is 2^12. And it is exactly the first IP which shows up twice in 9 minutes, which corresponds to 512s.

So it looks more like a question of how those four additional servers get into your configuration than ntpd misbehaving.
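The reasoning in the previous post (512 s = 2^9, 68m = 2^12) can be automated so that a peer list is checked for associations running below the intended minpoll, and for peers that have missed recent polls. The following parser is an added example, not part of the thread or of OPNsense; it embeds the `ntpq -p` output posted above (including the stray "(" on the first remote, kept as posted) and assumes the standard `ntpq -p` column layout, where `when` and `poll` are printed either as plain seconds or with an m/h/d suffix and `reach` is an octal shift register of the last eight polls.

```python
import math

# ntpq -p output as posted in the thread (first remote kept as posted, stray "(" included).
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
46.165.252.57 ( 254.48.138.1     2 u  286  512  377   10.307   -2.459   0.131
ntp-master.sasg 40.179.132.91    2 u  183  512  377   16.166   -2.988   0.673
rondra.lf-net.o 131.188.3.221    2 u  270  512  377   13.263   -2.691   0.119
vsrv02141.custo 85.220.190.246   3 u  475  512  377   15.217   -2.772   0.183
*ec2-3-64-117-20 131.188.3.221    2 u  38m  68m  377   14.804   -0.597   0.799
+ntp2.m-online.n 212.18.1.106     2 u 1592  68m  377   16.351   -2.385   0.747
+mx.ack512.net   237.17.204.95    2 u  35m  68m  377   14.864   -2.634   1.009
-stratum2-2.NTP. 129.70.137.82    2 u  36m  68m  377   17.166   -4.311   0.403
"""

TALLY_CODES = "*+-#xo."          # ntpq tally codes that may prefix the remote column
UNITS = {"m": 60, "h": 3600, "d": 86400}


def interval_seconds(field):
    """ntpq prints 'when'/'poll' as plain seconds or with an m/h/d suffix ('-' = never)."""
    if field == "-":
        return None
    if field[-1] in UNITS:
        return int(field[:-1]) * UNITS[field[-1]]
    return int(field)


def missed_polls(reach):
    """Number of the last eight polls without a reply: reach is an octal bit mask."""
    return 8 - bin(int(reach, 8)).count("1")


def parse_ntpq(text):
    """Parse peer lines into dicts; the last nine whitespace fields are fixed columns,
    everything before them is the remote name (which may itself contain spaces)."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        tally, body = (line[0], line[1:]) if line[0] in TALLY_CODES else (" ", line)
        parts = body.split()
        if len(parts) < 10:
            continue
        refid, st, t, when, poll, reach, delay, offset, jitter = parts[-9:]
        poll_s = interval_seconds(poll)
        peers.append({
            "tally": tally,
            "remote": " ".join(parts[:-9]),
            "refid": refid,
            "stratum": int(st),
            "when_s": interval_seconds(when),
            "poll_s": poll_s,
            "poll_exp": round(math.log2(poll_s)),   # 512 -> 9, 68m (4080 s) -> 12
            "reach": reach,
            "offset_ms": float(offset),
        })
    return peers


def below_minpoll(peers, minpoll):
    """Remotes whose current poll exponent is lower than the minpoll you configured."""
    return [p["remote"] for p in peers if p["poll_exp"] < minpoll]


if __name__ == "__main__":
    peers = parse_ntpq(NTPQ_SAMPLE)
    for p in peers:
        print(f"{p['tally']}{p['remote']:<16} poll=2^{p['poll_exp']} missed={missed_polls(p['reach'])}")
    print("below minpoll 11:", below_minpoll(peers, 11))
```

On the box itself, `ntpq -p | python3 this_script.py` style piping can replace the embedded sample by reading `sys.stdin`; the interesting output is the `below_minpoll` list, which names exactly the associations that are not carrying the custom `minpoll 11 maxpoll 12` options.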

Thanks for shedding light on this.

There is no DHCP on WAN connection. IP is configured manually.
Options "Deny state modifications (i.e. run time configuration) by ntpq and ntpdc" and "Deny packets that attempt a peer association" are enabled.

Any other ideas to figure out how these ntp servers got configured?

The DNS aliases X.opnsense.pool.ntp.org resolve to multiple addresses, some of which are IPv6, so maybe that explains why there are more peers than configured. However, even if that is the case, I wonder why some have poll=9 and others poll=12.

You could try to use the IPs directly in the config to rule out DNS. Other than that, you would have to look through the code to see if any scripts add more peers, like rc.newwanip as a candidate.

Or you could increase ntpd logging for any hints.

Here is the complete ntpd config file.

#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
server 2.opnsense.pool.ntp.org maxpoll 9 noselect
server 3.opnsense.pool.ntp.org maxpoll 9 noselect


disable monitor
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap


# custom options
server 0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
server 1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12


OPNsense is a fresh install, so it's very strange where the other servers originate from. There is no IPv6 configured, so no connection can be made via IPv6.
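Two things stand out when the posted configuration files are read line by line: the first version had bare hostnames under "# custom options" (not a directive ntpd recognises), and the corrected version above declares each of the four pool hostnames twice, once with the GUI-generated `maxpoll 9 ... noselect` and once with the custom `minpoll 11 maxpoll 12`, which lines up with the eight peers and the two distinct poll values shown by `ntpq -p`. The auditor below is an added example, not code from the thread or from OPNsense; it embeds trimmed versions of both configs (two hostnames each, constructed from the posted files), applies the ntpd defaults of minpoll 6 and maxpoll 10 mentioned earlier in the thread, and reports unknown lines, duplicated hosts and inverted poll ranges. The directive list is a common subset of what ntpd accepts, not an exhaustive one.

```python
from collections import Counter

# Common ntpd.conf directives (subset; extend if your config uses others).
KNOWN_DIRECTIVES = {
    "server", "pool", "peer", "broadcast", "manycastclient", "unpeer",
    "restrict", "driftfile", "statsdir", "statistics", "filegen", "logconfig",
    "logfile", "pidfile", "tinker", "tos", "disable", "enable", "includefile",
    "keys", "trustedkey", "controlkey", "requestkey", "fudge", "interface",
    "leapfile",
}
ASSOC_KINDS = {"server", "pool", "peer"}
DEFAULT_MINPOLL, DEFAULT_MAXPOLL = 6, 10        # ntpd defaults: 64 s and 1024 s
VALUE_OPTIONS = {"minpoll", "maxpoll", "key", "version", "ttl", "mode"}

# Trimmed from the first config posted in the thread: bare hostnames, no "server" keyword.
CONF_BARE_HOSTNAMES = """\
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
# custom options
0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
"""

# Trimmed from the corrected config: every host now appears in two server lines.
CONF_DUPLICATED = """\
tinker panic 0
tos orphan 12
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
disable monitor
restrict default kod limited nomodify nopeer notrap
# custom options
server 0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
server 1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
"""


def parse_association(tokens):
    """Turn 'server host [opt [value]] ...' into a dict with effective poll bounds."""
    assoc = {"kind": tokens[0], "host": tokens[1], "minpoll": DEFAULT_MINPOLL,
             "maxpoll": DEFAULT_MAXPOLL, "flags": []}
    opts, i = tokens[2:], 0
    while i < len(opts):
        if opts[i] in VALUE_OPTIONS and i + 1 < len(opts):
            if opts[i] in ("minpoll", "maxpoll"):
                assoc[opts[i]] = int(opts[i + 1])
            i += 2
        else:
            assoc["flags"].append(opts[i])    # iburst, prefer, noselect, ...
            i += 1
    return assoc


def audit_ntpd_conf(text):
    """Report lines ntpd would not recognise, hosts declared more than once,
    and associations whose minpoll exceeds their maxpoll."""
    result = {"associations": [], "unknown_lines": [], "bad_poll_range": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in KNOWN_DIRECTIVES:
            result["unknown_lines"].append(line)
            continue
        if tokens[0] in ASSOC_KINDS and len(tokens) >= 2:
            assoc = parse_association(tokens)
            result["associations"].append(assoc)
            if assoc["minpoll"] > assoc["maxpoll"]:
                result["bad_poll_range"].append(assoc["host"])
    counts = Counter(a["host"] for a in result["associations"])
    result["duplicate_hosts"] = {h: n for h, n in counts.items() if n > 1}
    return result


if __name__ == "__main__":
    for name, conf in (("bare hostnames", CONF_BARE_HOSTNAMES), ("duplicated", CONF_DUPLICATED)):
        report = audit_ntpd_conf(conf)
        print(name, "unknown:", report["unknown_lines"], "duplicates:", report["duplicate_hosts"])
        for a in report["associations"]:
            print("  ", a["kind"], a["host"], f"poll 2^{a['minpoll']}..2^{a['maxpoll']}", a["flags"])
```

Pointing `audit_ntpd_conf` at `/var/etc/ntpd.conf` after each GUI change is a cheap regression check: an empty `unknown_lines` and an empty `duplicate_hosts` are what a clean configuration looks like, and the printed poll range per association shows at a glance which lines still carry the default minpoll of 6 or the GUI's maxpoll of 9.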