NTP issues - clock is drifting and all NTP server report unreach/pending in statu

Started by tdalej, May 28, 2025, 07:51:46 PM

My time is about 9 minutes off -- compared to two other professionally (more than me at least) managed networks.
The default opnsense pool reported a DNS resolution failure in the logs:

Error    ntpd    error resolving pool 1.opnsense.pool.ntp.org: Name does not resolve (8)

so I added pool.ntp.org and us.pool.ntp.org and I'm still seeing status like below.
I do see this and many more servers in the list -- is the "Unreach/Pending" just a side effect of not being in sync?
Although the offset column shows I'm not as far off as it really is ...

I'd really like my gateway to sync up and provide NTP for the local networks ...

Status     Server     Ref ID     Stratum     Type     When     Poll     Reach     Delay     Offset     Jitter
Unreach/Pending     us.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     opnsense.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     134.215.155.177     216.239.35.0     2     u     14     64     7     48.304     +1.936     0.174
Unreach/Pending     158.51.99.19     17.253.26.125     3     u     16     64     7     42.716     +0.857     0.319
Unreach/Pending     72.14.183.239     45.79.1.70     3     u     13     64     7     16.266     +0.373     0.067
Unreach/Pending     74.208.25.46     198.46.254.130     3     u     13     64     7     36.483     +5.648     2.497

It takes 'em a bit to sync.
An additional option: time.cloudflare.com. Pool server quality varies, so I like to have a potentially unrelated carrier option.

There's definitely a DNS issue to look into because the default pools do resolve.

C:\>nslookup 1.opnsense.pool.ntp.org
Server:  UnKnown
Address:  192.168.30.1

Non-authoritative answer:
Name:    1.opnsense.pool.ntp.org
Addresses:  198.137.202.56
          212.227.240.160
          167.248.62.201
          23.186.168.127

As pfry said it takes some time, but you should eventually get some peers.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE i210

How long does it take to sync up?  Still almost 10 minutes out from local cell tower service time and internal time service from where I work.


Network Time Protocol Status
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending opnsense.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Outlier 134.215.155.177 216.239.35.0 2 u 410 512 377 47.497 +3.974 1.502
Outlier 158.51.99.19 17.253.26.125 3 u 302 512 377 41.426 +1.647 1.390
Outlier 72.14.183.239 127.67.113.92 2 u 42 512 377 16.133 +2.344 2.951
Candidate 108.61.215.221 162.159.200.1 4 u 511 512 377 22.939 +3.755 0.809
Candidate 192.155.94.72 132.163.96.2 2 u 33 512 377 24.175 +4.978 1.317
Outlier 62.72.0.70 209.151.225.100 3 u 163 512 377 50.970 -0.212 4.214
Active Peer 45.79.111.114 127.67.113.92 2 u 258 512 377 56.906 +2.950 1.572
Candidate 72.14.183.39 80.72.67.48 3 u 413 512 377 16.710 +3.197 2.877
Candidate 162.159.200.1 10.162.8.47 3 u 168 512 377 10.624 +2.746 5.546
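
Reading the two status tables above, as an added example (not part of any post in this thread, and not OPNsense code): it decodes the Reach column, which ntpd keeps as an 8-bit shift register printed in octal, so 7 means the last three polls were answered and 377 the last eight. It assumes the status page mirrors ntpq -p, where Offset is in milliseconds; the function names are illustrative.

```python
# Constructed sample: rows copied from the two status tables quoted in the thread.
SAMPLE = """\
Unreach/Pending  us.pool.ntp.org  .POOL.  16  p  -  64  0  0.000  +0.000  0.000
Unreach/Pending 134.215.155.177 216.239.35.0 2 u 14 64 7 48.304 +1.936 0.174
Outlier 62.72.0.70 209.151.225.100 3 u 163 512 377 50.970 -0.212 4.214
Active Peer 45.79.111.114 127.67.113.92 2 u 258 512 377 56.906 +2.950 1.572
Candidate 162.159.200.1 10.162.8.47 3 u 168 512 377 10.624 +2.746 5.546
"""


def decode_reach(octal_text):
    """Reach is an 8-bit shift register shown in octal; bit 0 is the newest poll."""
    reg = int(octal_text, 8) & 0xFF
    return [bool((reg >> i) & 1) for i in range(8)]  # newest poll first


def parse_row(line):
    # Status can contain a space ("Active Peer"), so count the 10 data fields from the right.
    parts = line.split()
    status = " ".join(parts[:-10])
    server, _refid, stratum, kind, _when, poll, reach, _delay, offset, _jitter = parts[-10:]
    return {
        "status": status,
        "server": server,
        "stratum": int(stratum),
        # Type 'p' rows are pool placeholders: they spawn the per-IP rows and stay at reach 0.
        "pool_placeholder": kind == "p",
        "poll_s": int(poll),
        "answered": sum(decode_reach(reach)),  # replies among the last 8 polls
        "offset_ms": float(offset),  # assumption: milliseconds, as in ntpq -p
    }


def summarize(text):
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    peers = [r for r in rows if not r["pool_placeholder"]]
    active = [r for r in peers if r["status"] == "Active Peer"]
    return {
        "placeholders": [r["server"] for r in rows if r["pool_placeholder"]],
        "sync_peer": active[0]["server"] if active else None,
        "sync_offset_ms": active[0]["offset_ms"] if active else None,
        "still_warming_up": [r["server"] for r in peers if r["answered"] < 8],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```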

If you mean that your OPNsense box itself is out of sync, then I'm out of ideas.  It looks like it should be syncing based on your log.  Check for any additional errors under Services->Network Time->Log File.

If you mean that your network clients are out of sync, then one thing to keep in mind is that they don't automatically take their time from OPNsense.  You have to manually configure each client to use your OPNsense IP as the time server if that's your goal.  You can also configure your DHCP options to offer your OPNsense IP as the time server, but clients are not required to use that, IIRC.  Most operating systems are pre-configured to use some public time server.  For example Windows clients use 'time.windows.com' unless you explicitly change it.  (BTW, it's possible that whatever your clients are using could be failing to resolve in DNS or getting blocked by firewall rules.)

I know from my experience that if the clock drift is too far out (say >5 minutes) the system will not sync.  In that instance you will need to manually set the time; then allow the NTP system to keep itself in-sync with the Stratum server(s) of choice.

I'd say that you should set the time to within a minute, and then see if sync is happening and it corrects.

You could also resolve one of those time sources and sync via its IP address. All my stuff syncs to a local GNSS server that I have, makes life easier.