0

I'm trying to set System clock synchronized to yes. I constantly see "Timed out waiting for reply from [endpoint:123]" even after a hand full of different endoints.

scanlon@ogserver:~$ timedatectl
               Local time: Fri 2021-01-08 02:37:45 UTC
           Universal time: Fri 2021-01-08 02:37:45 UTC
                 RTC time: Fri 2021-01-08 02:37:45
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no

scanlon@ogserver:~$ systemctl status systemd-timesyncd
● systemd-timesyncd.service - Network Time Synchronization
     Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: e
     Active: active (running) since Fri 2021-01-08 01:44:49 UTC; 50min ago
       Docs: man:systemd-timesyncd.service(8)
   Main PID: 4799 (systemd-timesyn)
     Status: "Idle."
      Tasks: 2 (limit: 38041)
     Memory: 1.6M
     CGroup: /system.slice/systemd-timesyncd.service
             └─4799 /lib/systemd/systemd-timesyncd

Jan 08 02:28:15 ogserver systemd-timesyncd[4799]: Timed out waiting for reply from 192.168.0.1:123 (192.168.0.1).

My UFW is open on port 123
     To                         Action      From
     --                         ------      ----
[ 1] 2222/tcp                   ALLOW IN    Anywhere
[ 2] 22/tcp                     DENY IN     Anywhere
[ 3] 30303                      ALLOW IN    Anywhere
[ 4] 1300/tcp                   ALLOW IN    Anywhere
[ 5] 1200/udp                   ALLOW IN    Anywhere
[ 6] 123/tcp                    ALLOW IN    Anywhere
[ 7] 123/udp                    ALLOW IN    Anywhere
[ 8] 2222/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 9] 22/tcp (v6)                DENY IN     Anywhere (v6)
[10] 30303 (v6)                 ALLOW IN    Anywhere (v6)
[11] 1300/tcp (v6)              ALLOW IN    Anywhere (v6)
[12] 1200/udp (v6)              ALLOW IN    Anywhere (v6)
[13] 123/tcp (v6)               ALLOW IN    Anywhere (v6)
[14] 123/udp (v6)               ALLOW IN    Anywhere (v6)

my router's firewall is open in/out on 123.


I have tried multiple NTP endpoints in the config including:
default
google's
some .us one
the NTP server my router shows on its status page
the local gateway address in hopes my router could handle it.

In general my firewall is very locked down but my understanding was that NTP just needed 123 to be successful.

Any suggestions on how to prevent the timeouts to stop or get sync set to yes? I have waited hours with each endpoint to see if it just needed time to take but always came back to no sync and more timeouts in the logs.

DevAroundTheClock
  • 1

2 Answers2

0

My router has a firewall section where you can allow traffic in/out/both by port to 'all addresses'. It also has port forwarding. I had only completed the former and apparently I needed both. Does NTP protocol communication really initialize from the NTP server? I would have thought your own device (from behind the firewall) would ask what time it is and NTP server would be allowed to reply back through the firewall. Is that not the case?

DevAroundTheClock
  • 1
0

This is an old post but wanted to share how I fixed it. Yes, it should allow inbound response from NTP server when NTP client send sync request (outbound traffic) as long as Firewall is stateful and outbound port 123 to all destination IPv4/IPv6 (better to use hostname ntp.ubuntu.com if fw supports it) is allowed.

NOTE: We can only use either ntpd or systemd-timesyncd service but not both, systemd-timesyncd is recommended.

in my case, I had to fix time zone settings first, add firewall rule and then stop and start timedatectl service to force the time sync.

date
timedatectl list-timezones | grep US
timedatectl set-timezone US/Eastern //changed time zone
date
timedatectl status //System clock synchronized: no
systemctl status systemd-timesyncd //it was showing Initiating comms to NTP

Changed firewall settings for outbound UDP port 123 to all ipv4, then...

systemctl status systemd-timesyncd //Now it was showing ideal and timeouts
timedatectl status //still System clock synchronized: no

Then I stopped and started services and then time sync successfully.

date
timedatectl status
systemctl status systemd-timesyncd
systemctl stop systemd-timesyncd
systemctl start systemd-timesyncd
systemctl status systemd-timesyncd //Now it was showing ideal and sync attempted
date
timedatectl status //Now System clock synchronized: yes

I hope this helps.

Thanks,

LuvTech
  • 1