Connecting to Local NTP server with usg flex 500

AlexRiviera · April 2021

When trying to connect to my local ntp server the zywall shows a timeout error. Connecting to ntp servers in the internet is working. Other devices as switches (zyxel) or PC’s can connect to the local ntp server. Is there a known issue that the zywall is not able to connect to local ntp servers?

Zyxel_Can · April 2021

Hi @AlexRiviera,

I tested this symptom in our labs it works normal.

Can you share some information with us;

1- Do you have route to your internal NTP Server?

Can you test with following path;

Maintenance > Diagnostics > Network Tool > PING IPv4

2- Did you try to disable your NTP Server’s firewall or open port for NTP (UDP port 123)

3- Can you clarify that related service is running on NTP Server?(e.g. Windows Time)

4- For troubleshooting purposes, can you capture packets when syncing Time with NTP Server?

For that you can find the following path;

Maintenance > Diagnostics > Packet Capture > Choose Interfaces > Capture

5- If public NTP servers work properly but your local NTP Server can’t sync time it’s probably related to your NTP Server’s configuration.

Best regards.

AlexRiviera · April 2021

Thx for your extended Feedback.

1- Do you have route to your internal NTP Server?
-> Yes i get answer and 0% packetloss. So a route is there.

2- Did you try to disable your NTP Server’s firewall or open port for NTP (UDP port 123)

Firewall where ntp server is running is "down" / not running

3- Can you clarify that related service is running on NTP Server?(e.g. Windows Time)

Yes my Workstation as other servers are getting sync from ntp. (Tested again)

4- For troubleshooting purposes, can you capture packets when syncing Time with NTP Server?

Will do that.

The ntp server is running on a vlan in/on ethernet (zone) lan1. From which interface is the ntp client on the zywall making the request? WAN interface?

AlexRiviera · April 2021

Pakets captured, seems like the timeserver is giving an answer:

Frame 2: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)

Ethernet II, Src: NTPServer [entry modified because of privacy], Dst: ZyxelCom_[entry modified because of privacy]
Internet Protocol Version 4, Src: [correct IP] , [Dst: correct IP]

User Datagram Protocol, Src Port: 123, Dst Port: 53011

Network Time Protocol (NTP Version 4, server)

Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server

[Request In: 1]

[Delta Time: 0.000172000 seconds]

Peer Clock Stratum: secondary reference (2)

Peer Polling Interval: invalid (3)

Peer Clock Precision: 0.000000 seconds

Root Delay: 0.016098 seconds

Root Dispersion: 0.045975 seconds

Reference ID: 84.16.67.12

Reference Timestamp: Apr 6, 2021 18:04:03.410726043 UTC

Origin Timestamp: Apr 6, 2021 18:37:40.054865730 UTC

Receive Timestamp: Apr 6, 2021 18:37:40.053579426 UTC

Transmit Timestamp: Apr 6, 2021 18:37:40.053663200 UTC

Any ideas what's going wrong here?

Zyxel_Can · April 2021

Hi @AlexRiviera,

I tested put NTP Server into VLAN. It can still sync time.

Can you try to capture packets for LAN interfaces and share in this topic?

Best regards.

AlexRiviera · April 2021

Hi, thx for the answer. Well the capture is in my post above. Do you also need the request?

Zyxel_Can · April 2021

Hi @AlexRiviera,

Can you capture packets from LAN interfaces and send .cap file to me by private message so I can check for you?

AlexRiviera · April 2021

check your mailbox please.

Zyxel_Can · April 2021

Hi @AlexRiviera,

Unfortunately attached file is not readable.
Can you try following steps for .cap file and send me again by private message:

1 -First, start capturing packets:

In Web GUI, Maintenance > Diagnostics > Packet Capture > Capture:

Image: https://us.v-cdn.net/6029482/uploads/editor/q3/snxe5hquuiq8.png

2- Sync time with NTP Server:

Image: https://us.v-cdn.net/6029482/uploads/editor/y6/regzsbuz4dut.png

3- After synchronizing is failed go back to Maintenance > Diagnostics > Packet Capture > Capture menu and stop capturing.

Image: https://us.v-cdn.net/6029482/uploads/editor/bg/21q812u4lled.png

4- Download the captured .cap file and send me by private message without changing the extension.

Image: https://us.v-cdn.net/6029482/uploads/editor/q3/jhrqxbm6cd64.png

AlexRiviera · April 2021

cap is not allowd in PN. So i zipped it ok?

Zyxel_Can · April 2021

Hi @AlexRiviera,

In the packets you provided, I see request and reply.

In the second cycle's response I see:

=======================================================

Flags: 0xe4, Leap Indicator: unknown (clock unsynchronized), Version number: NTP Version 4, Mode: server

Reference ID: Unidentified reference source 'RATE'

=======================================================

What is the NTP Server’s operating system?

In the RFC document section 7.4 you can see explanation of "RATE" code. (https://tools.ietf.org/html/rfc5905)

Can you try to sync your time with a Windows Client?

For that you have to modify following registry entries;

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled = 1

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = 5

Then restart Windows Time service in the services.

Connecting to Local NTP server with usg flex 500

Comments

Categories

Security Highlight

Security Help Center