Troubleshooting NTP Time Synchronization
Novell Cool Solutions: Trench
By Siddharth Jagtiani
Posted: 18 Jun 2003
The Problem
Time does not synchronize with Consolidated Support Pack 9 (CSP9) the way it used to on CSP8. I had to rev back the timesync.nlm to CSP8 timesync.nlm.
The Solution
Most probably you are contacting an NTP (Network Time Protocol) source outside your firewall for time information. This server should be the only server that contacts an external source for time, or your network will suffer from high bandwidth utilization.
Timesync with CSP8 opens port 123 both for sending requests and for receiving requests from other servers. This means that if you are contacting other servers for time through your firewall, external servers can also contact you for time. This may not be desirable. Hence, in CSP9, timesync sends requests from a freshly opened dynamic port to the time provider's port 123, and receives time requests on its own port 123.
So when timesync sends a request for time, Src Port = dynamic and Dest port = 123. For this purpose you need to open your firewall for Dest Port 123 for outgoing packets.
However, on the firewall you cannot configure a filter for Src port = dynamic port. Hence you need to configure timesync to use a statically designated port on the one server that is going out for time. You can do this with "set timesync NTP Client port = <port number>". Then give this <port number> to your firewall engineer, who must configure the firewall to allow packets going out from <server ipa>:<src port=port number> to <time provider ipa>:123, and also to allow the returning packet back in.
What if <time provider ipa> sends a time request to <server ipa>? Since this request will be on port 123, your firewall will disallow it.
What if <time provider ipa> sends a time request to <server ipa> on the NTP Client port? This request will be on the NTP Client port, so timesync will discard it and throw the message "NetWare Peering packet <time provider ipa>. Discarding the packet.".
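The cases above can be checked against a small model of the firewall rules. This is an added example, not code from the article or from Novell; the addresses, the port number 50123, the assumption that the provider sends from port 123, and the function names are all constructed for illustration, and the timesync check is a simplified stand-in for the discard behaviour described above.

```python
from typing import NamedTuple, Optional

# Constructed values (documentation address ranges), not taken from the article.
SERVER = "192.0.2.10"      # the one server that goes outside for time
PROVIDER = "198.51.100.5"  # external NTP time provider
CLIENT_PORT = 50123        # hypothetical "NTP Client port" setting
NTP_PORT = 123

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "request" or "reply"; invisible to a port-based filter

class Rule(NamedTuple):
    name: str
    src: str
    sport: int
    dst: str
    dport: int

# Stateless allow list for UDP; anything that matches no rule is dropped.
RULES = [
    Rule("time-request-out", SERVER, CLIENT_PORT, PROVIDER, NTP_PORT),
    Rule("time-reply-in", PROVIDER, NTP_PORT, SERVER, CLIENT_PORT),
]

def firewall(p: Packet) -> Optional[str]:
    """Return the name of the first rule that allows p, or None if dropped."""
    for r in RULES:
        if (p.src, p.sport, p.dst, p.dport) == (r.src, r.sport, r.dst, r.dport):
            return r.name
    return None

def trace(p: Packet) -> str:
    """Follow one packet through the firewall and, if inbound, to timesync."""
    if firewall(p) is None:
        return "dropped by firewall"
    if p.dst == PROVIDER:
        return "forwarded to time provider"
    # Inbound on the client port: the filter sees only addresses and ports,
    # so timesync decides (simplified model of the discard described above).
    return "time accepted" if p.kind == "reply" else "discarded by timesync"

if __name__ == "__main__":
    for p in [
        Packet(SERVER, CLIENT_PORT, PROVIDER, NTP_PORT, "request"),
        Packet(SERVER, 49152, PROVIDER, NTP_PORT, "request"),  # dynamic port
        Packet(PROVIDER, NTP_PORT, SERVER, CLIENT_PORT, "reply"),
        Packet(PROVIDER, NTP_PORT, SERVER, NTP_PORT, "request"),
        Packet(PROVIDER, NTP_PORT, SERVER, CLIENT_PORT, "request"),
    ]:
        print(p, "->", trace(p))
```

The second packet shows why the static client port is needed: a request sent from a dynamic source port matches no rule and never leaves the network.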