TurnKey Linux Virtual Appliance Library

ntpdate using something other than UDP 123?

stephen_hill's picture

So I get the following error on my TurnKey server when attempting a backup:

 

##########################
## FIXCLOCK HOOK FAILED ##
##########################

Amazon S3 and Duplicity need a UTC synchronized clock so we invoked the
following command::

ntpdate -u pool.ntp.org

Unfortunately, something went wrong...

2 Aug 17:37:34 ntpdate[16440]: no server suitable for synchronization found

 

When I ask our network admins to open UDP 123 the error remains. In fact I can't  ntpdate -u from anywhere outside our network. If I open all ports to a specific time server it works!

Any ideas for a solution?

Jeremy Davis's picture

Do you have a proxy?

Sometimes proxies can cause problems. Although it seems strange that if you open all ports to a specific server it works. AFAIK TKL uses the default NTP port (UDP 123 - as you obviously already know).

Stephen Hill's picture

This is the answer I've received back from higher up. Does this make any sense to anybody?

"My guess is that your ACL only allows port 123, but you're using -u, which instructs ntp to use a non-privileged port."

Liraz Siri's picture

Sniff the network

I recommend you try and sniff the network using a tool such as tcpdump or wireshark. That should tell you exactly what is going on and what ports your admin needs to open.

Stephen Hill's picture

Sorry for the delay in getting back. I'm not an expert at reading tcpdump files, but this line caught my attention
 

User Datagram Protocol, Src Port: 60896 (60896), Dst Port: ntp (123)

Is that indicating it's requesting the time on 123, but it's coming back on a high random port? A second run showed another random high numbered port as the Src Port.

Guest's picture

unprivileged ports?

I stumbled across this somewhat old question but I'll just leave this here in case someone else reads this.

From man ntpdate

-u     Direct ntpdate to use an unprivileged port for outgoing packets.

 

Unprivileged ports are ports higher than 1024. So opening port 123 won't do any good because ntpdate will use a random >1024 port.
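The port behaviour discussed in this thread, modelled as an added example that is not part of any post above: a stateless ACL check applied to both packets of one NTP query. The two ACLs are constructed for illustration (the real ACL is not shown in the thread); 60896 is the source port from the tcpdump line quoted above.

```python
from dataclasses import dataclass

ANY = None  # wildcard for a port field

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (client -> server) or "in" (server -> client)
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: object  # int or ANY
    dst_port: object  # int or ANY

def port_matches(spec, port):
    return spec is ANY or spec == port

def permitted(acl, pkt):
    """Stateless filter: any matching rule permits, otherwise default deny."""
    return any(r.direction == pkt.direction
               and port_matches(r.src_port, pkt.src_port)
               and port_matches(r.dst_port, pkt.dst_port) for r in acl)

def ntp_exchange(client_port):
    """Request and reply of one NTP query; the server answers from UDP 123."""
    return [Packet("out", client_port, 123), Packet("in", 123, client_port)]

def sync_possible(acl, client_port):
    """True only if both the request and the reply pass the ACL."""
    return all(permitted(acl, p) for p in ntp_exchange(client_port))

# Constructed ACL: "UDP 123" read as source AND destination port 123.
STRICT_ACL = [Rule("out", 123, 123), Rule("in", 123, 123)]
# Constructed ACL: matches the server-side port only, so the client port may be
# ephemeral. On a stateful firewall the outbound rule alone is enough, because
# the reply is matched to the tracked flow.
SERVER_PORT_ACL = [Rule("out", ANY, 123), Rule("in", 123, ANY)]

if __name__ == "__main__":
    cases = (("ntpdate, src port 123", 123), ("ntpdate -u, src port 60896", 60896))
    for name, acl in (("strict", STRICT_ACL), ("server-port", SERVER_PORT_ACL)):
        for label, port in cases:
            print(f"{name:12} {label:28} sync possible: {sync_possible(acl, port)}")
```
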
