Firewall or Panorama NTP status showing "rejected"

Created On 04/19/21 23:01 PM - Last Modified 05/23/23 03:07 AM


Symptom


  • Firewall or Panorama clock is not synchronized with the configured NTP server's time
  • The "show ntp" CLI command shows status as "rejected" with reachable status "yes"
> show ntp

NTP state:
NTP not synched, using local clock
NTP server: 192.168.0.11
status: rejected
reachable: yes
  • In the messages log, "no server suitable for synchronization found" is reported, and the suspect NTP server is reported with an offset larger than 1 sec
/var/log/messages
mgmt ntpdate[25168]: no server suitable for synchronization found
mgmt ntpdate[25242]: step time server 192.168.0.11 offset 2.249209 sec



Environment


  • Palo Alto Firewall or Panorama
  • Supported PAN-OS
  • NTP (Network Time Protocol)


Cause


  • The NTP server's "Root Dispersion" time is off by more than 1 second.
  • NTP "Root Dispersion" is the maximum clock time difference that was observed between the local clock and the server clock.
  • In a packet capture, the "Root Dispersion" value can be found in the NTP packet header, as shown below.
No.     Time       PID     Source       Destination      Protocol Length Info
2  XX YY.488308  0x3841 192.168.0.11    10.14.14.14       NTP      90     NTP Version 3, server

Frame 2: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: HewlettP_b8:25:ae (5c:8a:38:b8:25:ae), Dst: PaloAlto_00:84:94 (24:0b:0a:00:84:94)
Internet Protocol Version 4, Src: 10.10.10.10, Dst: 10.14.14.14
User Datagram Protocol, Src Port: 123, Dst Port: 123
Network Time Protocol (NTP Version 3, server)
    Flags: 0x1c, Leap Indicator: no warning, Version number: NTP Version 3, Mode: server
    [Request In: 1]
    [Delta Time: 0.000392000 seconds]
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (3)
    Peer Clock Precision: 0.015625 seconds
    Root Delay: 0.031250 seconds
    Root Dispersion: 11.008163 seconds      <<< Root Dispersion time is larger than 1 second
    Reference ID: 192.168.0.11
    Reference Timestamp: Feb 03, 2021 18:41:18.850684499 UTC
    Origin Timestamp: Feb 03, 2021 18:42:04.487880084 UTC
    Receive Timestamp: Feb 03, 2021 18:42:04.490684499 UTC
    Transmit Timestamp: Feb 03, 2021 18:42:04.490684499 UTC
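The capture above can be reproduced and checked offline. The following Python script is an added example, not part of the original article or of PAN-OS: it decodes the 48-byte NTP header (Root Delay and Root Dispersion are unsigned 16.16 fixed-point seconds, timestamps are 32.32 fixed-point seconds since 1900), then flags a response whose root dispersion exceeds the 1-second threshold the article describes, alongside a few other sanity checks (server mode, leap indicator, valid stratum). The sample packet is constructed to match the field values in the capture; the function names and the 1.0-second constant are this example's own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 48-byte NTP header (RFC 1305 / RFC 5905), network byte order:
# flags, stratum, poll, precision, root delay, root dispersion,
# reference ID, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Threshold from the article: a server whose root dispersion exceeds one
# second ends up as "rejected" / "no server suitable for synchronization".
MAX_ROOT_DISPERSION = 1.0  # seconds (assumed constant for this example)


def ntp_to_datetime(raw: int) -> datetime:
    """Convert a 32.32 fixed-point NTP timestamp to an aware UTC datetime."""
    seconds = raw >> 32
    fraction = (raw & 0xFFFFFFFF) / 2**32
    return NTP_EPOCH + timedelta(seconds=seconds + fraction)


def datetime_to_ntp(dt: datetime) -> int:
    """Inverse of ntp_to_datetime; used here only to build the sample packet."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = round(delta.microseconds * 2**32 / 1_000_000)
    return (seconds << 32) | fraction


def parse_ntp_header(packet: bytes) -> dict:
    """Decode the header fields that matter for the 'rejected' diagnosis."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_HEADER.unpack_from(packet)
    # Stratum 2+ servers carry the IPv4 address of their reference in ref_id;
    # stratum 0/1 carry a four-character ASCII code instead.
    if stratum > 1:
        reference_id = ".".join(str(b) for b in ref_id)
    else:
        reference_id = ref_id.decode("ascii", "replace")
    return {
        "leap_indicator": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                 # 4 = server
        "stratum": stratum,
        "poll_interval": 2 ** poll,          # seconds
        "precision": 2.0 ** precision,       # seconds
        "root_delay": root_delay / 2**16,    # 16.16 fixed point -> seconds
        "root_dispersion": root_disp / 2**16,
        "reference_id": reference_id,
        "reference_time": ntp_to_datetime(ref_ts),
        "transmit_time": ntp_to_datetime(xmit_ts),
    }


def synchronization_problems(fields: dict) -> list:
    """Reasons this response would be unusable; empty list means it looks fine."""
    problems = []
    if fields["mode"] != 4:
        problems.append("not a server-mode response (mode %d)" % fields["mode"])
    if fields["leap_indicator"] == 3:
        problems.append("leap indicator 3: server clock is unsynchronized")
    if fields["stratum"] == 0 or fields["stratum"] > 15:
        problems.append("invalid stratum %d" % fields["stratum"])
    if fields["root_dispersion"] > MAX_ROOT_DISPERSION:
        problems.append("root dispersion %.6f s exceeds %.1f s"
                        % (fields["root_dispersion"], MAX_ROOT_DISPERSION))
    return problems


def build_sample_response(root_dispersion_raw: int = 0x000B0217) -> bytes:
    """Constructed server response mirroring the article's capture:
    flags 0x1c (LI 0, version 3, mode server), stratum 2, poll 3,
    precision 2^-6, root delay 0.031250 s, root dispersion 11.008163 s
    (0x000B0217 / 65536), reference ID 192.168.0.11."""
    ref = datetime(2021, 2, 3, 18, 41, 18, 850684, tzinfo=timezone.utc)
    orig = datetime(2021, 2, 3, 18, 42, 4, 487880, tzinfo=timezone.utc)
    recv = datetime(2021, 2, 3, 18, 42, 4, 490684, tzinfo=timezone.utc)
    return NTP_HEADER.pack(
        0x1C, 2, 3, -6,
        0x00000800,               # 0.031250 s in 16.16 fixed point
        root_dispersion_raw,
        bytes([192, 168, 0, 11]),
        datetime_to_ntp(ref), datetime_to_ntp(orig),
        datetime_to_ntp(recv), datetime_to_ntp(recv),
    )


if __name__ == "__main__":
    fields = parse_ntp_header(build_sample_response())
    for name, value in fields.items():
        print(f"{name:17} {value}")
    print(synchronization_problems(fields) or ["server suitable for synchronization"])
```

Run against the constructed packet, the script reports the 11.008163-second root dispersion as the reason the server would be rejected; passing a small raw value such as `0x0200` (about 0.0078 s) to `build_sample_response` yields an empty problem list, which is the state to expect once the server's time has been corrected.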



Resolution


One of the following steps should resolve the NTP "rejected" status problem.
  1. Correct the time on the NTP server that has an offset of more than 1 second so that it matches local time.
  2. As a workaround, replace the problem NTP server with a public NTP server (for example, time.google.com or 0.us.pool.ntp.org). This can be done in the GUI at Device > Setup > Services > NTP > NTP Server Address.

