NTP not syncing and server status showing as Rejected after upgrading to 10.1.10

Created On 12/22/23 05:22 AM - Last Modified 06/25/24 21:08 PM


Symptom


  • NTP is not synchronized and the server status shows as rejected:
admin@fw1> show ntp

NTP state:
NTP not synched, using local clock
NTP server: x.x.x.x
status: rejected
reachable: no
authentication-type: none
NTP server: x.x.x.x
status: rejected
reachable: no
authentication-type: none

 


Environment


  • Palo Alto Firewalls or Panorama
  • PAN-OS 10.x
  • NTP


Cause


The DNS server is unreachable, or DNS resolution is taking more than 5 seconds.

Resolution


Follow the steps below to resolve the issue:

  1. Check whether both the primary and secondary DNS servers are reachable using the CLI command:
>ping host <primary dns server>
  2. If there is any delay, or a DNS server is not reachable, configure reachable DNS servers, then check the NTP status.
  3. If the DNS servers are reachable, check whether the NTP server is reachable.
  4. If DNS resolution is delayed by more than 5 seconds, the NTP server will fail as well, so configure DNS and NTP servers that are reachable and responsive.


Additional Information


Whether an FQDN or an IP address is configured for the NTP server, the Linux-based "ntpq" command performs a DNS lookup.
If the DNS lookup completes quickly, NTP sync shows up soon; otherwise it times out and results in an error or an unreachable status.
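
The check described in the Resolution steps and above, as an added example that is not part of the original article or of PAN-OS: it parses saved "show ntp" output and, for each rejected or unreachable server, times a DNS lookup against the 5-second limit. The function names are hypothetical, and it assumes the script runs on an admin host that uses the same DNS servers as the firewall and that an IP-configured server is checked with a reverse lookup.

```python
import ipaddress
import socket
import time

DNS_LIMIT_SECONDS = 5.0  # threshold stated in the article's Cause section

# Constructed sample in the layout of the "show ntp" output shown under Symptom.
SAMPLE = """NTP state:
NTP not synched, using local clock
NTP server: x.x.x.x
status: rejected
reachable: no
authentication-type: none
"""

def parse_show_ntp(text):
    """Return (not_synced, servers): one dict per 'NTP server:' block."""
    not_synced = "ntp not synched" in text.lower()
    servers = []
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # headings such as "NTP state:" carry no value
        if key == "NTP server":
            servers.append({"server": value.strip()})
        elif servers:
            servers[-1][key.strip()] = value.strip()
    return not_synced, servers

def timed_lookup(target, resolver=None, clock=time.monotonic):
    """Time one DNS lookup for an NTP server configured as FQDN or IP."""
    if resolver is None:
        try:
            ipaddress.ip_address(target)
            resolver = socket.gethostbyaddr  # IP: reverse lookup (assumption)
        except ValueError:
            resolver = socket.gethostbyname  # FQDN: forward lookup
    start, answered = clock(), True
    try:
        resolver(target)
    except OSError:  # gaierror, herror and timeouts are all OSError
        answered = False
    return answered, clock() - start

def diagnose(show_ntp_text, lookup=timed_lookup):
    """Per rejected/unreachable server: (server, status, lookup_exceeds_limit)."""
    not_synced, servers = parse_show_ntp(show_ntp_text)
    bad = [s for s in servers if s.get("status") == "rejected" or s.get("reachable") == "no"]
    return not_synced, [(s["server"], s.get("status"),
                         lookup(s["server"])[1] > DNS_LIMIT_SECONDS) for s in bad]
```

A lookup that fails quickly (for example, no PTR record) is not flagged; only a lookup that runs past the limit points at the cause this article describes.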

