How to troubleshoot NTP server connection failure

How to troubleshoot NTP server connection failure

47616
Created On 06/04/24 16:51 PM - Last Modified 06/07/24 16:30 PM


Objective


  • Troubleshoot connection failure to NTP server

Environment


  • NGFW
  • NTP server

Procedure


  1. Review the configuration of the NTP server: navigate to the UI: Device > Setup > Services > NTP > NTP Server Address or use CLI: 
    show ntp
    1. Check the less mp-log dagger.log if any errors are found in the output of the command above.
  2. Check the server route of the firewall to the NTP server: Device > Setup > Services > Service Route Configuration. Look for NTP.
  3. Ensure that the NTP daemon is running for larger platforms with a separate DP and MP where NTP sync daemon is responsible of keeping MP and DP time in sync: 
    show system software status | match ntp
    1. If the NTP daemon is not running and there is a need to manually restart it, use: 
      debug software restart process ntp
  4. Check if the firewall can reach the NTP server using ping or traceroute.
    1. If the service route to the NTP server is the management interface: 
      ping host <IP address of the NTP server>
traceroute host <IP address of the NTP server>
    2. If the service route to the NTP server is the dataplane interface: 
      ping source <IP address of the dataplane interface> host <IP address of the NTP server>
traceroute source <IP address of the dataplane interface> host <IP address of the NTP server>
  5. Consider replacing the NTP server configuration with another NTP server if unable to resolve the connection to the currently configured NTP server.
  6. If the NTP server is configured using FQDN:
    1. Ensure that the DNS server is properly configured on the firewall: navigate to the UI: Device > Setup > Services > DNS Settings > Primary DNS Server and/or Secondary DNS Server.
    2. Ensure that the firewall can resolve the IP address of the NTP server
      1. If the service route to the NTP server is the management interface: 
        ping host <FQDN of the NTP server>
traceroute host <FQDN of the NTP server>
      2. If the service route to the NTP server is the dataplane interface: 
        ping source <IP address of the dataplane interface> host <FQDN of the NTP server>
  7. If needing to troubleshoot further perform a packet capture from the firewall:
    1. If the service route to the NTP server is the management interface: use the CLI command tcpdump.
    2. If the service route to the NTP server is the dataplane interface: use the dataplane packet capture.
  8. If you decide not to use the NTP server and set a manual time on the firewall:
    1. Delete the NTP configuration on the firewall.
    2. Set or Change System Clock Time on Palo Alto Networks Firewall.
    3. Commit your configuration change.

Additional Information


The troubleshooting steps can also apply to Panorama with the below notes:

  • For UI navigation replace Device with Panorama.
  • Performing a packet capture using the UI on a dataplane interface is only applicable to the firewall.


Traffic Log Timestamps are Different from System Clock Time
Firewall or Panorama NTP status showing "rejected"
Error in NTP Sync Status Display
NTP Server error: An error occured.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HDIOCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language