problem with ntp in a DMZ
Andrew Bacchi
bacchi at rpi.edu
Mon Aug 4 15:59:16 UTC 2008
Bill,
I'm not certain this is your problem, but . . .
AFAIK, 192.x.x.x is a non routable (internal) address. It's possible
that your DNS server or NTP server is blocking that address from the
DMZ. Perhaps try starting a VPN client on the DMZ machine and see if
that clears it up. Also, check that SELINUX is not interfering.
Good luck.
Tangren, Bill wrote:
> I have two essentially identical servers, RHEL ES 4.6 fully patched. The
> only difference is, one is in a DMZ and the other is not. Both can do an
> nslookup on the time server I use (tick.usno.navy.mil), but when I turn
> off ntp and use the ntpdate command, it fails on the server in the DMZ
> and succeeds on the one that is not. Here is the output from ntpdate in
> debug mode. First the one that succeeds:
>
>
> [root at ceres ~]# ntpdate -d tick.usno.navy.mil
> 4 Aug 08:35:11 ntpdate[16244]: ntpdate 4.2.0a at 1.1190-r Wed Apr 23
> 07:36:43 EDT 2008 (1) Looking for host tick.usno.navy.mil and service
> ntp host found : ntp0.usno.navy.mil
> transmit(192.5.41.40)
> receive(192.5.41.40)
> transmit(192.5.41.40)
> receive(192.5.41.40)
> transmit(192.5.41.40)
> receive(192.5.41.40)
> transmit(192.5.41.40)
> receive(192.5.41.40)
> transmit(192.5.41.40)
> server 192.5.41.40, port 123
> stratum 1, precision -20, leap 00, trust 000 refid [USNO], delay
> 0.02966, dispersion 0.00238 transmitted 4, in filter 4
> reference time: cc4175f6.c33a64a3 Mon, Aug 4 2008 8:35:02.762
> originate timestamp: cc4175ff.647a9322 Mon, Aug 4 2008 8:35:11.392
> transmit timestamp: cc4175ff.62961c36 Mon, Aug 4 2008 8:35:11.385
> filter delay: 0.02966 0.03514 0.03532 0.03551
> 0.00000 0.00000 0.00000 0.00000 filter offset: -0.00061
> 0.002036 0.002256 0.002382
> 0.000000 0.000000 0.000000 0.000000 delay 0.02966, dispersion
> 0.00238 offset -0.000610
>
> 4 Aug 08:35:11 ntpdate[16244]: adjust time server 192.5.41.40 offset
> -0.000610 sec
>
>
> Now, the one that fails:
>
> [root at aa ~]# ntpdate -d tick.usno.navy.mil
> 4 Aug 07:34:12 ntpdate[26513]: ntpdate 4.2.0a at 1.1190-r Wed Apr 23
> 07:36:43 EDT 2008 (1) Looking for host tick.usno.navy.mil and service
> ntp host found : 192.5.41.40
> transmit(192.5.41.40)
> transmit(192.5.41.40)
> transmit(192.5.41.40)
> transmit(192.5.41.40)
> transmit(192.5.41.40)
> 192.5.41.40: Server dropped: no data
> server 192.5.41.40, port 123
> stratum 0, precision 0, leap 00, trust 000 refid [192.5.41.40], delay
> 0.00000, dispersion 64.00000 transmitted 4, in filter 4
> reference time: 00000000.00000000 Thu, Feb 7 2036 1:28:16.000
> originate timestamp: 00000000.00000000 Thu, Feb 7 2036 1:28:16.000
> transmit timestamp: cc4167b7.6069a4df Mon, Aug 4 2008 7:34:15.376
> filter delay: 0.00000 0.00000 0.00000 0.00000
> 0.00000 0.00000 0.00000 0.00000 filter offset: 0.000000
> 0.000000 0.000000 0.000000
> 0.000000 0.000000 0.000000 0.000000 delay 0.00000, dispersion
> 64.00000 offset 0.000000
>
> 4 Aug 07:34:16 ntpdate[26513]: no server suitable for synchronization
> found
>
> You can see that in the latter case, it found the ntp server, but it got
> no response from the transmit commands.
>
> I noticed this problem just after updating to RHEL ES 4.6, though may
> well have been coincidental. I talked to the firewall guy, and he says
> that the port is open both ways into and out of the DMZ and no error
> messages show up in the firewall logs when I run this command.
>
> Can anyone point me in the right direction to solving this mystery?
>
>
> ---
> Bill Tangren
> U.S. Naval Observatory
>
>
>
--
veritatas simplex oratio est
-Seneca
Andrew Bacchi
Systems Programmer
Rensselaer Polytechnic Institute
phone: 518.276.6415 fax: 518.276.2809
http://www.rpi.edu/~bacchi/
More information about the redhat-list
mailing list