And I Thought Installing NTP Would be Fun....

Post by Paul L. Ri » Wed, 02 Aug 1995 04:00:00



So, I wanted to get a time server up and running to get all our servers in
sync.  This is turning out to be a very large pain in the ...., and I
don't know why.  We are running xntpd 3.4v on BSDI 1.1. This computer is
working currently as a WWW server, so networking is configured correctly.
The kicker is we are running behind a firewall, but have the correct NTP
port defined (we think).

The following is the ntp.conf for our server....  Looking at all the
READMEs, man pages, etc., it looks as though it should be correct.

  www-dev-ring {148} cat /etc/ntp.conf

#
##############################################################################
#
#       ntp.conf
#       for timeserv.aaped.com          created 28 Jul 95
#                                       by Paul L. Ring
#                                       CSA - ARCH
#
#       ntp.conf - configuration file for ntpd
#       (expected to operate at stratum 3)
#
##############################################################################

##############################################################################
#
#       3 external servers entered to provide our campus sync
#
##############################################################################




##############################################################################
#
#       driftfile location
#
##############################################################################

driftfile /etc/ntp.drift

##############################################################################
#
#       To enable the monitoring feature uncomment the following line:
#
##############################################################################

monitor yes
pll yes
stats yes

##############################################################################
#
#       Specify mode-6 and mode-7 trusted keys
#               ** Need these for ntpq and xntpres
#
##############################################################################

requestkey 65535                # for mode-7 requests
controlkey 65534                # for mode-6 requests

##############################################################################
#
#       The following 3 entries control access to the NTP server.
#
#       1) By default, don't trust and don't allow modifications
#
##############################################################################

restrict default notrust nomodify

##############################################################################
#
#       2) Trust the following for time, but not modification
#
##############################################################################

restrict ntp-2.mcs.anl.gov nomodify
restrict nss.unet.umn.edu
restrict ntp-2.cso.uiuc.edu nomodify

##############################################################################
#
#       3) Allow unrestricted access to the following
#
##############################################################################

restrict 127.0.0.1                      # local address is unrestricted..
restrict xxx.x.xx.x                    # local address is unrestricted..

##############################################################################
#
#       specify host name resolver data
#
##############################################################################

resolver /usr/sbin/xntpres
keys /etc/ntp.keys
requestkey 65535

*** end of ntp.conf ***

When running xntpd with debugging level two, it appears that xntpres is
resolving the external NTP server site names (ntp-2.cso.uiuc.edu,
nss.unet.umn.edu, and ntp-2.mcs.anl.gov) to the correct IP addresses;
however, our NTP server does not appear to be getting anything back from
the external server sites.  See the packets returning from the requests
below:

   sendpkt(128.174.22.4, 0.0.0.0, 48)
   transmit to 128.174.22.4
   sendpkt(134.84.84.84, 0.0.0.0, 48)
   transmit to 134.84.84.84
   sendpkt(140.221.9.6, 0.0.0.0, 48)
   transmit to 140.221.9.6
   input_handler: fd=5 length 48

Also, using ntpq's peer query I get the following:

ntpq> peer
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
 glock.gw.uiuc.e 0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
 nss.unet.umn.ed 0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
 mcs.anl.gov     0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0

Which seems to further indicate that I am not receiving anything.

Any suggestions on where to look for common gotchas (the FAQ didn't seem
to have anything), or are there other tools that would help?

--
//

//  The Center for Professional Education        | Voice: (708) 444-4591
//      Arthur Andersen & Co., S.C.              | Fax  : (708) 444-4873
//      1405 North Fifth Avenue
//      St Charles Il 60174-1264
//
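The ntpq billboard above carries the whole diagnosis in three columns: `reach` is an octal shift register of the last eight polls (0 means no reply ever arrived, 377 means all eight were answered), `st 16` is NTP's "unsynchronized" stratum, and a `refid` of 0.0.0.0 with dispersion pinned at 16000 ms means no sample has been received at all. The following Python script is an added example, not part of the original post or of the xntpd distribution: it parses `ntpq> peer` output and reports those conditions per peer. The three unreachable lines are copied from the post; the fourth line (`clock.example.n`, refid 192.0.2.10) is a constructed healthy peer so the parser is exercised on both cases.

```python
import re

# ntpq "peer" output: three lines as pasted in the thread (all unreachable) plus one
# constructed healthy peer (clock.example.n / 192.0.2.10 is made up for this example).
SAMPLE_PEERS = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
 glock.gw.uiuc.e 0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
 nss.unet.umn.ed 0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
 mcs.anl.gov     0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
*clock.example.n 192.0.2.10       2 u   37   64  377    12.34    1.234     0.5
"""

UNSYNC_STRATUM = 16        # stratum ntpq shows for a peer it has never synchronized with
MAX_DISPERSION = 16000.0   # ms; ntpq prints this when it has no sample at all


def parse_peers(text):
    """Turn ntpq 'peer' billboard text into a list of dicts, one per peer line."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        fields = line[1:].split()          # column 0 is the tally code (' ', '*', '+', ...)
        if fields[0] == "remote":
            continue                       # header row
        remote, refid, st, t, when, poll, reach, delay, offset, disp = fields
        peers.append({
            "tally": line[0],
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "when": None if when == "-" else int(when),
            "poll": int(poll),
            "reach": int(reach, 8),        # octal shift register of the last 8 polls
            "delay": float(delay),
            "offset": float(offset),
            "disp": float(disp),
        })
    return peers


def reach_history(reach):
    """Decode the 8-bit reach register into booleans, oldest poll first, newest last."""
    return [bool(reach & (1 << bit)) for bit in range(7, -1, -1)]


def diagnose(peer):
    """Return human-readable findings for one peer; an empty list means it looks healthy."""
    findings = []
    if peer["reach"] == 0:
        findings.append("reach=0: no reply to any of the last 8 polls, replies are not arriving")
    elif peer["reach"] != 0o377:
        findings.append("reach=%o: replies are intermittent" % peer["reach"])
    if peer["stratum"] == UNSYNC_STRATUM:
        findings.append("stratum 16: peer unsynchronized or never heard from")
    if peer["refid"] == "0.0.0.0":
        findings.append("refid 0.0.0.0: no reference information received from this peer")
    if peer["disp"] >= MAX_DISPERSION:
        findings.append("dispersion at maximum: no usable sample yet")
    return findings


def unreachable_peers(text):
    """Names of peers whose reach register is zero, i.e. no reply ever came back."""
    return [p["remote"] for p in parse_peers(text) if p["reach"] == 0]


if __name__ == "__main__":
    for peer in parse_peers(SAMPLE_PEERS):
        problems = diagnose(peer)
        status = "OK" if not problems else "; ".join(problems)
        print("%-16s polls answered %s -> %s" % (
            peer["remote"],
            "".join("1" if ok else "0" for ok in reach_history(peer["reach"])),
            status))
```

Feed it `ntpq -p` output captured from the host in question: a peer whose reach stays at 0 while `when` never advances is the signature of replies being dropped on the way back (a firewall that lets UDP/123 out but not in), as opposed to a peer that answers but is rejected, which shows a non-zero reach with stratum 16 or a high dispersion.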


And I Thought Installing NTP Would be Fun....

Post by Marc Bre » Thu, 03 Aug 1995 04:00:00


Paul,

I don't have version 3.4v yet (still on 3.4s), but the syntax of your
/etc/ntp.conf file seems to be a bit dated.

Instead of the old:

        monitor yes
        pll yes
        stats yes

The modern way to do it is:

        enable monitor pll stats

And the xntpres resolver went the way of the dodo years ago. xntpd does
its own name resolution now.  Check the xntpd(8) man page for details.

Not that any of this impacts your problem...

Only suggestion I have is to comment out the restrict statements.  They
might be blocking the signals.  Add them back in one at a time when it
works again.

Regards,

--

Western Geophysical     Tel: +44 181 560 3160 ext. 4178



And I Thought Installing NTP Would be Fun....

Post by Paul L. Ri » Thu, 03 Aug 1995 04:00:00



Marc,

Thanks for the suggestions.  I implemented the changes you suggested and
am having no luck... I know that part of my problem is our gateway for
external communications.  So in order to prove to myself that the software
was working, I created a local client.  The client connects but gets an
"invalid packet header" error.

My goal is to get it working correctly internally, and then to tackle the
firewall problem.

The following is the server's config file:

*********************

##############################################################################
#
#       ntp.conf
#       for timeserv.aaped.com          created 28 Jul 95
#                                       by Paul L. Ring
#                                       CSA - ARCH
#
#       ntp.conf - configuration file for ntpd
#       (expected to operate at stratum 3)
#
##############################################################################

##############################################################################
#
#       3 external servers entered to provide our campus sync
#
##############################################################################




##############################################################################
#
#       driftfile location
#
##############################################################################

driftfile /etc/ntp.drift

##############################################################################
#
#       To enable the monitoring feature uncomment the following line:
#
##############################################################################

enable monitor pll stats

##############################################################################
#
#       Specify mode-6 and mode-7 trusted keys
#               ** Need these for ntpq and xntpres
#
##############################################################################

#requestkey 65535               # for mode-7 requests
#controlkey 65534               # for mode-6 requests

##############################################################################
#
#       3) Allow unrestricted access to the following
#
##############################################################################

restrict bigbird.aaped.com                     # bigbird.aaped.com

*********************

The client's config file:

*********************
#
#       ntp.conf
#       for timeserv.aaped.com          created 28 Jul 95
#                                       by Paul L. Ring
#                                       CSA - ARCH
#
#       ntp.conf - configuration file for ntpd
#       (expected to operate at stratum 3)
#

#
#       3 external servers entered to provide our campus sync
#

server timex.aaped.com                      #       www-dev aka timex

#
#       driftfile and statistics file locations
#

driftfile /etc/ntp.drift
statsdir  /usr/adm/

statistics  loopstats  clockstats  peerstats
clockstats type day enable

#
#       To enable the monitoring feature uncomment the following line:
#
enable monitor

*********************

The client's dump running xntpd -d -d:

*********************

sendpkt(fd=5 129.9.11.9, 129.9.10.6, ttl=-8, 48)
transmit to 129.9.11.9
input_handler: fd=5 length 48 from 81090b09 129.9.11.9
receive from 129.9.11.9
poll_update(129.9.11.9, 6, 1)
invalid packet header 129.9.11.9 20

**********************

Anything else???

--
//

//  The Center for Professional Education        | Voice: (708) 444-4591
//      Arthur Andersen & Co., S.C.              | Fax  : (708) 444-4873
//      1405 North Fifth Avenue
//      St Charles Il 60174-1264
//
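The client-side trace is different from the first post: here a 48-byte reply does come back from 129.9.11.9 and is only rejected afterwards. A client applies sanity checks to the header of every reply before using it, and RFC 1305 defines the two header fields that matter most for a server with no upstream sources of its own: a leap indicator of 3 means the sender's clock is not synchronized, and stratum 0 (or anything above 15) is unspecified or reserved. The script below is an added example, not code from the post or from xntpd, and it does not claim to reproduce xntpd 3.4v's exact code path; it decodes a 48-byte NTP packet with `struct` and lists the header problems a client would object to. Both packets are constructed inline: one from a server that is itself unsynchronized, one from a healthy stratum-3 server (refid 192.0.2.10 is a made-up source address).

```python
import struct

# 48-byte NTP header (RFC 1305): li/vn/mode, stratum, poll, precision,
# root delay, root dispersion, refid, then reference/originate/receive/transmit timestamps.
NTP_HEADER = "!BBbbII4sQQQQ"
NTP_PACKET_LEN = 48

LEAP_NOTINSYNC = 3     # leap indicator: alarm condition, clock not synchronized
STRATUM_UNSPEC = 0     # stratum 0 is "unspecified"
MAX_STRATUM = 15       # 16 and above are reserved
MODE_SERVER = 4        # what a client expects in a reply


def build_packet(leap, version, mode, stratum, refid=b"\0\0\0\0", xmt=0):
    """Construct a 48-byte NTP packet for testing (not captured traffic)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       0, 0, 0, xmt)


def parse_header(data):
    """Decode the fixed NTP header; raises ValueError on a short packet."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("short packet: %d bytes, need %d" % (len(data), NTP_PACKET_LEN))
    (li_vn_mode, stratum, poll, precision, rootdelay, rootdisp, refid,
     reftime, org, rec, xmt) = struct.unpack(NTP_HEADER, data[:NTP_PACKET_LEN])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "rootdelay": rootdelay / 65536.0,    # 16.16 fixed point, seconds
        "rootdisp": rootdisp / 65536.0,
        "refid": refid,
        "reftime": reftime, "org": org, "rec": rec, "xmt": xmt,
    }


def header_problems(hdr):
    """Reasons a client would refuse to use this reply; empty list means it passes."""
    problems = []
    if hdr["version"] not in (1, 2, 3, 4):
        problems.append("version %d: not an NTP version a client understands" % hdr["version"])
    if hdr["mode"] != MODE_SERVER:
        problems.append("mode %d: expected a server reply (mode 4)" % hdr["mode"])
    if hdr["leap"] == LEAP_NOTINSYNC:
        problems.append("leap indicator 3: the server's own clock is not synchronized")
    if hdr["stratum"] == STRATUM_UNSPEC or hdr["stratum"] > MAX_STRATUM:
        problems.append("stratum %d: unspecified or reserved" % hdr["stratum"])
    if hdr["xmt"] == 0:
        problems.append("transmit timestamp is zero")
    return problems


# Constructed samples: a reply from a server with no sources of its own, and a healthy one.
UNSYNC_REPLY = build_packet(LEAP_NOTINSYNC, 3, MODE_SERVER, STRATUM_UNSPEC, xmt=0x1234)
GOOD_REPLY = build_packet(0, 3, MODE_SERVER, 3, refid=b"\xc0\x00\x02\x0a", xmt=0x1234)


if __name__ == "__main__":
    for name, pkt in (("unsynchronized server", UNSYNC_REPLY), ("healthy server", GOOD_REPLY)):
        hdr = parse_header(pkt)
        print("%s: LI=%d VN=%d mode=%d stratum=%d" % (
            name, hdr["leap"], hdr["version"], hdr["mode"], hdr["stratum"]))
        for problem in header_problems(hdr) or ["header passes sanity checks"]:
            print("    " + problem)
```

The practical point for the setup in this thread: a server that has no reachable upstream peers (the external servers behind the firewall) answers with exactly the first kind of header, so the local client can receive a well-formed 48-byte reply and still correctly refuse it. The order of work stated above, internal first and firewall second, is therefore the wrong way round for this symptom: the internal client cannot pass its checks until the server has a source it trusts.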

