AP122 does not sync time via NTP

  • Question
  • Updated 8 months ago
Hello,
We set up an AP122 device; everything is working fine so far except time sync.

As a time source we specified our internal NTP server (a Windows DC). In Wireshark on the DC we see the NTP packets coming in and replies going back out in rapid succession (roughly a packet each second).

We tried disabling and re-enabling NTP via CLI, but the AP keeps sending NTP packets to the server and ignoring the response. The time does not update on the device.

All other systems (ESX, Linux, switch, Windows clients, firewall...) sync their time correctly, which we have verified in great detail today. So the NTP server should be OK, and the IP communication should be OK.

What could be wrong?

Robert Rostek


Posted 8 months ago


BJ, Champ

I'm not sure where your packet trace is located in the path. I see "PaloAlto" in the packet trace. Are you performing NAT properly and permitting NTP packets through what I am assuming is a firewall? Try placing the trace as close as you can to the AP and see if the packets are returning.

Robert Rostek

Hi, thank you for your reply.

The AP is in VLAN 3 (10.10.3.x), the NTP server in VLAN 5 (10.10.5.x).
Both are routed through the Palo Alto with a default virtual router.
No NAT is done between the two VLANs.
There is an ANY-ANY rule for testing.
The Wireshark trace is done on the NTP server.

Another device in VLAN 3 (e.g. an ESXi server) is performing NTP sync correctly.

For testing purposes, I moved the AP to the same VLAN as the NTP server (ID 5, 10.10.5.x). Now Wireshark sees five packets coming and going from/to the AP, and the AP sets its time correctly after the 5th packet.

So it's because of the Palo. Any hint what could be wrong? I am not aware of any special config, filtering, or similar, between the two systems. And like I said, all other devices have no issue with this constellation.

Robert Rostek

I noticed there is one difference between the NTP packets related to the AP and those of other systems.

Most if not all send their packets from port 123 to NTP server port 123, and the NTP server replies back to port 123.

The Aerohive, however, sends from a random port, and so the NTP server responds back to this random port (in this case 51929).

Could this be related to my issue?

Robert Rostek

Aaaand that was it. Thanks for hinting me in the correct direction. The Palo seemed to dislike the non-port-123 UDP packet and discarded it, because I used "application-default" in the service filter, which defaults to port 123. Modifying it to "any" while still keeping "NTP" as the application solved it. Case closed ;)

Edit: out of curiosity, is there a setting to tell Aerohive which source UDP port to use when sending NTP packets?
(Edited)
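The symptom seen on the server-side capture (an NTP request roughly every second, replies leaving but never taking effect) is itself a usable detection signal: a synced client polls at most every 64 seconds, so a burst of requests from one client means its replies are being dropped on the path. The script below is an added example, not code from this thread or from Aerohive or Palo Alto; it flags such clients in a constructed flow list and reports whether they source from an ephemeral port as the AP did. The 10.10.5.10 and 10.10.3.x addresses are assumed.

```python
from collections import defaultdict

NTP_PORT = 123
SERVER_IP = "10.10.5.10"  # assumed address of the Windows DC acting as NTP server

# Constructed records (seconds, src_ip, src_port, dst_ip, dst_port) as exported
# from a capture on the NTP server itself. The AP at 10.10.3.50 (assumed address)
# retries every second from an ephemeral port 51929; the ESXi host at 10.10.3.20
# (assumed) polls once from the standard source port 123 and is answered.
SAMPLE_FLOWS = (
    [(float(t), "10.10.3.50", 51929, SERVER_IP, NTP_PORT) for t in range(8)]
    + [(float(t) + 0.01, SERVER_IP, NTP_PORT, "10.10.3.50", 51929) for t in range(8)]
    + [(3.5, "10.10.3.20", NTP_PORT, SERVER_IP, NTP_PORT),
       (3.51, SERVER_IP, NTP_PORT, "10.10.3.20", NTP_PORT)]
)


def find_retrying_clients(flows, server_ip=SERVER_IP, window=60.0, threshold=5):
    """Return clients that sent more than `threshold` NTP requests to `server_ip`
    inside any `window` seconds, with the source ports they used.

    A healthy client polls every 64 s or slower, so a burst of requests means
    the replies never reach it (dropped on the path, e.g. by a firewall rule
    that only accepts udp/123 as the service) and the client keeps retrying."""
    requests = defaultdict(list)  # client ip -> [(time, src_port), ...]
    for ts, src, sport, dst, dport in flows:
        if dst == server_ip and dport == NTP_PORT:
            requests[src].append((ts, sport))

    flagged = {}
    for client, seen in requests.items():
        seen.sort()
        times = [t for t, _ in seen]
        j = 0  # left edge of the sliding window [times[i] - window, times[i]]
        for i in range(len(times)):
            while times[j] < times[i] - window:
                j += 1
            if i - j + 1 > threshold:
                ports = {p for _, p in seen}
                flagged[client] = {
                    "requests": len(seen),
                    "source_ports": sorted(ports),
                    "ephemeral_source": any(p != NTP_PORT for p in ports),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_retrying_clients(SAMPLE_FLOWS).items():
        print(ip, info)
```

On the sample data only the AP is reported, with `ephemeral_source` set; the ESXi host, which polled once from port 123, is not.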