Symantec Privileged Access Management

Hi,

Both nodes of pam server can't sync with NTP server (internal) or pool.ntp.org (0.south-america.pool.ntp.org,etc.. in my case).

i can reach both server NTP and pool.ntp using ping from CA PAM, but can't sync the ntp configuration. it always shows REJECT status. the firewall is not blocking communication.

------------------------------
IT Specialist
Perú
------------------------------

Luis,

Ping uses port 7, but NTP uses port 123 so just because you can ping doesnt mean NTP is open.
Can you verify UDP port 123 is open? (PAM only can check TCP ports so you need to use a server in same subnet to check)

Bob Walker
Original Message:
Sent: 07-02-2020 01:29 PM
From: Luis Alberto Huallpa Torre
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Hi,

Both nodes of pam server can't sync with NTP server (internal) or pool.ntp.org (0.south-america.pool.ntp.org,etc.. in my case).

i can reach both server NTP and pool.ntp using ping from CA PAM, but can't sync the ntp configuration. it always shows REJECT status. the firewall is not blocking communication.

Regards.

------------------------------
IT Specialist
Perú
------------------------------

Hi Bob,

I tested the udp port using nmap, and the port 123 of pam is open like so NTP port 123.
There is no restriction or firewall between pam and NTP server.



------------------------------
IT Specialist
Perú
------------------------------

Original Message:
Sent: 07-03-2020 07:47 AM
From: Robert Walker
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Luis,

Ping uses port 7, but NTP uses port 123 so just because you can ping doesnt mean NTP is open.
Can you verify UDP port 123 is open? (PAM only can check TCP ports so you need to use a server in same subnet to check)

Bob Walker
Original Message:
Sent: 07-02-2020 01:29 PM
From: Luis Alberto Huallpa Torre
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Hi,

Both nodes of pam server can't sync with NTP server (internal) or pool.ntp.org (0.south-america.pool.ntp.org,etc.. in my case).

i can reach both server NTP and pool.ntp using ping from CA PAM, but can't sync the ntp configuration. it always shows REJECT status. the firewall is not blocking communication.

Regards.

------------------------------
IT Specialist
Perú
------------------------------

Luis
If you have not yet resolved .... There are several different reasons for a reject status from the ntpd itself . The time server may have too many hops to go through for NTP to rely on. In some cases DNS issues may slow something down enough to make the connection seem unreliable. One simple thing you can try is setting an IP for the same servers to see if that helps or updating a local DNS server with the resolution. Otherwise there are many posts online showing the commands like ntpq -p to isolate the specific cause.
Joe
Original Message:
Sent: 07-03-2020 09:25 AM
From: Luis Alberto Huallpa Torre
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Hi Bob,

I tested the udp port using nmap, and the port 123 of pam is open like so NTP port 123.
There is no restriction or firewall between pam and NTP server.

------------------------------
IT Specialist
Perú

Original Message:
Sent: 07-03-2020 07:47 AM
From: Robert Walker
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Luis,

Ping uses port 7, but NTP uses port 123 so just because you can ping doesnt mean NTP is open.
Can you verify UDP port 123 is open? (PAM only can check TCP ports so you need to use a server in same subnet to check)

Bob Walker
Original Message:
Sent: 07-02-2020 01:29 PM
From: Luis Alberto Huallpa Torre
Subject: CA PAM (both nodes) can't sync with NTP server and Pool.ntp.org

Hi,

Both nodes of pam server can't sync with NTP server (internal) or pool.ntp.org (0.south-america.pool.ntp.org,etc.. in my case).

i can reach both server NTP and pool.ntp using ping from CA PAM, but can't sync the ntp configuration. it always shows REJECT status. the firewall is not blocking communication.

Regards.

------------------------------
IT Specialist
Perú
------------------------------