FreeBSD ntp can't connect to time server

August 3, 2015 2.5k views
Networking IPv6 FreeBSD

I think the problem is ipv6 related.

Aug 3 23:42:26 theranch ntpd[720]: ntpd 4.2.4p5-a (1)
Aug 3 23:42:26 theranch ntpd[721]: bind() fd 22, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 3 23:42:26 theranch ntpd[721]: unable to create socket on vtnet0 (2) for fe80::601:50ff:fe62:dd01#123
Aug 3 23:42:27 theranch kernel: pid 747 (sshguard), uid 0: exited on signal 10 (core dumped)
Aug 3 23:42:27 theranch ntpd[721]: bind() fd 27, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 3 23:42:27 theranch ntpd[721]: unable to create socket on vtnet0 (7) for fe80::601:50ff:fe62:dd01#123

2 comments
  • NTP is working fine on my FreeBSD droplet.

    Could you post your /etc/ntp.conf?
    What is the output of ntpq -p?
    Do you have a firewall running?

  • Well this is weird. My reply didn't show up. Here we go again.

    It looks like I am connected. The UK server doesn't make much sense for San Francisco use, but that is something to change later.

    ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    +ntp1.adacor.com 130.133.1.10 2 u 826 1024 377 168.683 -3.409 6.231
    +log1.nierle.com 235.106.237.243 3 u 558 1024 377 160.756 1.594 1.845
    *ns0.luns.net.uk 33.117.170.50 2 u 556 1024 377 142.496 1.270 0.168

    I added the "-4", but otherwise stock.

    cat ntp.conf
    #
    # $FreeBSD: releng/10.1/etc/ntp.conf 259974 2013-12-27 23:09:40Z delphij $
    #
    # Default NTP servers for the FreeBSD operating system.
    #
    # Don't forget to enable ntpd in /etc/rc.conf with:
    # ntpd_enable="YES"
    #
    # The driftfile is by default /var/db/ntpd.drift, check
    # /etc/defaults/rc.conf on how to change the location.
    #

    #
    # The following three servers will give you a random set of three
    # NTP servers geographically close to you.
    # See http://www.pool.ntp.org/ for details. Note, the pool encourages
    # users with a static IP and good upstream NTP servers to add a server
    # to the pool. See http://www.pool.ntp.org/join.html if you are interested.
    #
    # The option `iburst' is used for faster initial synchronization.
    #
    server -4 0.freebsd.pool.ntp.org iburst
    server -4 1.freebsd.pool.ntp.org iburst
    server -4 2.freebsd.pool.ntp.org iburst
    #server -4 3.freebsd.pool.ntp.org iburst

    #
    # If you want to pick yourself which country's public NTP server
    # you want sync against, comment out the above servers, uncomment
    # the next ones and replace CC with the country's abbreviation.
    # Make sure that the hostnames resolve to a proper IP address!
    #
    # server 0.CC.pool.ntp.org iburst
    # server 1.CC.pool.ntp.org iburst
    # server 2.CC.pool.ntp.org iburst

    #
    # Security:
    #
    # By default, only allow time queries and block all other requests
    # from unauthenticated clients.
    #
    # See http://support.ntp.org/bin/view/Support/AccessRestrictions
    # for more information.
    #
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

    #
    # Alternatively, the following rules would block all unauthorized access.
    #
    #restrict default ignore
    #restrict -6 default ignore
    #
    # In this case, all remote NTP time servers also need to be explicitly
    # allowed or they would not be able to exchange time information with
    # this server.
    #
    # Please note that this example doesn't work for the servers in
    # the pool.ntp.org domain since they return multiple A records.
    #
    #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
    #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
    #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
    #
    # The following settings allow unrestricted access from the localhost
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 127.127.1.0

    #
    # If a server loses sync with all upstream servers, NTP clients
    # no longer follow that server. The local clock can be configured
    # to provide a time source when this happens, but it should usually
    # be configured on just one server on a network. For more details see
    # http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
    # The use of Orphan Mode may be preferable.
    #
    #server 127.127.1.0
    #fudge 127.127.1.0 stratum 10

    ======================

    Firewall is ipfw.

    ipfw list

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from any to ::1
    00500 deny ip from ::1 to any
    00600 allow ipv6-icmp from :: to ff02::/16
    00700 allow ipv6-icmp from fe80::/10 to fe80::/10
    00800 allow ipv6-icmp from fe80::/10 to ff02::/16
    00900 allow ipv6-icmp from any to any ip6 icmp6types 1
    01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
    01100 check-state
    01200 allow tcp from me to any established
    01300 allow tcp from me to any setup keep-state
    01400 allow udp from me to any keep-state
    01500 allow icmp from me to any keep-state
    01600 allow ipv6-icmp from me to any keep-state
    01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
    01800 allow udp from any 67 to me dst-port 68 in
    01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
    02000 allow udp from fe80::/10 to me dst-port 546 in
    02100 allow icmp from any to any icmptypes 8
    02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
    02300 allow icmp from any to any icmptypes 3,4,11
    02400 allow ipv6-icmp from any to any ip6 icmp6types 3
    02500 allow tcp from any to me dst-port 22
    02600 allow tcp from any to me dst-port 443
    02700 allow tcp from any to me dst-port 80
    02800 allow tcp from any to me dst-port 500
    02900 allow tcp from any to me dst-port 4500
    65000 count ip from any to any
    65100 allow log udp from any to any dst-port 500 keep-state
    65200 allow log udp from any 500 to any keep-state
    65300 allow log udp from any to any dst-port 4500 keep-state
    65400 allow log udp from any 4500 to any keep-state
    65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
    65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
    65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
    65500 deny ip from any to 255.255.255.255
    65500 deny ip from any to 224.0.0.0/24 in
    65500 deny udp from any to any dst-port 520 in
    65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
    65500 deny log logamount 500 ip from any to any
    65535 deny ip from any to any

3 Answers

Just bumping my question. The delay due to the spam filter kind of killed the thread. The error messages are still showing up on the "console" and FreeBSD /var/messages:

Aug 8 22:21:42 theranch ntpd[732]: bind() fd 27, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 8 22:21:42 theranch ntpd[732]: unable to create socket on vtnet0 (597) for fe80::601:50ff:fe62:dd01#123

I switched to openntpd. I couldn't shake the ipv6 issues with ntpd. Openntpd works fine out of the box.
openntpd tutorial

Just a FYI. I went to openntp and that works.
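
A triage script for the ntpd messages quoted in this thread, added here as an example and not posted by any participant. It groups `bind()` failures by address and records the interface, the error text, and whether the address is IPv6 link-local; the sample lines are copied from the thread, and the function and pattern names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the syslog lines quoted in the thread (Aug 3 and Aug 8).
SAMPLE_LOG = """\
Aug 3 23:42:26 theranch ntpd[720]: ntpd 4.2.4p5-a (1)
Aug 3 23:42:26 theranch ntpd[721]: bind() fd 22, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 3 23:42:26 theranch ntpd[721]: unable to create socket on vtnet0 (2) for fe80::601:50ff:fe62:dd01#123
Aug 8 22:21:42 theranch ntpd[732]: bind() fd 27, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 8 22:21:42 theranch ntpd[732]: unable to create socket on vtnet0 (597) for fe80::601:50ff:fe62:dd01#123
"""

BIND_RE = re.compile(
    r"ntpd\[\d+\]: bind\(\) fd \d+, family (?P<family>AF_INET6?), "
    r"port (?P<port>\d+), scope (?P<scope>\d+), "
    r"addr (?P<addr>[0-9A-Fa-f:.]+), .*fails: (?P<error>.+)$"
)
SOCK_RE = re.compile(
    r"ntpd\[\d+\]: unable to create socket on (?P<iface>\S+) \(\d+\) "
    r"for (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)$"
)

def summarize(log_text):
    """Return {address: summary} for every address ntpd failed to bind."""
    failures = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m["addr"])
            entry = failures.setdefault(m["addr"], {
                "family": m["family"], "port": int(m["port"]),
                "link_local": ip.is_link_local, "interfaces": set(),
                "errors": Counter(),
            })
            entry["errors"][m["error"]] += 1
            continue
        # The follow-up line names the interface the socket was meant for.
        m = SOCK_RE.search(line)
        if m and m["addr"] in failures:
            failures[m["addr"]]["interfaces"].add(m["iface"])
    return failures

if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_LOG).items():
        print(addr, info)
```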
