How to configure NTP on the Linux Appliance:
On the NetSight Linux Appliance:
- SSH into the NetSight Server
- Run the command:
- Configure NTP settings as desireable
On the NAC Linux Appliances
- SSH into the NAC appliance
- Run the command:
NOTE: The nacconfig script will stop services to reconfigure network settings and apply NTP configurations. There will be a brief downtime when this script completes.
- Run through the nacconfig script until the NTP settings are prompted. Configured as desired.
- Once the script completes NAC services will be restarted, there will be a brief outage of services during this time.
Viewing and troubleshooting NTP once configured:
To view current ntp status run the following command:
This will display output that will look similar to the following:
root@TESTNAC2:~$ ntpq -np
remote refid st t when poll reach delay offset jitter
*10.58.210.4 LOCAL(0) 11 u 17 64 37 1.332 0.107 24.921
- The asterisk indicates the preferred update node.
- Remote: Is the address of the time server
- Refid: Indicates the type of time server .LOCAL. means the local clock, .DCFa. is a DCF77 receiver, .PPS. is a hardware device generating a pulse every second.
- st: Stradtum indicates the accuracy to be expected.
- t: Type of time server, "u" is for "unicast" and "l" for local
- when: How much time has elapsed since the last attempted poll
- poll: How often the poll is attempted. When the "when" counter reaches the value in the "poll" field NTP will attempt another poll.
- reach: The column reach shows if a reference time source could be reached at the last polling intervals, i.e. data could be read from the reference time source, and the reference time source was synchronized. The value must be interpreted as an 8 bit shift register whose contents is displayed as octal values. If the NTP daemon has just started, the value is 0. Each time a query was successful a '1' is shifted in from the right, so after the daemon has been started the sequence of reach numbers 0, 1, 3, 7, 17, 37, 77, 177, 377. The maximum value 377 means that the eight last queries were completed successfully. The NTP daemon must have reached a reference time source several times (reach not 0) before it selects a preferred time source and puts an asterisk in the first column.
- delay: Value from the round trip time of the queries
- offset: value shows the difference between the reference time and the system clock
- jitter: indicates the magnitude of jitter between several time queries
If the reach column does not read a value of 377 it indicates that there have been unsuccessful polls that have been recorded. This is an indication that there is a problem contacting the time server. If you are seeing problems contacting the time server take a trace on the appliance to determine if there is a response from the time server, or if the time server is responding incorrectly. Why is their time variance on poll intervals, and how can I address this?
From the man page
|By default, ntpd runs in continuous mode where each of possibly several external servers is polled at|
intervals determined by an intricate state machine. The state machine measures the incidental
roundtrip delay jitter and oscillator frequency wander and determines the best poll interval using a
heuristic algorithm. Ordinarily, and in most operating environments, the state machine will start
with 64s intervals and eventually increase in steps to 1024s. A small amount of random variation is
introduced in order to avoid bunching at the servers. In addition, should a server become unreachable
for some time, the poll interval is increased in steps to 1024s in order to reduce network overhead.
The recommended method to change this is to reduce the minpool and maxpool timers on the ntp.conf file to compensate for networks that have challenges with keeping time servers available.
to reduce to minimum values of ntp polling, edit the /etc/ntp.conf
file to addminpool 3
These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two. The maximum poll interval defaults to 10 (1,024 s), but can be increased by the maxpoll option to an upper limit of 17 (36.4 h). The minimum poll interval defaults to 6 (64 s), but can be decreased by the minpoll option to a lower limit of 3 (8 s). These option are valid only with the server and peer commands.