SSPI does not sync time from provided ntp servers.
Article ID: 403357
Updated On:
Products
VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
The NTP servers provided during SSP Installer deployment get configured, but SSP Installer fails to sync time from the NTP server. This may lead to system time going out of sync on the SSP Installer node.
Symptoms:
Unable to login to SSP UI.
When you login to SSP-Installer UI with admin credentials, Navigate to "Instance Management -> vCenter Parameters" an error stating "interval extended with clock tolerance of 600000 ms: ... . This might be due to a clock skew problem." is seen.
Environment
Security Services Platform 5.0.0
Cause
- The ntp.conf file of NTP adds the provided ntp entries as "
pool", but does not remove "nopeer" config for the ntp entry. The "nopeer" needs to be off for ntp "pools" to work. - To verify if NTP time is not getting synced. Run command "
ntpq -pn" from the root shell of SSP Installer node. If the command does not show at least one ntp server with "*", time is not getting synced.
Resolution
- Remove "
nopeer" from each line of ntp entries configured on SSPI. From root shell of SSPI -
vi /etc/ntp.conf
Change-pool <ntp-server-entry> iburstrestrict <ntp-server-entry> nomodify notrap nopeer noquery
to
pool <ntp-server-entry> iburstrestrict <ntp-server-entry> nomodify notrap noquery
- Similarly for each entry <ntp-server-entry> in
/etc/ntp.conffile in SSPI node.
Restart ntp service after modifying above entries -service ntp restart
- Verify if the time is syncing by running command "
ntpq -pn" from the root shell of SSP Installer. If the command shows at least 1 ntp server entry with a "*", time is getting synced.
Note : This Issue is fixed in SSP 5.1
Feedback
Yes
No
Powered by
