ntpdate: "no server suitable for synchronization found"

[^rooker]

[PROBLEM]
I've been using "ntpdate" in the past successfully to synchronize GNU/Linux (mostly Debian-based) machines to an internal NTPd timeserver.

This time I got the following error message:

ntpdate[9747]: no server suitable for synchronization found

Although the ntpd was running and listening correctly on the network interfaces.
I've verified that using "nmap":

Code: Select all

$ nmap -v -sU -p 123 time.myinternal-ntpd-timeserver.example

Returned:

PORT STATE SERVICE
123/udp open|filtered ntp

[SOLUTION]
Running "ntpdate" in debug mode revealed the following message:

192.168.xxx.xxx: Server dropped: strata too high

The problem was, that my ntpd timeserver could not connect to external higher-stratum timeservers, due to changes in the firewall now blocking UDP port 123.
This causes the clients to "lose trust" in my internal ntpd-server

Therefore: Make sure your internal ntpd-timeserver can correctly connect and synchronize to external servers!


Links:

• NTP Server dropped: strata too high (Wiki/markelov.org)
• Serverfault: ntpdate server dropped: strata too high

[^rooker]

In case you want to configure a LAN-internal NTPd timeserver that stays trusted, even though it hasn't been able to sync to a low-stratum server for a while, you can probably use "orphan mode" for this.
See: http://support.ntp.org/bin/view/Support/OrphanMode

Add the following line to "/etc/ntp.conf" on clients:

Code: Select all

tos orphan N

Where "N" is the stratum level after which the clients switch to orphan-mode and accept a low-stratum server as clock source.