NTS not 'working', likely operator error
James Browning
jamesb192 at jamesb192.com
Tue Apr 9 01:51:05 UTC 2024
> On 04/08/2024 4:53 PM PDT ntpsec--- via users <users at ntpsec.org> wrote:
>
> Longtime ntpsec user, run my own raspi timeserver, works just dandy.
>
> Except somewhere along the path I apparently strayed, and I'm flummoxed. My ntp.log shows no errors related to NTS service. Everything functions seemingly fine - except that the NTS servers show no traffic from my peers. Cookies arrive, and gradually fade away. 'Reach' is always zero in ntpq. I've tested my firewall from outside, port 4460 TCP is open, and a telnet connects. My certificates are fine, and NTS receives the peer certs fine.
>
> For a time I thought it was my 'restrict' lines, but NTP peering is perfectly normal. If other eyes can see where the failure is, it would be greatly appreciated, I've spent much of the day futzing with this to no avail.
>
> NTS adoption doesn't seem to be really taking hold, but I'd still like to offer it. Diagnostics below.
I suspect for no valid reason at all that someone has placed a packet filter near your machine; I also suspect it has been set to some ridiculous criteria like 'drop all UDP port 123 packets longer than 48 bytes.'

A tool like tcpdump should give you an idea of what NTP traffic is actually on the wire versus what either end responds to. Not sorry about being useless; you might want to wait for someone else, or not; the lag can be pretty bad.
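The reply's hypothesis is testable from a capture: plain NTP packets are exactly 48 bytes, while NTS-protected ones carry RFC 8915 extension fields and are much longer, so a length-based filter would pass the former and silently eat the latter. The following is an added example, not code from the original post or from NTPsec: it parses the NTP header and extension-field chain of a UDP payload, reports which NTS extension fields are present, and shows which of a set of packets would survive a "drop UDP/123 longer than 48 bytes" rule. The sample packets are constructed inline (the cookie and authenticator bodies are opaque filler, not real NTS material); field type codes are those assigned in RFC 8915.

```python
"""Classify NTP payloads by length and extension fields (RFC 7822 / RFC 8915)."""
import struct

NTP_HEADER_LEN = 48

# Extension field types defined by RFC 8915 (Network Time Security for NTP).
NTS_EF_TYPES = {
    0x0104: "NTS Unique Identifier",
    0x0204: "NTS Cookie",
    0x0304: "NTS Cookie Placeholder",
    0x0404: "NTS Authenticator and Encrypted Extension Fields",
}


def parse_extension_fields(payload):
    """Return [(type, total_length), ...] for the extension fields that follow
    the 48-byte NTP header. Parsing stops at the first field whose declared
    length is malformed (below 4, not a multiple of 4, or past the end)."""
    fields = []
    offset = NTP_HEADER_LEN
    while offset + 4 <= len(payload):
        ef_type, ef_len = struct.unpack_from("!HH", payload, offset)
        if ef_len < 4 or ef_len % 4 or offset + ef_len > len(payload):
            break
        fields.append((ef_type, ef_len))
        offset += ef_len
    return fields


def classify(payload):
    """Summarise one NTP UDP payload: version, mode, total length and which
    NTS extension fields it carries (without decrypting anything)."""
    if len(payload) < NTP_HEADER_LEN:
        return {"valid": False, "length": len(payload)}
    version = (payload[0] >> 3) & 0x07
    mode = payload[0] & 0x07
    fields = parse_extension_fields(payload)
    nts_fields = [NTS_EF_TYPES[t] for t, _ in fields if t in NTS_EF_TYPES]
    return {
        "valid": True,
        "length": len(payload),
        "version": version,
        "mode": mode,
        "extension_fields": len(fields),
        "nts": bool(nts_fields),
        "nts_fields": nts_fields,
    }


def build_extension_field(ef_type, body):
    """Encode one extension field: type, total length, body padded to 4 bytes."""
    body = body + b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", ef_type, 4 + len(body)) + body


def size_filter_survivors(payloads, max_len=48):
    """Return the payloads a filter dropping UDP/123 datagrams longer than
    max_len bytes would let through (the rule hypothesised in the reply)."""
    return [p for p in payloads if len(p) <= max_len]


# Constructed sample packets (not captured from a real server).
# First header byte 0x23 = LI 0, version 4, mode 3 (client request).
PLAIN_CLIENT_REQUEST = bytes([0x23]) + b"\x00" * 47

NTS_CLIENT_REQUEST = (
    PLAIN_CLIENT_REQUEST
    + build_extension_field(0x0104, b"\x11" * 32)    # Unique Identifier: 32 bytes (filler)
    + build_extension_field(0x0204, b"\x22" * 100)   # one cookie: opaque 100-byte filler
    + build_extension_field(0x0304, b"\x00" * 100)   # cookie placeholder, same size as cookie
    # Authenticator body: nonce length, ciphertext length, nonce, ciphertext (filler)
    + build_extension_field(0x0404, struct.pack("!HH", 16, 16) + b"\x33" * 16 + b"\x44" * 16)
)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_CLIENT_REQUEST), ("nts", NTS_CLIENT_REQUEST)):
        print(name, classify(pkt))
    survivors = size_filter_survivors([PLAIN_CLIENT_REQUEST, NTS_CLIENT_REQUEST])
    print("packets passing a 48-byte limit:", len(survivors))
```

To apply it to a real problem, record both sides with `tcpdump -w` on the server and the client, extract the UDP payloads of port 123 traffic, and run `classify` over them: if requests reported as `nts: True` leave the client but never appear on the server, while plain 48-byte requests do, a length-sensitive filter between the two is the likely culprit; if they arrive and the server's replies are the ones that vanish, look at the return path instead.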