Ntpd synchronizes but chronyd fails

chronyntpntpdrhel7

I am setting up a time server with chronyd but it fails to sync.

# chronyc sources
210 Number of sources = 5
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? smtp.visionnet.us             0   10     0   10y     +0ns[   +0ns] +/-    0ns
^? nist1-lnk.binary.net          0   10     0   10y     +0ns[   +0ns] +/-    0ns
^? c-73-98-218-154.hsd1.ut.c     0   10     0   10y     +0ns[   +0ns] +/-    0ns
^? clock.xmission.com            0   10     0   10y     +0ns[   +0ns] +/-    0ns
^? time-c.timefreq.bldrdoc.g     0   10     0   10y     +0ns[   +0ns] +/-    0ns

Hours later, it still can't sync.

However, if I configure ntpd on the same host with the same ntp servers it syncs immediately:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-lithium.constan 18.26.4.105      2 u   50   64    7   74.746   13.677   1.487
*nist1-lnk.binar .ACTS.           1 u   49   64    7   48.827    6.845   4.008
+c-73-98-218-154 .GPS.            1 u   47   64    7   12.792    2.418   1.338
+clock.xmission. .XMIS.           1 u   49   64    7   22.799   12.845   1.272
-time-c.timefreq .NIST.           1 u   49   64    7   59.498   -2.968   1.434

If I watch tcpdump during both attempts I can see that when chrony attempts, it sends a NTPv4 Client packet and I never see a response, but when ntpd does it, I see the NTPv4 Client packet and the NTPv4 Server packet immediately after.

Is there something I'm missing? Does chrony talk on any other port than udp 123? (We do have a datacenter firewall that needed a hole opened to get out, but I can't shake the feeling that there might be something else needed by chronyd)

ENVIRONMENT:

System is RHEL 7.3 patched current one week ago

Here's my chrony.conf

server us.pool.ntp.org iburst
server time.nist.gov iburst
server time.nc7j.com iburst
server time.xmission.com iburst
server time-c.timefreq.bldrdoc.gov iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
allow 0.0.0.0/0

and for comparison, my ntp.conf

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server us.pool.ntp.org iburst
server time.nist.gov iburst
server time.nc7j.com iburst
server time.xmission.com iburst
server time-c.timefreq.bldrdoc.gov iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
logfile /var/log/ntp.log

Best Answer

The difference is that chronyd by default uses a random source port for each client request. If the firewall doesn't allow client requests from other ports than 123, you will need to specify the port by adding acquisitionport 123 to chrony.conf. The directive is documented here.

Related Topic