Re: [chrony-users] Many servers became unreachable

[Roel Schroeven <roel@xxxxxxxxxxxxxxxxx>]

Miroslav Lichvar schreef:

On Mon, Jun 01, 2015 at 07:36:37PM +0200, Roel Schroeven wrote:
  

Roel Schroeven schreef op 2015-06-01 17:41:
    

That setup has worked nicely for quote some time, but today suddenly it
failed: chrony can't connect to its upstream servers anymore, and I have no
idea why.
      

Everything works again now. It's a complete mystery to me.
    

It's probably the NAT on your firewall giving you source ports below
123, which older ntpd versions reject as bogus:

https://bugs.ntp.org/show_bug.cgi?id=2174

ntpdate -q works because it uses a random source port. chronyd
in recent versions does that too by default.

Aha, that sounds plausible.

According to tcpdump, initially chrony sends requests from a random port (41820 in this case) and does indeed receive replies; after that it starts using port 123 and receives no more replies. I can't see what the NAT does with that, so I assume you're right.

Thanks for clearing up the mystery!


Best regards,
Roel

-- 
"Life ain't no fairy tale
Just give me another ale
And I'll drink to Rock 'n Roll"
        -- Barkeep (The Scabs)

-- To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject. For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject. Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.