[vox-tech] I'm also having ntp problems :-(

Ryan vox-tech@lists.lugod.org
Wed, 24 Apr 2002 23:21:56 -0700


On Wednesday 24 April 2002 11:11 pm, msimons@moria.simons-clan.com wrote:
> On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> > The following seems to be happening...
> >
> > connections to a udp server on nat work fine both ways.
> >
> > connections to a udp server on bob only work for sending data to bob.
> >
> > in tcpdump, I see nat telling bob that the udp port is unreachable, yet
> > bob has no firewall.
> >
> > Very odd.....
>
>   Can you paste a 10 line tcpdump log showing this event?

23:18:56.151057 bob.ntp > nat.ntp:  [udp sum ok] v4 client strat 0 poll 4 prec -6 dist 1.000000 disp 1.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1066262965.417984008 (DF) (ttl 64, id 0, len 76)
23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp:  v4 client strat 0 poll 4 prec -6 dist 1.000000 disp 1.000000 ref (unspec)@0.000000000 [|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0]  (ttl 255, id 20476, len 104)
[repeated 3 times]

> A little background,
>   nat is (the nat/firewall/ntp machine)
>   bob is (the client)
> if not correct please explain.


Yes, correct.

nat's main job is to do NAT and firewall stuff.

> > On Wednesday 24 April 2002 10:51 pm, msimons@moria.simons-clan.com wrote:
> > > On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > > > On Wednesday 24 April 2002 10:04 pm, msimons@moria.simons-clan.com wrote:
> > > > >   Something is preventing port 123 UDP packets from going between
> > > > > bob and nat, you can see packets be transmitted and no reply.  It
> > > > > could also be that your ntpd is configured to not accept
> > > > > connections from bob.
> > > >
> > > > This can now be blamed on firewall rules.
> > >
> > > Something doesn't look right about this...
> > >
> > >   Both ntpq and ntpdate create the same type of UDP based socket,
> > > running from the same machine one of them gets replies the other
> > > does not (the packets are different sizes).  It is true that some
> > > length based firewall checks could be blocking the replies... but
> > > it's important to figure out what is broken before changing things
> > > and I still don't have enough information.  It could be either ntpd
> > > or the firewall, since it could as likely be server configuration
> > > (like only accepting certain client revisions).
> > >
> > >   If it still doesn't work after you have fun looking through your
> > > firewall rules install strace on the firewall and run the trace
> > > requested below.  If you can't use "apt-get install strace" then
> > > remember it is simply one big executable, scp it to the firewall
> > > from a similar machine and just run the binary from /tmp then
> > > nuke it.
> >
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
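As an added illustration (not part of the thread), a small Python checker that reads tcpdump text in the format quoted above and separates the three outcomes discussed: a server reply, an ICMP port-unreachable sent by the server host itself (what the quoted log shows, which points at nat's ntpd or nat's own rules rather than anything on bob), and a silent drop with no answer at all. The host names bob, nat, pool and quiet and every sample line below are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the tcpdump format quoted in the thread (hosts bob, nat);
# the pool/quiet exchanges and all timestamps and ids are made up for illustration.
SAMPLE_LOG = """\
23:18:56.151057 bob.ntp > nat.ntp:  [udp sum ok] v4 client strat 0 poll 4 (DF) (ttl 64, id 0, len 76)
23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp:  v4 client [|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0]  (ttl 255, id 20476, len 104)
23:19:10.000000 bob.ntp > pool.ntp:  [udp sum ok] v4 client strat 0 poll 4 (DF) (ttl 64, id 0, len 76)
23:19:10.020000 pool.ntp > bob.ntp:  [udp sum ok] v4 server strat 2 poll 4 (DF) (ttl 52, id 1, len 76)
23:19:20.000000 bob.ntp > quiet.ntp:  [udp sum ok] v4 client strat 0 poll 4 (DF) (ttl 64, id 0, len 76)
"""
# "<src>.ntp > <dst>.ntp: [udp sum ok] v4 client|server ..."
NTP_PKT = re.compile(r"^\S+ (\S+)\.ntp > (\S+)\.ntp:\s+\[udp sum ok\] v4 (client|server)")
# "<icmp_src> > <icmp_dst>: icmp: <host> udp port ntp unreachable for <client>.ntp > <server>.ntp"
ICMP_UNREACH = re.compile(
    r"^\S+ (\S+) > (\S+): icmp: \S+ udp port ntp unreachable for (\S+)\.ntp > (\S+)\.ntp")

def diagnose(log):
    """Map each (client, server) NTP flow seen in tcpdump text to a verdict string."""
    flows = defaultdict(lambda: {"req": 0, "resp": 0, "unreach_from": set()})
    for line in log.splitlines():
        m = NTP_PKT.match(line)
        if m:
            src, dst, mode = m.groups()
            key = (src, dst) if mode == "client" else (dst, src)
            flows[key]["req" if mode == "client" else "resp"] += 1
            continue
        m = ICMP_UNREACH.match(line)
        if m:
            icmp_src, _icmp_dst, client, server = m.groups()
            flows[(client, server)]["unreach_from"].add(icmp_src)
    verdicts = {}
    for (client, server), f in flows.items():
        if f["resp"]:
            verdict = "ok"
        elif server in f["unreach_from"]:
            # The server host itself sent the ICMP error: nothing is bound to 123/udp
            # there or its own rules REJECT; the client's firewall cannot be the cause.
            verdict = "rejected-by-server-host"
        elif f["unreach_from"]:
            verdict = "rejected-by-path:" + ",".join(sorted(f["unreach_from"]))
        else:
            verdict = "silent-drop"  # no reply and no ICMP: a DROP rule or lost packets
        verdicts[(client, server)] = verdict
    return verdicts

if __name__ == "__main__":
    for (c, s), v in diagnose(SAMPLE_LOG).items():
        print(f"{c} -> {s}: {v}")
```

Run it against `tcpdump -vv udp port 123 or icmp` output captured on the client to see which of the three cases applies before touching firewall rules.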