KB44738 - vTM VA as NTP server, w32tm, and timeouts

Last Modified Date: 3/23/2021 4:26 PM
Problem or Goal
When using the PulseSecure Virtual Traffic Manager Virtual Appliance (vTM VA) as an NTP server and testing it with the "w32tm" command-line utility, some requests time out.
The root cause is a rate limit on NTP requests of 1 request every 8 seconds: w32tm sends requests faster than this limit, so some are dropped.
Current versions of vTM VA ship with David L. Mills' Network Time Protocol (NTP) Daemon, which can be used as an NTP server. To configure this and increase the rate limit:

1) Log in to vTM's web UI, navigate to System > Time > NTP Settings, and make sure three or more reference NTP servers are listed.
2) Log in to vTM's CLI/SSH and edit /etc/ntp.conf as described in steps 3 and 4.
3) Add a new line saying "discard average 0 minimum 0" (without quotes).
4) Save the file and quit the editor.
5) Run "service ntp restart".
6) Wait a minute, then run "ntpq -np".
7) In the output of that command, look for:
- "offset" being small - well below 1000 milliseconds.
- "reach" being non-zero, and increasing over time (until it reaches 377).
- "refid" column being populated with anything other than ".INIT.".
- an asterisk "*" appearing to the left of one of the IPs in the "remote" column.
8) Repeat steps 6 and 7 until all four conditions above are satisfied.
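
The checks in step 7 can be scripted. The following is an added example, not part of the original article or of vTM: the function name check_ntpq, the sample peer addresses, and the choice to apply the checks to the peer marked "*" are assumptions, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: evaluate `ntpq -np` output against the four checks in step 7.
# Assumption: the run passes when the peer marked "*" meets all of them.
# On the appliance: ntpq -np | check_ntpq

check_ntpq() {
  # $1 = largest acceptable |offset| in ms (default 1000, the article's upper
  # bound; pass a smaller value to require "well below").
  awk -v limit="${1:-1000}" '
    /^ *remote/ || /^=+/ || NF < 10 { next }     # header, rule, short lines
    {
      tally  = substr($0, 1, 1)                  # "*" marks the selected peer
      remote = (tally == " ") ? $1 : substr($1, 2)
      refid  = $2; reach = $7; offset = $9 + 0
      mag    = (offset < 0) ? -offset : offset
      why = ""
      if (refid == ".INIT.") why = why " refid=.INIT."
      if (reach + 0 == 0)    why = why " reach=0"
      if (mag >= limit)      why = why " offset>=" limit "ms"
      if (tally == "*") { selected++; if (why == "") good = 1 }
      printf "%s%-15s reach=%-3s offset=%9.3f ms  %s\n",
             tally, remote, reach, offset, (why == "" ? "ok" : "FAIL:" why)
    }
    END {
      if (selected == 0) print "no peer marked with *"
      exit (good ? 0 : 1)
    }'
}

# Constructed sample: one selected peer, one candidate, one still initialising.
sample_synced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    1.234    0.512   0.101
+192.0.2.11      198.51.100.1     2 u   40   64  377    2.345   -1.204   0.233
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Constructed sample: every peer stuck at .INIT. with reach 0.
sample_stuck() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

sample_synced | check_ntpq
sample_stuck  | check_ntpq || echo "not synchronised yet"
```

A single run cannot show "reach" increasing over time, so it only checks that the value is non-zero; rerun it as step 8 describes.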

Note that the change to /etc/ntp.conf will not be preserved across future upgrades because the file is outside of vTM's configuration management system.

Troubleshooting if offset is above 1000 seconds:
1) From web UI > System > Time, click "Sync Time Now".
2) Repeat steps 6 and 7 of the configuration procedure above.

Troubleshooting if ntpq reports "ntpq: read: Connection refused":
1) Run "service ntp status".
2) Look for "panic_stop +123456 s; set clock manually within 1000 s.".
3) If found, follow the "above 1000 seconds" procedure above.

Troubleshooting if reach, delay, offset and jitter are all stuck at "0" and refid is stuck at ".INIT.":
1) Check that the firewall allows outbound UDP port 123.
2) Check that the correct IPs/hostnames for the reference NTP servers are configured.
3) (If the reference NTP servers are configured by name) Check DNS.
Created By: Andy Chernyak