Re: [vox-tech] I'm also having ntp problems :-(

2002-04-26 Thread Ryan 

On Thursday 25 April 2002 10:52 pm, [EMAIL PROTECTED] wrote:
> On Thu, Apr 25, 2002 at 06:36:47PM -0700, Ryan wrote:
> > in playing with things some more, I can't get nat to connect to ANY
> > services on bob...
>
>   Cool, based on that last trace one or two things is happening:
> - You have no process listing to UDP port 123 on nat
> - Your firewall rules on nat are rejecting UDP traffic to port 123.
>
>   The strace of ntpd would finalize the problem, but it looks like
> you have a firewall rule filtering out the traffic.  ;)

No, really, I run 'nc -lp 1234' on bob, then 'nc bob 1234' on nat and it 
times out.

I also can't ssh from nat to bob (or fnord, my other box)
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-25 Thread msimons 

On Thu, Apr 25, 2002 at 06:36:47PM -0700, Ryan wrote:
> in playing with things some more, I can't get nat to connect to ANY
> services on bob...

  Cool, based on that last trace one or two things is happening:
- You have no process listing to UDP port 123 on nat
- Your firewall rules on nat are rejecting UDP traffic to port 123.

  The strace of ntpd would finalize the problem, but it looks like
you have a firewall rule filtering out the traffic.  ;)
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-25 Thread Ryan 

On Wednesday 24 April 2002 11:31 pm, [EMAIL PROTECTED] wrote:
> my bad, I kinda expect a verbose tcpdump...
>   tcpdump -tteni eth0
> -tt switches to a better time format,
> -e shows ethernet mac address info
> -n doesn't do name/server lookups so it's harder to hide errors.
> -i eth0 : you know this
>
>   I would like a trace of the same even from both hosts bob and nat...
> since tcpdump's view of events is sometimes faked out by firewall
> rules on the machine running the dump (things it sees don't really
> happen on the wire).

[root@bob root]# tcpdump -ttne
tcpdump: listening on eth0
1019784403.866888 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784403.867759 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784404.866821 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784404.867643 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784405.866835 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784405.867660 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784406.866822 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784406.867643 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]

[root@nat root]# tcpdump -ttne
tcpdump: listening on eth0
1019784406.612164 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784406.612481 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784407.611976 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784407.612251 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784408.611880 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784408.612151 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]
1019784409.611749 0:c0:f0:70:5:3d 0:40:5:74:4e:46 0800 90: 192.168.0.10.123 > 
192.168.0.1.123:  v4 client strat 0 poll 4 prec -6 (DF)
1019784409.612021 0:40:5:74:4e:46 0:c0:f0:70:5:3d 0800 118: 192.168.0.1 > 
192.168.0.10: icmp: 192.168.0.1 udp port 123 unreachable [tos 0xc0]

in playing with things some more, I can't get nat to connect to ANY services on 
bob...
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-25 Thread msimons 

  Well, after something like 16 months at the same IP, the ISP has 
decided to issue a new address to moria so DNS information is
broken, and I'm not going to receive any email until it is fixed...
worse yet if someone acquires the previous address email to me
may begin to bounce.

  If anyone wondered why I started participating in vox-tech 
email it was because just a few days ago the DNS records were
fixed, they had been broken for about 16 months which delayed
mail to moria by over 24 hours most of the time.

  Sigh,
Mike

...back to playing with debmirror.

On Thu, Apr 25, 2002 at 02:31:49AM -0400, [EMAIL PROTECTED] wrote:
> On Wed, Apr 24, 2002 at 11:21:56PM -0700, Ryan wrote:
> > On Wednesday 24 April 2002 11:11 pm, [EMAIL PROTECTED] wrote:
> > > On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread msimons 

On Wed, Apr 24, 2002 at 11:21:56PM -0700, Ryan wrote:
> On Wednesday 24 April 2002 11:11 pm, [EMAIL PROTECTED] wrote:
> > On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> > > The following seems to be happening...
> > >
> > > connections to a udp server on nat work fine both ways.
> > >
> > > connections to a udp server on bob only work for sending data to bob.
> > >
> > > in tcpdump, I see nat telling bob that the udp port is unreachable, yet
> > > bob has no firewall.
> > >
> > > Very odd.
> >
> >   Can you paste a 10 line tcpdump log showing this event?

my bad, I kinda expect a verbose tcpdump...
  tcpdump -tteni eth0
-tt switches to a better time format,
-e shows ethernet mac address info
-n doesn't do name/server lookups so it's harder to hide errors.
-i eth0 : you know this

  I would like a trace of the same even from both hosts bob and nat...
since tcpdump's view of events is sometimes faked out by firewall
rules on the machine running the dump (things it sees don't really 
happen on the wire).

> 23:18:56.151057 bob.ntp > nat.ntp:  [udp sum ok] v4 client strat 0 poll 4 prec -6 
>dist 1.00 disp 1.00 ref (unspec)@0.0 orig 0.0 rec 
>-0.0 xmt -1066262965.417984008 (DF) (ttl 64, id 0, len 76)
> 23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp: 
> v4 client strat 0 poll 4 prec -6 dist 1.00 disp 1.00 ref 
>(unspec)@0.0 [|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0]  (ttl 255, id 
>20476, len 104)
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread Ryan 

On Wednesday 24 April 2002 11:11 pm, [EMAIL PROTECTED] wrote:
> On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> > The following seems to be happening...
> >
> > connections to a udp server on nat work fine both ways.
> >
> > connections to a udp server on bob only work for sending data to bob.
> >
> > in tcpdump, I see nat telling bob that the udp port is unreachable, yet
> > bob has no firewall.
> >
> > Very odd.
>
>   Can you paste a 10 line tcpdump log showing this event?

23:18:56.151057 bob.ntp > nat.ntp:  [udp sum ok] v4 client strat 0 poll 4 prec -6 dist 
1.00 disp 1.00 ref (unspec)@0.0 orig 0.0 rec -0.0 xmt 
-1066262965.417984008 (DF) (ttl 64, id 0, len 76)
23:18:56.151341 nat > bob: icmp: nat udp port ntp unreachable for bob.ntp > nat.ntp:  
v4 client strat 0 poll 4 prec -6 dist 1.00 disp 1.00 ref (unspec)@0.0 
[|ntp] (DF) (ttl 64, id 0, len 76) [tos 0xc0]  (ttl 255, id 20476, len 104)
[repeated 3 times]

> A little background,
>   nat is (the nat/firewall/ntp machine)
>   bob is (the client)
> if not correct please explain.


Yes, correct.

nat's main job is to do NAT and firewall stuff.

> > On Wednesday 24 April 2002 10:51 pm, [EMAIL PROTECTED] wrote:
> > > On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > > > On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
> > > > >   Something is preventing port 123 UDP packets from going between
> > > > > bob and nat, you can see packets be transmitted and no reply.  It
> > > > > could also be that your ntpd is configured to not accept
> > > > > connections from bob.
> > > >
> > > > This can now be blamed on firewall rules.
> > >
> > > Something doesn't look right about this...
> > >
> > >   Both ntdq and ntpdate create the same type of UDP based socket,
> > > running from the same machine one of them gets replies the other
> > > does not (the packets are different sizes).  It is true that some
> > > length based firewall checks could be blocking the replies... but
> > > it's important to figure out what is broken before changing things
> > > and I still don't have enough information.  It could be either ntpd
> > > or the firewall, since it could as likely be server configuration
> > > (like only accepting certain client revisions).
> > >
> > >   If it still doesn't work after you have fun looking through your
> > > firewall rules install strace on the firewall and run the trace
> > > requested below.  If you can't use "apt-get install strace" then
> > > remember it is simply one big executable, scp it to the firewall
> > > from a similar machine and just run the binary from /tmp then
> > > nuke it.
> >
> > ___
> > vox-tech mailing list
> > [EMAIL PROTECTED]
> > http://lists.lugod.org/mailman/listinfo/vox-tech
>
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread msimons 

On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> The following seems to be happening...
> 
> connections to a udp server on nat work fine both ways.
> 
> connections to a udp server on bob only work for sending data to bob.
> 
> in tcpdump, I see nat telling bob that the udp port is unreachable, yet bob 
> has no firewall.
> 
> Very odd.

  Can you paste a 10 line tcpdump log showing this event?

A little background, 
  nat is (the nat/firewall/ntp machine)
  bob is (the client)
if not correct please explain.

> On Wednesday 24 April 2002 10:51 pm, [EMAIL PROTECTED] wrote:
> > On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > > On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
> > > >   Something is preventing port 123 UDP packets from going between
> > > > bob and nat, you can see packets be transmitted and no reply.  It
> > > > could also be that your ntpd is configured to not accept connections
> > > > from bob.
> > >
> > > This can now be blamed on firewall rules.
> >
> > Something doesn't look right about this...
> >
> >   Both ntdq and ntpdate create the same type of UDP based socket,
> > running from the same machine one of them gets replies the other
> > does not (the packets are different sizes).  It is true that some
> > length based firewall checks could be blocking the replies... but
> > it's important to figure out what is broken before changing things
> > and I still don't have enough information.  It could be either ntpd
> > or the firewall, since it could as likely be server configuration
> > (like only accepting certain client revisions).
> >
> >   If it still doesn't work after you have fun looking through your
> > firewall rules install strace on the firewall and run the trace
> > requested below.  If you can't use "apt-get install strace" then
> > remember it is simply one big executable, scp it to the firewall
> > from a similar machine and just run the binary from /tmp then
> > nuke it.
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread Ryan 

The following seems to be happening...

connections to a udp server on nat work fine both ways.

connections to a udp server on bob only work for sending data to bob.

in tcpdump, I see nat telling bob that the udp port is unreachable, yet bob 
has no firewall.

Very odd.

On Wednesday 24 April 2002 10:51 pm, [EMAIL PROTECTED] wrote:
> On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
> > >   Something is preventing port 123 UDP packets from going between
> > > bob and nat, you can see packets be transmitted and no reply.  It
> > > could also be that your ntpd is configured to not accept connections
> > > from bob.
> >
> > This can now be blamed on firewall rules.
>
> Something doesn't look right about this...
>
>   Both ntdq and ntpdate create the same type of UDP based socket,
> running from the same machine one of them gets replies the other
> does not (the packets are different sizes).  It is true that some
> length based firewall checks could be blocking the replies... but
> it's important to figure out what is broken before changing things
> and I still don't have enough information.  It could be either ntpd
> or the firewall, since it could as likely be server configuration
> (like only accepting certain client revisions).
>
>   If it still doesn't work after you have fun looking through your
> firewall rules install strace on the firewall and run the trace
> requested below.  If you can't use "apt-get install strace" then
> remember it is simply one big executable, scp it to the firewall
> from a similar machine and just run the binary from /tmp then
> nuke it.
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread msimons 

On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
> >   Something is preventing port 123 UDP packets from going between
> > bob and nat, you can see packets be transmitted and no reply.  It
> > could also be that your ntpd is configured to not accept connections
> > from bob.
> 
> This can now be blamed on firewall rules.

Something doesn't look right about this...

  Both ntdq and ntpdate create the same type of UDP based socket,
running from the same machine one of them gets replies the other
does not (the packets are different sizes).  It is true that some 
length based firewall checks could be blocking the replies... but
it's important to figure out what is broken before changing things
and I still don't have enough information.  It could be either ntpd 
or the firewall, since it could as likely be server configuration 
(like only accepting certain client revisions).

  If it still doesn't work after you have fun looking through your
firewall rules install strace on the firewall and run the trace 
requested below.  If you can't use "apt-get install strace" then
remember it is simply one big executable, scp it to the firewall 
from a similar machine and just run the binary from /tmp then
nuke it.

> [root@bob root]# strace -e connect,socket,sendto ntpq -ddn -c peers 
> 192.168.0.1 2>&1 | grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'
> 
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
> connect(3, {sin_family=AF_INET, sin_port=htons(123), 
> sin_addr=inet_addr("192.168.0.1")}}, 16) = 0
> Got packet, size = 20
> 
> [root@bob root]# strace -e connect,socket,sendto ntpdate -qd 192.168.0.1 2>&1 
> | grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'
> 
> 24 Apr 22:17:59 ntpdate[7455]: ntpdate [EMAIL PROTECTED] Wed Feb 27 16:42:53 CET 
> 2002 (1)
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
> --- SIGALRM (Alarm clock) ---
> transmit(192.168.0.1)
> sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
> {sin_family=AF_INET, sin_port=htons(123), 
> sin_addr=inet_addr("192.168.0.1")}}, 16) = 48
> --- SIGALRM (Alarm clock) ---
> --- SIGALRM (Alarm clock) ---
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread Ryan 

On Wednesday 24 April 2002 10:04 pm, [EMAIL PROTECTED] wrote:
>   Something is preventing port 123 UDP packets from going between
> bob and nat, you can see packets be transmitted and no reply.  It
> could also be that your ntpd is configured to not accept connections
> from bob.

Debugging things with netcat in udp mode reveals that if bob runs
`nc -ulp 123` bob recives packets, but can't get them back to nat.

With nc listening on nat, however, it works both ways.

This can now be blamed on firewall rules.

Ugh.

>   Below are two commands as they show up on my local network,
> if you could verify that the UDP packets are not being dropped,
> then send the output from the following commands it would help.
>
> root@star:/tmp#
>   strace -e connect,socket,sendto ntpq -ddn -c peers 10.1.1.1 2>&1 |
> grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'
>
>
> # socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
> # connect(3, {sin_family=AF_INET, sin_port=htons(123),
> sin_addr=inet_addr("10.1.1.1")}}, 16) = 0 # Got packet, size = 24
> # Packet okay
> #  remote   refid  st t when poll reach   delay   offset 
> jitter #
> ===
>=== # Got packet, size = 428
> # Packet okay
> # Got packet, size = 192
> # Packet okay
> # +169.237.105.80  192.5.41.41  2 u   28  256  377   32.159  -11.673  
> 4.231

[root@bob root]# strace -e connect,socket,sendto ntpq -ddn -c peers 
192.168.0.1 2>&1 | grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'

socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
connect(3, {sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("192.168.0.1")}}, 16) = 0
Got packet, size = 20
Packet okay
 remote   refid  st t when poll reach   delay   offset  jitter
==
Got packet, size = 420
Packet okay
Got packet, size = 204
Packet okay
*192.43.244.18   .ACTS.   1 u  135  512  377  133.955   -2.932  12.280
Got packet, size = 428
Packet okay
Got packet, size = 192
Packet okay
+207.215.64.108  192.5.41.41  2 u   98  512  377   25.751   23.138   1.170

> root@star:/tmp#
>   strace -e connect,socket,sendto ntpdate -qd 10.1.1.1 |
> grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'
>
> # socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
> # 24 Apr 21:59:09 ntpdate[12079]: ntpdate 4.1.0 Mon Mar 25 23:39:50 UTC
> 2002 (2) # --- SIGALRM (Alarm clock) ---
> # transmit(10.1.1.1)
> # sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 48, 0, {sin_family=AF_INET, sin_port=htons(123),
> sin_addr=inet_addr("10.1.1.1")}}, 16) = # 48
> # receive(10.1.1.1)
> # transmit(10.1.1.1)
> # sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 48, 0, {sin_family=AF_INET, sin_port=htons(123),
> sin_addr=inet_addr("10.1.1.1")}}, 16) = # 48
>

[root@bob root]# strace -e connect,socket,sendto ntpdate -qd 192.168.0.1 2>&1 
| grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'

24 Apr 22:17:59 ntpdate[7455]: ntpdate [EMAIL PROTECTED] Wed Feb 27 16:42:53 CET 
2002 (1)
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
--- SIGALRM (Alarm clock) ---
transmit(192.168.0.1)
sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("192.168.0.1")}}, 16) = 48
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
transmit(192.168.0.1)
sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("192.168.0.1")}}, 16) = 48
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
transmit(192.168.0.1)
sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("192.168.0.1")}}, 16) = 48
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
transmit(192.168.0.1)
sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("192.168.0.1")}}, 16) = 48
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
--- SIGALRM (Alarm clock) ---
transmit(192.168.0.1)
192.168.0.1: Server dropped: no data
server 192.168.0.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [0.0.0.0], delay 0.0, dispersion 64.0
transmitted 4, in filter 4
reference time:.  Wed, Feb  6 2036 22:28:16.000
originate timestamp: .  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  c072100a.953f39d1  Wed, Apr 24 2002 22:18:02.582
filter delay:  0.0  0.0  0.0  0.0
 0.0

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread msimons 

On Wed, Apr 24, 2002 at 09:37:08PM -0700, Ryan wrote:
> On Wednesday 24 April 2002 08:16 pm, [EMAIL PROTECTED] wrote:
> >   I would recommend you drop localhost from your configuration then pick
> > a series of time servers which are the same stratum.
> 
> Ok, didn't help...
> 
> > > [root@bob root]# ntpdate nat
> > > 24 Apr 18:02:18 ntpdate[3482]: no server suitable for synchronization
> > > found
> >
> >   If you add -q it will show you the results from each machines it tried,
> > and which one it would pick.  A -d to see what it's doing, in the
> > output look for a line like this:
> > # stratum 16, precision -17, leap 11, trust 000
> >   When a machine reports itself at stratum 16, it is basically saying
> > don't trust me, I don't think I'm synchronized against anything.
> 
> [root@bob root]# ntpdate -q nat
> transmit(192.168.0.1)
> transmit(192.168.0.1)
> transmit(192.168.0.1)
> transmit(192.168.0.1)
> transmit(192.168.0.1)
> 192.168.0.1: Server dropped: no data

  Something is preventing port 123 UDP packets from going between 
bob and nat, you can see packets be transmitted and no reply.  It
could also be that your ntpd is configured to not accept connections
from bob.

  Below are two commands as they show up on my local network,
if you could verify that the UDP packets are not being dropped,
then send the output from the following commands it would help.


root@star:/tmp# 
  strace -e connect,socket,sendto ntpq -ddn -c peers 10.1.1.1 2>&1 | 
grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'

# socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
# connect(3, {sin_family=AF_INET, sin_port=htons(123), 
sin_addr=inet_addr("10.1.1.1")}}, 16) = 0
# Got packet, size = 24
# Packet okay
#  remote   refid  st t when poll reach   delay   offset  jitter
# ==
# Got packet, size = 428
# Packet okay
# Got packet, size = 192
# Packet okay
# +169.237.105.80  192.5.41.41  2 u   28  256  377   32.159  -11.673   4.231


root@star:/tmp# 
  strace -e connect,socket,sendto ntpdate -qd 10.1.1.1 | 
grep -Ev '(htons\(53\)|AF_UNIX|PF_UNIX)'

# socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
# 24 Apr 21:59:09 ntpdate[12079]: ntpdate 4.1.0 Mon Mar 25 23:39:50 UTC 2002 (2)
# --- SIGALRM (Alarm clock) ---
# transmit(10.1.1.1)
# sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("10.1.1.1")}}, 16) =
# 48
# receive(10.1.1.1)
# transmit(10.1.1.1)
# sendto(3, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sin_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("10.1.1.1")}}, 16) =
# 48

Now on the firewall...

root@seawolf:~# strace -p `pidof ntpd` -e recvfrom

# --- SIGALRM (Alarm clock) ---
# recvfrom(6, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500, 0, 
{sin_family=AF_INET, sin_port=htons(1458), sin_addr=inet_addr("10.1.1.27")}}, [16]) = 
48
# recvfrom(6, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500, 0, 
{sin_family=AF_INET, sin_port=htons(1458), sin_addr=inet_addr("10.1.1.27")}}, [16]) = 
48
# recvfrom(6, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500, 0, 
{sin_family=AF_INET, sin_port=htons(1458), sin_addr=inet_addr("10.1.1.27")}}, [16]) = 
48
# recvfrom(6, "\343\0\4\372\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500, 0, 
{sin_family=AF_INET, sin_port=htons(1458), sin_addr=inet_addr("10.1.1.27")}}, [16]) = 
48
# --- SIGALRM (Alarm clock) ---
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread Ryan 

On Wednesday 24 April 2002 08:16 pm, [EMAIL PROTECTED] wrote:
> On Wed, Apr 24, 2002 at 06:03:56PM -0700, Ryan wrote:
> > I just set up ntpd on my firewall, and am trying to use it as a ntp relay
> > to sync my local lan to.
>
> [...]
>
> > The port's open and it will tell me about it's peers when i connect to it
> > with ntpq...
>
>   For a few minutes after restarting the ntpd it will tell clients not
> to synchronize off of itself.  You may have to wait (about 5 mins) for
> the server to get itself happy.

Nope, that's not it :-(

> > [root@bob root]# ntpq -c peers nat
> >  remote   refid  st t when poll reach   delay   offset 
> > jitter
> > =
> >= LOCAL(0)LOCAL(0)10 l-   64  3770.000   
> > 0.000   0.000 *time.nist.gov   .ACTS.   1 u-   64  377  
> > 66.324   11.718   1.090 +step.mother.com ntp1.usno.navy.  2 u   14   64 
> > 377   26.117   -0.109   0.941
>
>^^ stratum column
>
>   From what I understand you have the "nat" machine synchronizing off of
> three sources, itself and two remote time servers, it has picked
> time.nist.gov to use as it's reference (probably because it has a lower
> stratum level). When I last played around with ntp clients I found that
> regardless of how close different sources are from localtime, the clients
> would first sort by stratum, then all the machines with the lowest stratum
> would be selected for "closest to me".
>
>   You don't have a reliable local time source so you shouldn't sync against
> the local machine, I've seen ntp servers that have themselves in their
> peers list rule out the other servers (because of network connections),
> then go around reporting themselves as stratum 0 machines, which can
> totally other clients using that machine's clock (because of the block
> above).
>
>   I would recommend you drop localhost from your configuration then pick
> a series of time servers which are the same stratum.

Ok, didn't help...

> > [root@bob root]# ntpdate nat
> > 24 Apr 18:02:18 ntpdate[3482]: no server suitable for synchronization
> > found
>
>   If you add -q it will show you the results from each machines it tried,
> and which one it would pick.  A -d to see what it's doing, in the
> output look for a line like this:
> # stratum 16, precision -17, leap 11, trust 000
>   When a machine reports itself at stratum 16, it is basically saying
> don't trust me, I don't think I'm synchronized against anything.

[root@bob root]# ntpdate -q nat24 Apr 21:30:47 ntpdate[7067]: ntpdate 
[EMAIL PROTECTED] Wed Feb 27 16:42:53 CET 2002 (1)
transmit(192.168.0.1)
transmit(192.168.0.1)
transmit(192.168.0.1)
transmit(192.168.0.1)
transmit(192.168.0.1)
192.168.0.1: Server dropped: no data
server 192.168.0.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [0.0.0.0], delay 0.0, dispersion 64.0
transmitted 4, in filter 4
reference time:.  Wed, Feb  6 2036 22:28:16.000
originate timestamp: .  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  c07204fa.dcaf9229  Wed, Apr 24 2002 21:30:50.862
filter delay:  0.0  0.0  0.0  0.0
 0.0  0.0  0.0  0.0
filter offset: 0.00 0.00 0.00 0.00
 0.00 0.00 0.00 0.00
delay 0.0, dispersion 64.0
offset 0.00

24 Apr 21:30:51 ntpdate[7067]: no server suitable for synchronization found

>   If you try this stuff and are still having problems post some more
> details.
>
> Later,
>   Mike
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread msimons 

On Wed, Apr 24, 2002 at 06:03:56PM -0700, Ryan wrote:
> I just set up ntpd on my firewall, and am trying to use it as a ntp relay to 
> sync my local lan to.
[...]
> The port's open and it will tell me about it's peers when i connect to it 
> with ntpq...

  For a few minutes after restarting the ntpd it will tell clients not 
to synchronize off of itself.  You may have to wait (about 5 mins) for
the server to get itself happy.

> [root@bob root]# ntpq -c peers nat
>  remote   refid  st t when poll reach   delay   offset  jitter
> ==
>  LOCAL(0)LOCAL(0)10 l-   64  3770.0000.000   0.000
> *time.nist.gov   .ACTS.   1 u-   64  377   66.324   11.718   1.090
> +step.mother.com ntp1.usno.navy.  2 u   14   64  377   26.117   -0.109   0.941
   ^^ stratum column

  From what I understand you have the "nat" machine synchronizing off of three
sources, itself and two remote time servers, it has picked time.nist.gov to
use as it's reference (probably because it has a lower stratum level).
When I last played around with ntp clients I found that regardless of
how close different sources are from localtime, the clients would first
sort by stratum, then all the machines with the lowest stratum would
be selected for "closest to me".

  You don't have a reliable local time source so you shouldn't sync against 
the local machine, I've seen ntp servers that have themselves in their peers
list rule out the other servers (because of network connections), then 
go around reporting themselves as stratum 0 machines, which can totally 
other clients using that machine's clock (because of the block above).

  I would recommend you drop localhost from your configuration then pick 
a series of time servers which are the same stratum.

> [root@bob root]# ntpdate nat
> 24 Apr 18:02:18 ntpdate[3482]: no server suitable for synchronization found

  If you add -q it will show you the results from each machines it tried,
and which one it would pick.  A -d to see what it's doing, in the
output look for a line like this:
# stratum 16, precision -17, leap 11, trust 000
  When a machine reports itself at stratum 16, it is basically saying
don't trust me, I don't think I'm synchronized against anything.

  If you try this stuff and are still having problems post some more 
details.

Later,
  Mike
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

[vox-tech] I'm also having ntp problems :-(

2002-04-24 Thread Ryan 

I just set up ntpd on my firewall, and am trying to use it as a ntp relay to 
sync my local lan to.

It no work.

The port's open and it will tell me about it's peers when i connect to it 
with ntpq...

[root@bob root]# ntpq -c peers nat
 remote   refid  st t when poll reach   delay   offset  jitter
==
 LOCAL(0)LOCAL(0)10 l-   64  3770.0000.000   0.000
*time.nist.gov   .ACTS.   1 u-   64  377   66.324   11.718   1.090
+step.mother.com ntp1.usno.navy.  2 u   14   64  377   26.117   -0.109   0.941

But trying to get the time from it is a problem.

[root@bob root]# ntpdate nat
24 Apr 18:02:18 ntpdate[3482]: no server suitable for synchronization found
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech