On 29.06.2012 21:56, dlaan wrote:
> Hello,
> Our LAG's having a problem reaching the ntp server.
> We noticed that the following line is added to the file /etc/ntp.conf
> "restrict default ignore"
> If we run the command "ntpq -pn" it fails with the following message
> localhost: timed out, nothing received
> ***Request timed out
> If we comment the line "restrict default ignore" and restart ntp it
> looks good:
> bike01:/etc # ntpq -pn
> remote refid st t when poll reach delay offset jitter
> ==============================================================================
> * .GPS. 1 u 25 64 3 0.723 -4.533 0.062
> The problem we're facing is that if we make some changes in Access
> Manager via the Admin Console you have to update servers.
> After the update is done the file /etc/ntp.conf is overwritten and the
> line "restrict default ignore" is uncommented again.
> So after a while the LAG's getting out of sync with the ntp server.
> At this point problems will occur.
> NAM version running:
> bike01 Gateway Appliance 3.1.4-57-7244B11DE1ED7EED
> OS:
> cat /etc/SuSE-release
> Novell Access Manager - Access Gateway Appliance 3.1.2 (i586)
> VERSION = 3.1

I've seen the exact same problem at a customer running 3.1.2 IR2.
It was a while ago, but referring to my notes showed I solved it by
adding the following two lines to /etc/ntp.conf (and leaving the
restrict default ignore line active).

Basically, you can have multiple restrict entries in ntp.conf.

The two lines I added were:

restrict mask noserve nomodify notrap
restrict xx.xx.xx.xx mask nomodify notrap

The first line allows local queries of the ntp subsystem (but prevents
ntpd from synchronising against itself/localhost). This line isn’t
strictly required but without this diagnostic commands like “ntpq -p”
don’t work.

The second line grants access to the subnet where the ntp servers
reside. This line overrides the “restrict default ignore” rule (only
for devices in the masked IP range). This makes time sync work.

Make sure to replace xx.xx.xx.xx with the actual subnet hosting your ntp
server(s) (you can fine tune the mask to further limit this if you feel
granting access to the entire subnet is excessive).

In testing this, this configuration was not overridden by changes pushed
out via the admin console (with the possible exception of changing the
list of ntp hosts).

Not really checked to see if this is fixed on newer versions of NAM. I
don't recall seeing any issues with the 3.1.4 LAG.
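
A way to check which restrict entry applies to a given source before restarting ntpd, added here as an example and not part of the original posts. It models the override described in the reply as "the most specific matching entry wins" for IPv4 only; 127.0.0.1, the masks and the 192.0.2.0/24 subnet are constructed placeholders, since the thread's own addresses are elided.

```python
import ipaddress

# Constructed sample; 192.0.2.0/24 is a documentation range standing in for
# the subnet that hosts the NTP servers (assumption, not from the thread).
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1 mask 255.255.255.255 noserve nomodify notrap
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 192.0.2.10
"""

def parse_restrict(conf_text):
    """Return [(IPv4Network, set_of_flags)] for every IPv4 restrict line."""
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"  # no "mask" keyword means a single host
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # hostname, IPv6 or placeholder text: out of scope
        rules.append((net, set(rest)))
    return rules

def effective_flags(rules, source):
    """Flags of the most specific restrict entry that covers `source`."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else set()

def audit(conf_text, ntp_servers):
    """Report, for localhost and each NTP server, whether ntpd drops its packets."""
    rules = parse_restrict(conf_text)
    report = {}
    for src in ["127.0.0.1"] + list(ntp_servers):
        flags = effective_flags(rules, src)
        report[src] = {"dropped": "ignore" in flags, "flags": sorted(flags)}
    return report

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_CONF, ["192.0.2.10"]).items():
        print(src, verdict)
```

A source reported as dropped corresponds to the symptoms in the thread: for 127.0.0.1 the "ntpq -pn" timeout, for a server address the loss of time sync.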