This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG blocks its own NTP queries

ASG has begun blocking its own queries to external NTP servers. ASG "System Settings", "Time and Date" settings are configured to use "pool.ntp.org" time servers. When I click "Test Configured Servers", 3 out of 4 return "failed" result and the one return indicates minutes of offset.
Have also tried configuring for "north-america.pool.ntp.org".

LOG EXTRACT (entries are contiguous):
20:21:14 Default DROP UDP :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:23:29 Default DROP UDP :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:23:45 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:24:01 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:26:10 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:26:26 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:26:42 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:28:52 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

20:29:08 Default DROP UDP   :123    173.201.38.85:123  len=76 ttl=64 tos=0x00 srcmac=

NTP function previously worked well (ie,

This thread was automatically locked due to age.

Parents

0 BAlfson over 14 years ago

Rob, take a look at the Intrusion Prevention log; when things suddenly stop working, it's usually a new Snort rule.

If that doesn't give you the info you need, please show the same lines above from the full log; the live log is pretty worthless for analytical work.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 14 years ago

Rob, take a look at the Intrusion Prevention log; when things suddenly stop working, it's usually a new Snort rule.

If that doesn't give you the info you need, please show the same lines above from the full log; the live log is pretty worthless for analytical work.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 RobLP over 14 years ago in reply to BAlfson

BTW: Don't know if you've seen my post re my ACC false-blocking problem, which also may be related to a faulty-pattern:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/61/t/56858
Rob
Cancel
Vote Up 0 Vote Down

Cancel
0 RobLP over 14 years ago in reply to RobLP

BTW: Don't know if you've seen my post re my ACC false-blocking problem, which also may be related to a faulty-pattern:
http://www.astaro.org/other-astaro-products/astaro-command-center-acc/33918-acc-drops-port-4433-traffic-our-asgs.html.
Rob

From the noted ACC thread:
The dropped packages are due to a bug in setting up the packet filter rules for the devices.

The problem:
If there is a DNS host definition which is bound to the Uplink Interface no packet filter rule is generated.
Workaround:
Set the interface for the DNS hosts you use to Any.

Thorsten

The same workaround fixes the ASG (and ACC) time-server access problem, which started this thread.

Thanks again, Thorsten!
Rob
Cancel
Vote Up 0 Vote Down

Cancel