NTP is sometimes blocked

I have a UTM Hot-Standby Cluster on a performant ESXi Server.

I'm getting about 2-5 NTP requests per second because I'm part of the ntp.org community.
There's a NAT rule From Any -> NTP -> External Address --> Internal Address -> NTP, so the NTP packets are being logged in the firewall log.
The NTP service is allowed from Any (IPv4/IPv6); I also added a rule for Any -> NTP -> Any, but I think this should not be necessary for external requests.

But sometimes (1-5 times a minute) I see blocked NTP packets to my internal address?! Why? Is the NTP service of the UTM not fast enough?

BTW: 10.19.1.1 is my internal address.

Michael


    Hi Barry,

    Here are some raw log lines from the errors:

    2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123" 
    2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123" 

    2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123" 
    2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123" 

    2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123" 
    2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123" 

    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123"
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123" 


    And the lines that are OK:

    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.168.149" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="43690" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.136.28" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="55297" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.167.17" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="43469" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="84.yy.151.171" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.140.159" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="59173" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.160.132" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="53" srcport="53387" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="124.zz.36.158" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.28.38" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="20929" dstport="123



    EDIT: I noticed that all dropped packets were sent from a source port lower than 123. There are no blocked packets when port 123 or higher is used.

    Also there is no "accept" log line for good packets; I think this is because the NTP service of the UTM is used. Could it be that the NTP service itself does not accept NTP packets with a source port lower than 123?

    Michael
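One way to check the observation in the post above against the raw log lines, as an added example (Python; not code from the original post or from Sophos): it parses the ulogd key="value" format, pairs each pre-NAT "Packet logged" line (dstip = external address) with the post-NAT "Packet dropped" line of the same packet (dstip = internal address), and then tests the hypothesis "dropped if and only if source port < 123". The sample lines are copied from the post (source IPs masked as there); the field names come from the log lines themselves, while the pairing key (timestamp, source IP, source port, destination port) and the port threshold are assumptions of this example.

```python
import re

# Sophos UTM ulogd packetfilter line: timestamp, host, "ulogd[pid]:" and key="value" pairs.
HEAD_RE = re.compile(r'^(\S+)\s+(\S+)\s+ulogd\[\d+\]:\s*(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample input copied from the post above (source IPs masked as in the post).
# A "Packet logged" line shows the packet before DNAT (dstip = external address);
# the "Packet dropped" line with the same timestamp/src shows it after DNAT (dstip = internal).
SAMPLE_LOG = """\
2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123"
2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123"
2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123"
2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123"
2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123"
2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.168.149" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="43690" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="84.yy.151.171" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.140.159" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="59173" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="124.zz.36.158" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123"
"""


def parse_line(line):
    """Turn one ulogd line into a dict; return None for lines that are not ulogd output."""
    m = HEAD_RE.match(line.strip())
    if m is None:
        return None
    ts, host, rest = m.groups()
    rec = {"ts": ts, "host": host}
    rec.update(KV_RE.findall(rest))
    for field in ("srcport", "dstport", "proto", "length", "ttl"):
        if field in rec:
            rec[field] = int(rec[field])
    return rec


def correlate(lines):
    """Pair the pre-DNAT 'log' record with the post-DNAT 'drop' record of the same packet.

    Pairing key (an assumption that fits the sample): same timestamp, source IP,
    source port and destination port. Returns {key: flow summary}.
    """
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("sub") != "packetfilter":
            continue
        key = (rec["ts"], rec["srcip"], rec["srcport"], rec["dstport"])
        flow = flows.setdefault(key, {
            "srcip": rec["srcip"], "srcport": rec["srcport"],
            "logged": False, "dropped": False, "drop_rule": None, "dstips": set(),
        })
        if rec.get("action") == "log":
            flow["logged"] = True
        elif rec.get("action") == "drop":
            flow["dropped"] = True
            flow["drop_rule"] = rec.get("fwrule")
        flow["dstips"].add(rec["dstip"])  # both the external and the translated address end up here
    return flows


def dropped_flows(flows):
    """(srcip, srcport, drop rule) for every flow that hit a drop rule, sorted for stable output."""
    return sorted((f["srcip"], f["srcport"], f["drop_rule"]) for f in flows.values() if f["dropped"])


def check_low_port_hypothesis(flows, threshold=123):
    """Test 'a packet is dropped if and only if its source port is below threshold'.

    Returns (holds, counterexamples); each counterexample is (srcip, srcport, dropped).
    """
    counterexamples = [
        (f["srcip"], f["srcport"], f["dropped"])
        for f in flows.values()
        if (f["srcport"] < threshold) != f["dropped"]
    ]
    return (not counterexamples, counterexamples)


if __name__ == "__main__":
    flows = correlate(SAMPLE_LOG.splitlines())
    print(f"{len(flows)} flows, {len(dropped_flows(flows))} dropped")
    for srcip, srcport, rule in dropped_flows(flows):
        print(f"  dropped: {srcip}:{srcport} by rule {rule}")
    holds, bad = check_low_port_hypothesis(flows)
    print("hypothesis 'dropped <=> srcport < 123':", "holds" if holds else f"fails for {bad}")
```

Run it over a full packetfilter log export rather than the handful of lines quoted here: the counterexample list is what tells you whether the pattern is exact (every drop has a low source port and every low-port request is dropped) or only approximate, and the `dstips` set on each flow makes the NAT translation from the external address to 10.19.1.1 visible per packet. From a defender's point of view, NTP requests arriving from source ports below 123 are atypical for ordinary clients, so a drop of that class costs little even while the cause is still being traced.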