|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
|Issue||RSA Authentication Manager 8.1 Patch 2 included a fix to prevent startup problems when there was an issue with NTP. As part of this patch, additional alerts were added to the system to report when an NTP error occurs:|
Attention! The following critical system event occurred: Not able to sync time. Either the NTP service is not running or unable to sync time from the NTP server.
System Time Synchronization Configuration Check,"Checking configuration for System Time Synchronization
Warning,All NTP Servers are unavailble - potential for significant system time drift,SYSTEM,,,,,ALL_NTP_SERVERS_UNVAILABLE
Not able to sync time. Either the NTP service is not running or unable to sync time from the NTP server.,,,,,,,,
Both the Authentication Manager 8.1 application and the SuSE Linux Operating System will attempt to do an NTP Synchronization several times an hour. The SecurID Appliance sends both NTP Version 3 and NTP Version 4 requests.
|Tasks||If this is not sufficient to indicate the issue, there are various files that can be used to check for NTP events and these include:|
The things to check:
The SecurID Appliance 8.x includes the tcpdump utility in the /usr/sbin directory, and you need to be root to use it. Typically it is run over an SSH session, but you can also use the local console.
If SSH is not enabled, log on to the Operations Console, go to Administration > Operating System Access, put a check in Enable SSH, and click Save.
Log in as rsaadmin with the Operating System password.
sudo su (it will ask for a password again; supply the operating system password again)
When you are ready to run the packet capture, use tcpdump as in the examples below (note that the -Z is capitalized).
To capture all traffic to an NTP server at 192.168.1.10, and save it to a file in /tmp named cap1.cap:
/usr/sbin/tcpdump -i eth0 -s 1514 -Z root -w /tmp/cap1.cap host 192.168.1.10
To capture all traffic on the NTP port 123 and save it to a file:
/usr/sbin/tcpdump -i eth0 -s 1514 -Z root -w /tmp/cap1.cap port 123
Once the error happens, stop the capture with Ctrl-C. Copy other related files to assist in troubleshooting NTP:
cp /var/log/messages /tmp
cp /var/log/ntp /tmp
Open the files' permissions to allow access with the command chmod 777 /tmp/*, then retrieve the capture and logs using any convenient method, such as WinSCP.
|Notes||Examples of NTP-related events|
System Log Report
2014-08-26 20:36:43,WARN,16350,Critical System Event Notification,System encountered a critical event.,Warning,Unknown Warning,SYSTEM,,,,,ATTEMPT_WARN,hostname.company.com,,10.20.30.40,cation.impl.CriticalNotificationAdministrationImpl,Not able to sync time. Either the NTP service is not running or unable to sync time from the NTP server.,,,,,,,,
Also, look for other issues around the time frame of the NTP failure.
Aug 26 20:36:28 rsa2 sudo: rsaadmin : TTY=unknown ; PWD=/opt/rsa/am/server ; USER=root ; COMMAND=/opt/rsa/am/utils/bin/appliance/queryTimeSettings.sh
/var/log/ntp (timestamps are in UTC)
27 Aug 06:37:14 ntpd: no servers reachable
27 Aug 07:45:28 ntpd: synchronized to 192.168.1.10, stratum 3
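
An added example, not from RSA or the original article: this Python pairs each "no servers reachable" line in a copied /var/log/ntp with the next "synchronized to" line and reports how long the appliance ran without time sync. The sample log is constructed in the format shown above; the function names and the year argument are assumptions (the log lines carry no year, and the log is assumed not to span a year boundary).

```python
import re
from datetime import datetime

# Constructed sample in the /var/log/ntp format shown above (UTC, no year field).
SAMPLE_NTP_LOG = """\
27 Aug 06:37:14 ntpd: no servers reachable
27 Aug 07:45:28 ntpd: synchronized to 192.168.1.10, stratum 3
27 Aug 23:58:02 ntpd: no servers reachable
28 Aug 00:03:40 ntpd: synchronized to 192.168.1.10, stratum 3
28 Aug 09:12:05 ntpd: no servers reachable
"""

LINE_RE = re.compile(r"^\s*(\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) ntpd(?:\[\d+\])?: (.*)$")


def ntp_outages(log_text, year):
    """Return (start, end, server) per loss-of-sync window; end/server are None if still lost."""
    outages, lost_at = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unrelated lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %d %b %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("no servers reachable"):
            if lost_at is None:  # keep the first loss, ignore repeated messages
                lost_at = ts
        elif msg.startswith("synchronized to ") and lost_at is not None:
            server = msg[len("synchronized to "):].split(",")[0].strip()
            outages.append((lost_at, ts, server))
            lost_at = None
    if lost_at is not None:  # log ended while sync was still lost
        outages.append((lost_at, None, None))
    return outages


def report(log_text, year):
    lines = []
    for start, end, server in ntp_outages(log_text, year):
        if end is None:
            lines.append(f"{start:%Y-%m-%d %H:%M:%S} UTC  sync lost, not restored by end of log")
        else:
            lines.append(f"{start:%Y-%m-%d %H:%M:%S} UTC  no sync for {end - start}, restored via {server}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NTP_LOG, 2014)))
```

Because /var/log/ntp is in UTC, convert the reported start times to the appliance's local time before lining them up with the System Log Report entries.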