000030528 - Unable to check NTP status using ntpq -p command on Authentication Manager 8

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3

Article Content

Article Number: 000030528
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
The timeout error below appears when checking NTP peer status from an SSH session or console connection, even though NTP is synchronizing correctly:
am81p:/home/rsaadmin # ntpq -p
localhost: timed out, nothing received
***Request timed out
Cause
The default NTP configuration on Authentication Manager 8 ignores any NTP queries from IPv6 addresses. Because Authentication Manager does not ship with IPv6 fully disabled, administrative functions coming from the IPv6 localhost are not allowed unless the ntp.conf file is edited to allow NTP queries from the IPv6 localhost.
Below is part of the default /etc/ntp.conf file on an AM 8.1 server. The restrict <IP> lines control which IPs are allowed to query NTP information. There is a restrict line for the IPv4 localhost address (127.0.0.1), but not for the IPv6 localhost (::1).

 
am81p:/home/rsaadmin # cat /etc/ntp.conf
################################################################################
## /etc/ntp.conf
##
## Sample NTP configuration file.
## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
## Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany.
##
## Author: Michael Andres,  <ma@suse.de>
##         Michael Skibbe,  <mskibbe@suse.de>
##
################################################################################
##
## Radio and modem clocks by convention have addresses in the
## form 127.127.t.u, where t is the clock type and u is a unit
## number in the range 0-3.
##
## Most of these clocks require support in the form of a
## serial port or special bus peripheral. The particular
## device is normally specified by adding a soft link
## /dev/device-u to the particular hardware device involved,
## where u correspond to the unit number above.
##
## Generic DCF77 clock on serial port (Conrad DCF77)
## Address:     127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default ignore
restrict 127.0.0.1
Resolution
Edit the ntp.conf file and add a line to allow NTP queries from the IPv6 localhost.
 
1. Log in as rsaadmin and switch to root
  
Using username "rsaadmin".
Last login: Fri Jun 12 14:54:20 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> sudo su -
rsaadmin's password:
am81p:/home/rsaadmin #

  
2. Edit the /etc/ntp.conf file
  
am81p:/home/rsaadmin # vi /etc/ntp.conf

  
3. Add the line restrict -6 ::1 to the existing file
   Type 'i' to enter INSERT mode
  
###########################################################################
## /etc/ntp.conf
##
## Sample NTP configuration file.
## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
## Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany.
##
## Author: Michael Andres,  <ma@suse.de>
##         Michael Skibbe,  <mskibbe@suse.de>
##
###########################################################################
##
## Radio and modem clocks by convention have addresses in the
## form 127.127.t.u, where t is the clock type and u is a unit
## number in the range 0-3.
##
## Most of these clocks require support in the form of a
## serial port or special bus peripheral. The particular
## device is normally specified by adding a soft link
## /dev/device-u to the particular hardware device involved,
## where u correspond to the unit number above.
##
## Generic DCF77 clock on serial port (Conrad DCF77)
## Address:     127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1

  
4. Save and Exit
   Type 'q' to exit INSERT mode
   Type ':wq' then hit ENTER to save and exit the file. It should look like the screenshot below:

   User-added image
5. Restart the ntp service
  
am81p:/home/rsaadmin # service ntp restart
Shutting down network time protocol daemon (NTPD)                        done
Starting network time protocol daemon (NTPD)                             done
am81p:/home/rsaadmin #

  
6. Try using ntpq -p again
  
am81p:/home/rsaadmin # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
jumphost.vcloud 10.254.140.21    3 u    5   64   77    0.496  1889.43   6.039

  
Notes
  • This will not affect NTP synchronization, and it will neither fix nor break any NTP configuration you have.
  • This only allows the Linux commands that check NTP status to be used from the localhost.
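
The end state of the procedure above can be checked mechanically. The script below is an added example, not RSA's code: it parses restrict lines in the syntax shown in the ntp.conf listings and confirms that both defaults still block queries while 127.0.0.1 and ::1 are permitted. The function names are hypothetical, and it assumes one address per restrict line, flags after the address, and that a default entry without -6 is the IPv4 default, as in the page's file.

```shell
# Added example; function names are hypothetical, not part of the product.

# Print the flags of the "restrict" entry for ADDRESS in FAMILY (-4 or -6).
# Exit status 1 when the file has no such entry.
restrict_flags() {  # usage: restrict_flags FILE FAMILY ADDRESS
    awk -v fam="$2" -v addr="$3" '
        $1 != "restrict" { next }
        {
            i = 2; f = "-4"           # assumption: no family flag means IPv4
            if ($i == "-4" || $i == "-6") { f = $i; i++ }
            else if (index($i, ":") > 0) f = "-6"
            if (f == fam && $i == addr) {
                flags = ""; found = 1
                for (j = i + 1; j <= NF; j++) flags = flags " " $j
            }
        }
        END { if (!found) exit 1; print flags }
    ' "$1"
}

# Return 0 only if both defaults block queries and both loopbacks may query.
audit_ntp_conf() {
    conf=$1; rc=0
    for fam in -4 -6; do
        flags=$(restrict_flags "$conf" "$fam" default) || flags="(missing)"
        case " $flags " in
            *" noquery "*|*" ignore "*) ;;
            *) echo "FAIL: $fam default does not block queries: $flags"; rc=1 ;;
        esac
    done
    for pair in "-4 127.0.0.1" "-6 ::1"; do
        set -- $pair
        if flags=$(restrict_flags "$conf" "$1" "$2"); then
            case " $flags " in
                *" noquery "*|*" ignore "*) echo "FAIL: $2 entry blocks queries"; rc=1 ;;
            esac
        else
            echo "FAIL: no restrict entry for $2, default applies"; rc=1
        fi
    done
    return $rc
}

# Append the article's line only when no ::1 entry exists (idempotent).
allow_v6_loopback() {
    restrict_flags "$1" -6 ::1 >/dev/null || printf 'restrict -6 ::1\n' >> "$1"
}
```

Source the functions and run `audit_ntp_conf` against a copy of /etc/ntp.conf before and after the edit. A FAIL line for a default entry means the file was loosened beyond the loopback exception this article adds.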
