000030528 - Unable to check NTP status using ntpq -p command on RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Dec 18, 2019.
Version 5

Article Content

Article Number: 000030528

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

The following timeout error appears when trying to check NTP peer status from an SSH session or console connection, even though NTP is synchronizing correctly:

am81p:/home/rsaadmin # ntpq -p
localhost: timed out, nothing received
***Request timed out
Cause

The default NTP configuration on RSA Authentication Manager 8.x ignores any NTP queries from IPv6 addresses. Because IPv6 is not completely disabled on Authentication Manager, administrative queries coming from the IPv6 localhost are not allowed unless the ntp.conf file is edited to allow NTP queries from the IPv6 localhost.

The example below is part of the default /etc/ntp.conf file on an Authentication Manager 8.1 server. The restrict <IP> lines control which IP addresses are allowed to query NTP information. There is a restrict line for the IPv4 localhost address (127.0.0.1), but not for the IPv6 localhost (::1).

am81p:/home/rsaadmin # cat /etc/ntp.conf
################################################################################
## /etc/ntp.conf
##
## Sample NTP configuration file.
## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
## Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany.
##
## Author: Michael Andres,  <ma@suse.de>
##         Michael Skibbe,  <mskibbe@suse.de>
##
################################################################################

##
## Radio and modem clocks by convention have addresses in the
## form 127.127.t.u, where t is the clock type and u is a unit
## number in the range 0-3.
##
## Most of these clocks require support in the form of a
## serial port or special bus peripheral. The particular
## device is normally specified by adding a soft link
## /dev/device-u to the particular hardware device involved,
## where u correspond to the unit number above.
##
## Generic DCF77 clock on serial port (Conrad DCF77)
## Address:     127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default ignore
restrict 127.0.0.1
Resolution

To resolve this issue, edit the ntp.conf file and add a line to allow NTP queries from the IPv6 localhost.
  1. Follow the instructions in 000038244 - How to SSH to an RSA Authentication Manager server.
  2. Launch an SSH client, such as PuTTY.
  3. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

login as: rsaadmin
Enter password:  <enter operating system password>
Last login: Fri Jun 12 14:54:20 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> sudo su -
rsaadmin's password: <enter operating system password>
am81p:/home/rsaadmin #


  4. Edit /etc/ntp.conf:


am81p:/home/rsaadmin # vi /etc/ntp.conf


  5. Type i to enter Insert mode.
  6. At the bottom of the file, add restrict -6 ::1 to the existing file:


# server 127.127.8.0 mode 5 prefer
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1


  7. Type :wq! to save and exit.
  8. Restart the NTP service:


am81p:/home/rsaadmin # service ntp restart
Shutting down network time protocol daemon (NTPD)                        done
Starting network time protocol daemon (NTPD)                             done
am81p:/home/rsaadmin #


  9. Note that RSA Authentication Manager 8.4 requires a different command to restart the NTP service, as shown:


rsaadmin@am84p:~> sudo systemctl restart ntpd.service


  10. You may query the ntpd status as shown below:


rsaadmin@am84p:~> systemctl status ntpd.service
● ntpd.service - NTP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
  Drop-In: /run/systemd/generator/ntpd.service.d
           └─50-insserv.conf-$time.conf
   Active: active (running) since Wed 2019-04-17 16:01:57 AEST; 5s ago
     Docs: man:ntpd(1)
  Process: 7765 ExecStart=/usr/sbin/start-ntpd start (code=exited, status=0/SUCCESS)
 Main PID: 7792 (ntpd)
    Tasks: 2 (limit: 16384)
   CGroup: /system.slice/ntpd.service
           ├─7792 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf
           └─7793 ntpd: asynchronous dns resolve
rsaadmin@am84p:~>


  11. Run ntpq -p again:


am81p:/home/rsaadmin # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
jumphost.vcloud 10.254.140.21    3 u    5   64   77    0.496  1889.43   6.039
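
The manual edit in the steps above can also be made idempotent. The following shell sketch is an added example, not part of the RSA article or RSA tooling; its function names are hypothetical, and it runs only against a constructed temporary copy of the restrict lines quoted in this article. It appends restrict -6 ::1 only when the IPv6 default rule blocks queries and no ::1 rule is already active.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not RSA tooling).

# Succeeds if an active (uncommented) "restrict ... ::1" line exists.
has_v6_localhost_restrict() {
    awk '{ sub(/#.*/, "") }
         $1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "::1") ok = 1 }
         END { exit(ok ? 0 : 1) }' "$1"
}

# Succeeds if "restrict -6 default" carries ignore or noquery.
# Assumption: only the explicit -6 default rule is examined, as in the article.
v6_default_blocks_queries() {
    awk '{ sub(/#.*/, "") }
         $1 == "restrict" && $2 == "-6" && $3 == "default" {
             for (i = 4; i <= NF; i++) if ($i == "ignore" || $i == "noquery") hit = 1 }
         END { exit(hit ? 0 : 1) }' "$1"
}

# Prints added | present | not-needed. Keeps a .bak copy before any change.
ensure_v6_localhost_restrict() {
    conf=$1
    if has_v6_localhost_restrict "$conf"; then echo present; return 0; fi
    if ! v6_default_blocks_queries "$conf"; then echo not-needed; return 0; fi
    cp -p "$conf" "$conf.bak" || return 1
    # Terminate an unterminated last line so the new rule starts on its own line.
    if [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    printf 'restrict -6 ::1\n' >> "$conf"
    echo added
}

# Constructed sample: the active lines of the default file quoted in the article.
make_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' 'tinker panic 0' \
        'restrict default kod nomodify notrap nopeer noquery' \
        'restrict -6 default ignore' 'restrict 127.0.0.1' > "$f"
    echo "$f"
}

sample=$(make_sample_conf)
ensure_v6_localhost_restrict "$sample"   # first run appends the rule
ensure_v6_localhost_restrict "$sample"   # second run changes nothing
rm -f "$sample" "$sample.bak"
```

After a real change, restart the NTP service as in the steps above and confirm with ntpq -p.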
Notes
  • This change will not affect NTP synchronization, and it will neither fix nor break any NTP configuration you have.
  • This change only allows the Linux commands used to check NTP status to be run from the localhost.
