# NTP Connection refused



## scryptkiddy (Sep 17, 2013)

Hey all, 

Here are the symptoms.

On the CLI when restarting ntpd:

```
# /etc/rc.d/ntpd restart
ntpd not running? (check /var/run/ntpd.pid).
Starting ntpd.
```

/var/log/messages contains:

```
Sep 17 01:28:21 MYSERVER ntpd[48666]: ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
Sep 17 01:28:21 MYSERVER kernel: pid 48667 (ntpd), uid 0: exited on signal 11
```

On the CLI when trying ntpq(1):

```
# ntpq -c as
ntpq: read: Connection refused
```

Here is /etc/rc.conf's ntp section:

```
ntpdate_hosts="127.0.0.1"
ntpdate_enable="YES"
ntpd_enable="YES"
```

I do not know why the previous admin set ntpdate_hosts to localhost.

Here is /etc/ntp.conf:

```
server 204.34.198.40 #navy tock
server 204.34.198.41 #navy tick
```

The server is running FreeBSD 64-bit, 8.3-RELEASE. I turned off the firewall, no change in behavior. What else can I look at to determine the issue with ntp?

SK


----------



## SirDice (Sep 17, 2013)

Try those servers with the ntpdate(8) command to see if they actually respond. Make sure the ntpd(8) daemon isn't running and `ntpdate 204.34.198.40`.


----------



## adri (Sep 17, 2013)

scryptkiddy said:

> /var/log/messages contains:
> 
> ```
> Sep 17 01:28:21 MYSERVER ntpd[48666]: ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
> ...
> ```


As you can see from the log, ntpd starts and then terminates with a segmentation fault. Since ntpd isn't running, all connections are refused, because no program is listening on port 123. Try to find out why ntpd terminates with signal 11.


----------



## scryptkiddy (Sep 17, 2013)

SirDice said:

> Try those servers with the ntpdate(8) command to see if they actually respond. Make sure the ntpd(8) daemon isn't running and `ntpdate 204.34.198.40`.



Well that part works, I tried the first IP: 


```
MYSERVER# ntpdate 192.5.41.42
17 Sep 18:42:23 ntpdate[58060]: adjust time server 192.5.41.42 offset 0.483958 sec
```

So if ntpdate(8) works but ntpd(8) will not start, what should I do? I guess I could put ntpdate(8) on a crontab :\

SK


----------



## wblock@ (Sep 17, 2013)

It's not necessary to run both, and they will conflict.  Use just ntpd(8):

/etc/rc.conf

```
ntpd_enable="YES"
ntpd_sync_on_start="YES"
```


----------



## scryptkiddy (Sep 17, 2013)

Just for clarity then. 

Now I have this for the ntp(8) section of /etc/rc.conf:


```
NTP_SERVER="127.0.0.1"
ntpdate_hosts="${NTP_SERVER}"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
#ntpdate_enable="YES"
```

I cannot get to the ntp(8) servers (getting status rejected for all peers, different issue), but ntp(8) is running now. I had put the ntpdate_enable option in there because I remember reading that it would allow you to sync ntp(8) on boot.

Please help me understand, thanks!


----------



## wblock@ (Sep 17, 2013)

None of that other stuff is needed, just the two lines shown in post #5.

Rejects could be due to firewall issues, or maybe the systems listed in /etc/ntp.conf are not valid or have restrictions.  It also takes a little time after startup (minutes) for ntpd(8) to become happy.


----------



## scryptkiddy (Sep 17, 2013)

I cannot find the previous admins' documentation on the ntp(8) setup, but is there a reason to set the NTP_SERVER to localhost?


----------



## wblock@ (Sep 17, 2013)

No.  Or rather, that's just setting a variable.  Is that variable used anywhere else in the file?


----------



## scryptkiddy (Sep 17, 2013)

Not in /etc/rc.conf. The only line that references the variable is the one below it for the ntpdate_hosts variable.


----------



## scryptkiddy (Sep 17, 2013)

wblock@ said:

> None of that other stuff is needed, just the two lines shown in post #5.
> 
> Rejects could be due to firewall issues, or maybe the systems listed in /etc/ntp.conf are not valid or have restrictions.  It also takes a little time after startup (minutes) for ntpd(8) to become happy.



Sorry amigo, I think I'm swimming backwards now. I put just the two lines in /etc/rc.conf, but couldn't get ntpd(8) to start. It returned errors listed in OP, signal 11. 

So I went back and edited /etc/rc.conf and put in what I had in post #6 since I did have ntpd(8) working then. Now it still returns signal 11.

What did I foul up?


----------



## scryptkiddy (Sep 17, 2013)

I was doing some troubleshooting to determine why ntpd(8) will not start and received some interesting results. Here are the /etc/rc.conf entries:

```
ntpd_enable="YES"
ntpd_sync_on_start="YES"
```
When I edit the /etc/rc.d/ntpd shell script and add the debugging flag "-d" to the rc_flags variable and start it I get:

```
MYSERVER# /etc/rc.d/ntpd start
Starting ntpd.
ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
17 Sep 20:53:39 ntpd[58377]: logging to file /var/log/ntpd.log
17 Sep 20:53:39 ntpd[58377]: proto: precision = 1.118 usec
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
Finished Parsing!!
17 Sep 20:53:39 ntpd[58377]: ntp_io: estimated max descriptors: 11095, initial socket boundary: 20
17 Sep 20:53:39 ntpd[58377]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
17 Sep 20:53:39 ntpd[58377]: Listen and drop on 1 v6wildcard :: UDP 123
17 Sep 20:53:39 ntpd[58377]: Listen normally on 2 bce0 150.137.11.160 UDP 123
restrict: op 1 addr <my.servers.ip.here> mask 255.255.255.255 mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 3 lo0 fe80::1 UDP 123
restrict: op 1 addr fe80::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 4 lo0 ::1 UDP 123
restrict: op 1 addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 5 lo0 127.0.0.1 UDP 123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: peers refreshed
17 Sep 20:53:39 ntpd[58377]: Listening on routing socket on fd #26 for interface updates
key_expire: at 0 associd 19712
peer_clear: at 0 next 1 associd 19712 refid INIT
event at 0 192.5.41.42 8011 81 mobilize assoc 19712
newpeer: <my.servers.ip.here>->192.5.41.42 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 19713
peer_clear: at 0 next 2 associd 19713 refid INIT
event at 0 204.34.198.40 8011 81 mobilize assoc 19713
...
```

Checking the process table:

```
MYSERVER# ps -auxwww | grep -i ntpd
root            80931  0.0  0.0  8344  2200   0  S+    7:51PM   0:00.00 /bin/sh /etc/rc.d/ntpd start
root            80936  0.0  0.0 15308  7208   0  S+    7:51PM   0:00.01 /usr/sbin/ntpd -g -c /etc/ntp.conf -d -p /var/run/ntpd.pid -f /var/db/ntpd.drift -l /var/log/ntpd.log
```

But when I remove the debugging flag and start ntpd(8) without the debug flag, back to signal 11.

Thoughts?


----------



## wblock@ (Sep 17, 2013)

That's the port version, net/ntp, rather than the one in base.  What version of FreeBSD is running?


----------



## junovitch@ (Sep 17, 2013)

There is absolutely no reason for ntpdate(8) to use 127.0.0.1.  If you look at /etc/rc.d/ntpd you'll find this:

```
# REQUIRE: DAEMON ntpdate cleanvar devfs
```

This tells you that ntpdate(8) will always run before the ntpd(8) daemon is started.  The idea being that time is already set close enough when ntpd(8) gets started to maintain it.  On boot ntpdate(8) will never be able to find anything listening on the loopback.

Anyways, back to the regular scheduled programming, how about giving net/openntpd a try?  Add your servers in /usr/local/etc/ntpd.conf, enable in /etc/rc.conf with this:

```
openntpd_enable="YES"
```

Then start with `# service openntpd start`
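As an added example that is not part of the thread: the rc.conf advice given so far (run only ntpd(8), use `ntpd_sync_on_start`, and don't point `ntpdate_hosts` at the loopback) expressed as a small lint. `check_ntp_rc` and `is_yes` are hypothetical helper names; the file is sourced in a subshell so indirection such as `${NTP_SERVER}` is resolved the way rc(8) resolves it.

```shell
#!/bin/sh
# Added example (not from the thread): lint the NTP part of an rc.conf file.
# check_ntp_rc and is_yes are hypothetical helper names.

# Same truthy values that rc.subr's checkyesno accepts.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    esac
    return 1
}

# Prints a space-separated list of findings (an empty line when clean).
check_ntp_rc() {
    (
        # Ignore anything inherited from the caller's environment.
        unset ntpd_enable ntpdate_enable ntpdate_hosts ntpd_sync_on_start
        # rc.conf is sh syntax; sourcing resolves ${NTP_SERVER}-style values.
        . "$1" || exit 2
        out=""
        if is_yes "$ntpd_enable" && is_yes "$ntpdate_enable"; then
            out="$out both-enabled"          # post #5: running both conflicts
        fi
        for h in $ntpdate_hosts; do
            case "$h" in
                127.*|localhost|::1) out="$out ntpdate-loopback:$h" ;;
            esac
        done
        if is_yes "$ntpd_enable" && ! is_yes "$ntpd_sync_on_start"; then
            out="$out no-sync-on-start"      # post #5 suggests setting it
        fi
        printf '%s\n' "${out# }"
    )
}

# Constructed sample: the rc.conf section from the first post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ntpdate_hosts="127.0.0.1"
ntpdate_enable="YES"
ntpd_enable="YES"
EOF
check_ntp_rc "$sample"
rm -f "$sample"
```

Sourcing executes the file as shell code, so point it only at the same root-owned rc.conf that rc(8) already sources.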


----------



## junovitch@ (Sep 17, 2013)

wblock@ said:

> That's the port version, net/ntp, rather than the one in base.  What version of FreeBSD is running?



Good eye.  He mentioned 8.3-RELEASE in his first post.  4.2.4p8 is the default in 9.1-RELEASE and I would guess it's the same.  Perhaps removing the add-on port and using the base system ntpd(8) would be a solution.


----------



## scryptkiddy (Sep 18, 2013)

Correct, I'm using the port. 


```
MYSERVER# pkg_info | grep ntp
ntp-4.2.6p5_2       The Network Time Protocol Distribution

MYSERVER# ntpd --version
ntpd 4.2.6p5
ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)

MYSERVER# which ntpd
/usr/sbin/ntpd
```

I'd rather not install another port when the ntpd(8) port works for other servers (for uniformity). 

Any other ideas?


----------



## wblock@ (Sep 18, 2013)

Install sysutils/bsdadminscripts and run `pkg_libchk`.


----------



## scryptkiddy (Sep 18, 2013)

Will do, I have to go to lunch, then a few meetings. I'll come back and do that and update you when done.


----------



## kpa (Sep 18, 2013)

Post your list of network interfaces, output of `ifconfig` is enough. The ntpd(8) daemon has an unfortunate feature that causes it to bind on every single available network interface and there's no way to control which interfaces it should attach to.


----------



## scryptkiddy (Sep 18, 2013)

wblock@ said:

> Install sysutils/bsdadminscripts and run `pkg_libchk`.



Okay, completed. Is there something in here that will help me troubleshoot the problem?


----------



## wblock@ (Sep 18, 2013)

Did it complain about any missing libraries?


----------



## scryptkiddy (Sep 18, 2013)

It did not. 

Here is the last of the output:


```
...
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcstatus
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcstop
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcrestart
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestart
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestatus
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestop
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconerestart
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portbuild
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portclean
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portfetch
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portpackage
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portconfig-recursive
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portfetch-recursive
===>   Registering installation for bsdadminscripts-6.1.1_4

===>>> Installation of sysutils/bsdadminscripts (bsdadminscripts-6.1.1_4) complete

===>>> Exiting
MYSERVER# rehash
```


----------



## wblock@ (Sep 18, 2013)

After installing it, you have to run `pkg_libchk`.


----------



## scryptkiddy (Sep 18, 2013)

Wow... I need caffeine. I missed that in your post, my apologies. 

It has completed, there is a list, nothing in there about ntp(8) however:


```
cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libssl.so.7
cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-capture misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-cat misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-dscan misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-expire misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-export misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-fanout misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-filter misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-gen misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-header misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-import misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-mask misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-merge misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-nfilter misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-print misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-receive misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/w3c misses libssl.so.7
flow-tools-0.68_7: /usr/local/bin/flow-report misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/w3c misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-send misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/webbot misses libssl.so.7
libwww-5.4.0_4: /usr/local/bin/webbot misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-split misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/www misses libssl.so.7
flow-tools-0.68_7: /usr/local/bin/flow-stat misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/www misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-tag misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-xlate misses libwrap.so.5
libwww-5.4.0_4: /usr/local/lib/libmd5.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libmd5.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libpics.so.0 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libpics.so.0 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwapp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwapp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcache.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcache.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcore.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcore.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwdir.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwdir.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwfile.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwfile.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwftp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwftp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwgopher.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwgopher.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhtml.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhtml.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhttp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhttp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwinit.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwinit.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmime.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmime.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmux.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmux.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwnews.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwnews.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwssl.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwssl.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwstream.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwstream.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtelnet.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtelnet.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtrans.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtrans.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/tripwire misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwutils.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwutils.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/twadmin misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwxml.so.1 misses libssl.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/twprint misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwxml.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/siggen misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwzip.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwzip.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libxmlparse.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libxmlparse.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libxmltok.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libxmltok.so.1 misses libcrypto.so.7
```


----------



## SirDice (Sep 18, 2013)

I'm wondering why it's looking for a few libraries. Did you build from ports or did you use packages? Both libcrypto and libssl are from OpenSSL. But I'm not sure where those versions come from. FreeBSD 9.x has version .6 for both. So it's either looking for the security/openssl port libraries or the packages were intended for 10-CURRENT. The libwrap version might be ok for 8.3, 9-STABLE has it as version 6.
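An added example, not part of the thread, for reading long `pkg_libchk` output like the listing above: it groups the `misses` lines by missing library and package, and checks whether a given package appears at all. `sample_libchk`, `summarize_libchk` and `pkg_affected` are hypothetical names, and the sample is six lines copied from that listing.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# Constructed sample: six lines taken from the pkg_libchk listing above.
sample_libchk() {
    cat <<'EOF'
cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libssl.so.7
cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-capture misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-cat misses libwrap.so.5
tripwire-2.4.2.2_2: /usr/local/sbin/tripwire misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/bin/w3c misses libssl.so.7
EOF
}

# stdin: pkg_libchk output. stdout: "<missing lib> <package> <file count>".
summarize_libchk() {
    awk '$3 == "misses" {
             pkg = $1
             sub(/:$/, "", pkg)            # drop the trailing colon
             hits[$4 " " pkg]++
         }
         END { for (k in hits) print k, hits[k] }' | LC_ALL=C sort
}

# Exit 0 if any listed package name starts with "$1-" (for example "ntp").
pkg_affected() {
    awk -v want="$1-" '$3 == "misses" && index($1, want) == 1 { found = 1 }
                       END { exit !found }'
}

sample_libchk | summarize_libchk
if sample_libchk | pkg_affected ntp; then
    echo "ntp is listed with missing libraries"
else
    echo "ntp is not listed by pkg_libchk"
fi
```

On a real system, pipe `pkg_libchk` itself into `summarize_libchk` instead of the sample.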


----------



## wblock@ (Sep 18, 2013)

If it were me, I'd determine a few things which would determine how to proceed.  If using net/ntp is necessary, rebuild and reinstall it.  If it does not have to be the port, deinstall it and use the base version.

The missing libraries problems shown above can be caused by several things.  Using binary packages could do it, or not following /usr/ports/UPDATING.


----------



## scryptkiddy (Sep 18, 2013)

We used precompiled packages from another box, which is probably the cause. I'll rebuild it from ports and update this thread on the results.


----------



## scryptkiddy (Sep 18, 2013)

I'm back to Post #12 again, odd. I thought reinstalling the port would have fixed whatever the issue was as well. 

For the port install, I did the following:

```
# portsnap fetch extract
# portinstall ntp
```

Only answered yes to net/ntp. 

Did I miss something?


----------



## scryptkiddy (Sep 18, 2013)

I found an interesting thread on the FreeBSD pipermail listings here.

He has the exact same issue, where ntpd(8) exits on signal 11, and only works if the -d option is specified. He indicated that he recompiled Perl to fix the problem. 

Should I attempt that, or is this different?


----------



## junovitch@ (Sep 19, 2013)

It looks like Perl is a build requirement for net/ntp rather than a run dependency.  Did those commands you ran actually reinstall NTP? How about `portupgrade -f net/ntp`? Maybe you have an issue with corrupt files.


----------



## kpa (Sep 19, 2013)

Consider using net/openntpd instead if you're going to install a port anyway. It has much better configuration possibilities than ntpd(8).


----------

