Introduction

When ntpd cannot communicate with its configured NTP servers, the system clock begins to drift. The daemon reports stratum 16 (unsynchronized) and ntpq -p shows all peers as unreachable. This causes cascading failures: TLS certificate validation errors, log timestamp inconsistencies, Kerberos authentication failures, and distributed system coordination problems.

Symptoms

  • ntpq -p shows reach column as 0 for all peers
  • ntpd reports stratum 16 in ntpstat output
  • chronyc tracking shows Leap status: Not synchronised
  • System clock drifts from actual time by seconds or minutes
  • Applications report certificate validation errors due to time mismatch

Common Causes

  • Firewall blocking UDP port 123 outbound
  • Configured NTP servers are unreachable or decommissioned
  • DNS resolution failing for NTP server hostnames
  • ntpd process stuck or not running
  • Network routing issue preventing access to external NTP servers
  • SELinux blocking ntpd network access

Step-by-Step Fix

  1. Check current NTP status:

```bash
ntpq -p
ntpstat
timedatectl status
```

  2. Verify ntpd is running:

```bash
systemctl status ntpd
# Or for systemd-timesyncd:
systemctl status systemd-timesyncd
```

  3. Test network connectivity to NTP servers:

```bash
# Test UDP 123 reachability (UDP is connectionless, so confirm with the query below)
nc -zuv pool.ntp.org 123
# Manual NTP query
ntpdate -q pool.ntp.org
```

  4. Check firewall rules:

```bash
sudo iptables -L OUTPUT -n | grep 123
sudo firewall-cmd --list-all
# Allow NTP outbound
sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload
```

  5. Update NTP server configuration:

```bash
sudo nano /etc/ntp.conf
# In the editor, replace the server lines with reliable servers:
#   server 0.pool.ntp.org iburst
#   server 1.pool.ntp.org iburst
#   server 2.pool.ntp.org iburst
#   server 3.pool.ntp.org iburst
# Then restart the daemon so it picks up the new configuration
sudo systemctl restart ntpd
```

  6. Force immediate synchronization:

```bash
# ntpd must be stopped first so ntpdate can use the NTP port
sudo systemctl stop ntpd
sudo ntpdate -b pool.ntp.org
sudo systemctl start ntpd
# Or with chrony:
sudo chronyc makestep
```

Prevention

  • Switch to chrony, which handles network interruptions better than ntpd: sudo apt install chrony
  • Configure at least 3-4 NTP sources from different pools
  • Use local NTP relay servers in corporate environments to reduce external dependencies
  • Monitor clock offset with chronyc tracking and alert when offset exceeds 100ms
  • Enable iburst option for faster initial synchronization
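
One way to implement the offset alert from the list above, as an added example that is not part of the original page: the function name check_tracking and the three sample outputs are constructed for illustration, and the field layout assumed is the "System time" and "Leap status" lines that chronyc tracking prints.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): classify `chronyc tracking` output.
# check_tracking reads the tracking text on stdin; $1 = offset limit in ms (default 100).
check_tracking() {
    awk -v limit_ms="${1:-100}" -F' *: *' '
        $1 == "System time" { split($2, f, " "); offset_ms = f[1] * 1000; seen = 1 }
        $1 == "Leap status" { leap = $2 }
        END {
            # Unsynchronised wins: the offset field is meaningless without a source.
            if (leap == "Not synchronised") { print "ALERT unsynchronised"; exit }
            # Empty or unparsable input, e.g. chronyd not running.
            if (!seen) { print "ALERT no-offset-field"; exit }
            if (offset_ms > limit_ms) { printf "ALERT offset %.1fms\n", offset_ms; exit }
            print "OK"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='Reference ID    : CB00710F (ntp1.example.net)
Stratum         : 3
System time     : 0.000006523 seconds slow of NTP time
Last offset     : -0.000006747 seconds
Leap status     : Normal'

SAMPLE_DRIFT='Reference ID    : CB00710F (ntp1.example.net)
Stratum         : 3
System time     : 0.250000000 seconds fast of NTP time
Last offset     : +0.200000000 seconds
Leap status     : Normal'

SAMPLE_UNSYNC='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

for s in "$SAMPLE_OK" "$SAMPLE_DRIFT" "$SAMPLE_UNSYNC"; do
    printf '%s\n' "$s" | check_tracking 100
done
# On a live host: chronyc tracking | check_tracking 100
```

The unsynchronised case is checked before the offset because a host with no source can report a zero offset while its clock is drifting.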