Closed tdittr closed 3 months ago
I also ran into this exact same error message under a very different configuration. In my configuration I have both a client and a server (ntp_client:10.0.0.1
, I have ntp_server:10.0.0.2,10.0.0.12
-- the ntp_server
has two assigned IP addresses). When I set my server up so that it's listening on 0.0.0.0:123
then clients will return the error:
ntp_proto::peer: Peer rejected due to invalid stratum. The stratum of a peer must be lower than the own stratum peer_stratum=16 own_stratum=16
The stratum of the server shows as 3 in the output of ntp-ctl
and the client shows 4. Finding this issue I became suspect that this behavior has nothing to do with the stratum and a tcpdump confirmed it. It basically does this:
10.0.0.1 -> 10.0.0.2 # ntp request to server
10.0.0.1 <- 10.0.0.12 # ntp response from server from wrong IP
10.0.0.1 -> 10.0.0.12 # the ntp client sends an ICMP packet to the other IP which gets no response
# this causes the error above to be written to logs
Binding the service to 10.0.0.2:123
prevented this behavior and solved the issue. I'm just posting this information here because I think there must be a few weird things in the code path that ultimately leads to this log line being written.
@ZedCode Interesting how the return message is going through the other IP address, I don't think we've really tested ntpd-rs with such a network topology. I take it your server is also an ntpd-rs instance in this example? I could try and replicate such a setup on my own device. I have one question: on the server, was there any specific routing set up for the two different IPs?
Hi @rnijveld , I took another look through the configuration this morning when I was trying to come up with an easy set of steps to reproduce. When doing that I found that I had mixed up the primary IP address and the secondary IP address. To be clear, I don't think there's an issue here except a logging bug, but if you want to see the incorrect logging message you should be able to do the following:
ntpd-rs
to listen on 0.0.0.0:123
.ntpd-rs
as a client on another host, ensure it connects to the secondary IP addressThe client should do what I observed above, including writing the log line I saw.
With the added caveat that that this was done by using the secondary, aliased IP address, it seems incredibly unlikely someone would accidentally find themself in this same situation. Thank you for taking a look at the issue, let me know if you try to replicate and aren't able to and I'll try to come up with a test case using something a bit more portable like vagrant
if you think it's worth tracking down!
What happened here was that time.windows.com responds with v3 messages (in response to our v4 messages), which we ignored, without showing any message in the log. I've updated our behavior in #1507: we now should accept v3 responses to our v4 messages (by hoping that the server did the right thing and did not misinterpret our v4 messages). Additionally we should now also add a warning to the log whenever an invalid packet version was returned to us.
The stratum messages are only because every source gets some default information as long as no measurements took place. Maybe we should try and reduce our spam here: as long as a source doesn't have any measurement, it maybe should have a special status that allows the algorithm to ignore it.
When a server responds with a NTPv3 response ntpd-rs logs the following:
Which is not helpful in detecting the problem. It is not mentioning that the server is misbehaving, nor which server it is about.
To reproduce this issue use
time.windows.com
as a source and you can observe the following in wireshark:Request:
Response:
Log:
Config: