Airgapped Network - source discarded high stratum, failed sanity

Hello there!

NTP Newbie here, and hoping someone might be able to provide some guidance please. I’ve lost hours and hours trying to get an NTP configuration working.

I have a network which needs to be completely isolated from the outside world, it’s running some very old kit and consists of: Windows 2003 Server, Windows XP, Windows 10, RedHat 5 and Debian 8 workstations (no current options for upgrades).

I have (at least attempted to) configure the PDC (2003) as the NTP Time Source for the network, and point each client to sync time from this. This seems to be working well for the more modern PCs (Windows 10 & Debian 8)… It’s also working well for the Windows XP machines (although this is using the Meinberg NTP client, as this is a higher priority daemon than the Windows Time Service). I’m having slightly more problems with the RedHat machines.
When I run ntpq -p, the time server is listed although it has no prefix. Reading online, it appears “blank” would equate to “source discarded high stratum, failed sanity”.

I should also point out that this isolated network is powered off (and hard drives removed) for extended periods between use.

Two points to raise here:

1 - The PDC has nothing to sync upstream to, so points at itself (I’m guessing this makes it a less reliable time source). So I guess I may be able to do something server side, such that it’s unicasting with more confidence.

2 - Ideally, as the rest of the boxes are working, it would be good to find a force / override function to force the server to be considered trustworthy.

Final thought is, should I just give up with the ntp daemon and add something to the crontab to sync time every 5/10 mins?

Any advice is greatly appreciated.

Many Thanks

Ainsley
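As an added illustration of the ntpq -p reading in the question (not part of the original post), the following shell snippet classifies each peer line by its tally character and stratum. The sample output is constructed, with made-up 192.0.2.x addresses, to mirror a server that advertises stratum 16 because it has no upstream source; on a real host pipe `ntpq -pn` into ntpq_diagnose instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify each peer in `ntpq -p` output.
# SAMPLE is constructed. First peer: a server with no upstream, advertising
# stratum 16, so ntpd leaves its tally column blank (discarded).
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.5        .LOCL.          16 u   20   64  377    0.298   -3.120   0.410
*192.0.2.10       .GPS.            1 u   33   64  377    0.187    0.012   0.009
+192.0.2.11       192.0.2.10       2 u   40   64  377    0.201   -0.004   0.011'

# Reads ntpq -p output on stdin and prints one verdict line per peer.
ntpq_diagnose() {
  awk '
    BEGIN {
      # tally code = first character of every peer line
      m["*"] = "system peer";   m["+"] = "candidate";   m["#"] = "backup";
      m["-"] = "outlier";       m["x"] = "falseticker"; m["."] = "excess";
      m["o"] = "pps peer";      m[" "] = "discarded";
    }
    NR <= 2 { next }                          # header line and ===== rule
    {
      tally = substr($0, 1, 1)
      rest  = substr($0, 2); sub(/^[ \t]+/, "", rest)
      split(rest, f, /[ \t]+/)
      remote = f[1]; refid = f[2]; st = f[3] + 0; reach = f[7]
      verdict = "ok"
      if (tally == " ") {
        verdict = "DISCARDED(high stratum/failed sanity/unreachable)"
        if (st >= 16) verdict = verdict " source itself is unsynchronised"
      } else if (tally == "x") verdict = "FALSETICKER"
      else if (tally == "-")   verdict = "OUTLIER"
      printf "%s remote=%s refid=%s stratum=%d reach=%s tally=%s\n",
             verdict, remote, refid, st, reach, (tally in m) ? m[tally] : "unknown"
    }'
}

# True when at least one peer carries the "*" tally, i.e. ntpd has chosen a sync source.
has_system_peer() {
  grep -q '^\*'
}

printf '%s\n' "$SAMPLE" | ntpq_diagnose
if printf '%s\n' "$SAMPLE" | has_system_peer; then
  echo "clock is disciplined by a system peer"
else
  echo "no system peer: local clock is free-running"
fi
```

The blank-tally case is the one worth alerting on: a host whose only source is discarded keeps running on its own clock, and timestamps in its logs drift away from the rest of the network.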

If the PDC has nothing upstream to sync to, then all clocks in the network could technically be equally correct…

I believe (though I could be wrong), either the PDC is like you said running at a stratum 16 being unsynced… Or it’s running a SNTP service (not true NTP)…

Have you tried running ‘ntpdate’ or ‘sntp’ on the linux machine to sync the time against the PDC and see if it updates?

Syncing every 5 or 10 minutes would be excessive (though on a local network I guess the traffic wouldn’t matter)… Once an hour or even once every 4 hours would be more than sufficient.

If you ever want ‘better’ time, you could always set up NTP on all the machines, fudge the stratum number for the local clock, then have them peer with each other…

Alternatively, if one of the machines could ever access the outside network, you could install Chrony on the linux box. It is able to calculate drift and account for / correct when the computer is turned off and does more than ntpd for ‘unreliable connections’…

Have you considered getting a GPS unit to hook up to one of these machines to give you better time, while still keeping it airgapped?


Thanks Little Jason,

I’m also airgapped from the network (by 100 miles), I’ll be revisiting the network next week, so hope to resolve the matter then. I have managed to run an ntpdate and force an update which worked fine.

The network load is very minimal so frequency of syncing via Crontab shouldn’t be an issue. It just seems a bit of a fudge to use that rather than configuring the ntp daemon to sync properly itself.

I’m actually looking at removing a GPS Antenna which is currently syncing time. The unit uses IRIG rather than NTP, it’s all over-complicated, and failing. There’s also an issue where the antenna has no view of the sky so needs a manual procedure to walk the antenna out for signal. In all honesty I feel setting the time on the PDC and distributing this throughout the network should suffice.

Interested in the comment; “If you ever want ‘better’ time, you could always setup NTP on all the machines, fudge the stratum number for the local clock, then have them peer with each other…”. How do you fudge the stratum number?

You set your local clock to a lower stratum, but still high enough that regular time sources would be preferred. Example:

ntp.conf

# Undisciplined local clock (the type 1 local clock driver)
server 127.127.1.0
# Advertise it at stratum 10: low enough to be usable, high enough that any real source wins
fudge 127.127.1.0 stratum 10

Some more reading:
http://doc.ntp.org/current-stable/drivers/driver1.html
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
http://support.ntp.org/bin/view/Support/OrphanMode
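As an added example (not from the thread or the linked pages), here is what the fudge above looks like inside a complete ntpd configuration for an isolated LAN, plus a small lint that catches the usual mistakes: a local clock with no fudged stratum in 1..15, no restrict default line, or no source at all. It assumes the time server runs ntpd (for instance the Meinberg port mentioned earlier), and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: render ntp.conf for one time server and
# its clients on an isolated network, then lint the result. Addresses are
# constructed placeholders.
PDC_IP=192.0.2.5          # assumed address of the time server
LAN=192.0.2.0             # assumed LAN
LAN_MASK=255.255.255.0

# Server role: the local clock is the only source, fudged to stratum 10.
render_server_conf() {
  cat <<EOF
driftfile /var/lib/ntp/drift
# Default: refuse runtime changes and mode 6/7 queries from anywhere else
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# LAN hosts may sync and query (so ntpq -p works), but not reconfigure
restrict $LAN mask $LAN_MASK nomodify notrap nopeer
# Undisciplined local clock, advertised at stratum 10
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Alternative to the local clock driver (see the OrphanMode link): tos orphan 10
EOF
}

# Client role: follow the server; iburst shortens the first sync after the
# long power-off periods described in the thread.
render_client_conf() {
  cat <<EOF
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server $PDC_IP iburst
EOF
}

# Lint a config read from stdin. Prints each problem; returns 1 if any found.
check_ntp_conf() {
  conf=$(cat)
  rc=0
  # 1. a local clock must be fudged to a stratum between 1 and 15
  if printf '%s\n' "$conf" | grep -q '^server 127\.127\.1\.0'; then
    st=$(printf '%s\n' "$conf" | awk '/^fudge 127\.127\.1\.0/ {
           for (i = 1; i <= NF; i++) if ($i == "stratum") print $(i + 1) }')
    bad=0
    case "$st" in
      ''|*[!0-9]*) bad=1 ;;
      *) [ "$st" -ge 1 ] && [ "$st" -le 15 ] || bad=1 ;;
    esac
    [ "$bad" -eq 0 ] || { echo "local clock not fudged to a stratum in 1..15 (got '${st:-none}')"; rc=1; }
  fi
  # 2. a restrict default line must exist, or any host can query and modify
  printf '%s\n' "$conf" | grep -q '^restrict default' || { echo "no 'restrict default' line"; rc=1; }
  # 3. at least one time source
  printf '%s\n' "$conf" | grep -Eq '^(server|peer|pool) ' || { echo "no server/peer/pool line"; rc=1; }
  return $rc
}

render_server_conf | check_ntp_conf && echo "server conf ok"
render_client_conf | check_ntp_conf && echo "client conf ok"
```

The stratum bound in the lint is the point of the whole thread: a local clock left at the default stratum 16 is exactly what makes clients print a blank tally and discard the server.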