Citrix Hypervisor unable to sync to NTP/Chrony server

Make sure that every host in the pool is configured with the same, correct DNS servers.

1. Add all of the XenServer public NTP servers to the host. Refer to the following article for the procedure:

https://support.citrix.com/article/CTX121278

Note: Make sure that every XenServer host in the pool has the identical set (and number) of NTP source servers.

2. Adding the servers automatically restarts the ntpd/chronyd service, but sometimes the time still does not sync to NTP, and the ntpd/chronyd service has to be restarted manually with the following command:

# service ntpd restart

Run the following command to restart the chronyd service:

# systemctl restart chronyd.service

If the time still does not sync after the manual restart, follow the steps below.

3. Stop the ntpd service using the following command:

# service ntpd stop

Run the following command for the chronyd service:

# systemctl stop chronyd.service

4. Manually sync the XenServer clock to the desired NTP servers using the following command:

# ntpdate 0.xenserver.pool.ntp.org

Use the following command for Citrix Hypervisor 8.1 and 8.2:

# chronyd -q 'server 0.xenserver.pool.ntp.org iburst'

5. Start the ntpd service:

# service ntpd start

The host will now sync to the NTP servers.

Use the following command to start the chronyd service:

# systemctl start chronyd
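To confirm that the restart and manual step above actually brought the host into sync, the following is an added shell example (not code from the Citrix article) that parses `chronyc tracking` output on Citrix Hypervisor 8.1/8.2 and `ntpq -p` output on older XenServer releases. The sample outputs and the 0.5 s offset threshold are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the Citrix article: after the restart/step
# commands above, confirm that the host really is synchronised by parsing
# `chronyc tracking` (Citrix Hypervisor 8.1/8.2) or `ntpq -p` (older
# XenServer). Every sample output below is constructed for this example.

# Largest acceptable offset from NTP time, in seconds (assumed threshold).
MAX_OFFSET="${MAX_OFFSET:-0.5}"

# chrony_synced: reads `chronyc tracking` output on stdin; returns 0 when the
# stratum is non-zero, "Leap status" is Normal and the offset is within
# MAX_OFFSET, otherwise 1. Stratum 0 / "Not synchronised" is what an
# unsynchronised chronyd reports right after a restart.
chrony_synced() {
    awk -v max="$MAX_OFFSET" '
        /^Stratum/     { stratum = $3 }
        /^Leap status/ { leap = $4 }
        /^System time/ { offset = $4 }
        END {
            ok = (stratum + 0 > 0) && (leap == "Normal") && (offset + 0 <= max + 0)
            exit (ok ? 0 : 1)
        }'
}

# ntpq_synced: reads `ntpq -p` output on stdin; returns 0 only if some peer
# is marked "*" (the selected system peer), i.e. ntpd has actually locked on.
ntpq_synced() {
    awk '/^\*/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_live_host: run whichever daemon status tool is installed on this host.
check_live_host() {
    if command -v chronyc >/dev/null 2>&1; then
        chronyc tracking | chrony_synced
    elif command -v ntpq >/dev/null 2>&1; then
        ntpq -p | ntpq_synced
    else
        echo "neither chronyc nor ntpq found" >&2
        return 2
    fi
}

# Constructed sample: chronyd locked onto a pool server.
SAMPLE_CHRONY_OK='Reference ID    : C0A80101 (0.xenserver.pool.ntp.org)
Stratum         : 3
Ref time (UTC)  : Mon Mar 01 10:00:00 2021
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000012345 seconds
RMS offset      : 0.000045678 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal'

# Constructed sample: chronyd just restarted, no source selected yet.
SAMPLE_CHRONY_BAD='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised'

# Constructed samples for ntpd: "*" marks the system peer; ".INIT." with
# reach 0 means no server has answered yet.
SAMPLE_NTPQ_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.xenserver.pool 192.0.2.10       2 u   34   64  377    1.234   -0.123   0.456
+1.xenserver.pool 192.0.2.11       2 u   12   64  377    2.345    0.234   0.567'

SAMPLE_NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.xenserver.pool .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Self-check on the constructed samples, then the live host if a tool exists.
if printf '%s\n' "$SAMPLE_CHRONY_OK" | chrony_synced; then
    echo "sample chrony (synced): OK"
fi
if ! printf '%s\n' "$SAMPLE_CHRONY_BAD" | chrony_synced; then
    echo "sample chrony (after restart, not synced): correctly flagged"
fi
if printf '%s\n' "$SAMPLE_NTPQ_OK" | ntpq_synced; then
    echo "sample ntpq (synced): OK"
fi
if ! printf '%s\n' "$SAMPLE_NTPQ_BAD" | ntpq_synced; then
    echo "sample ntpq (no system peer): correctly flagged"
fi
if check_live_host; then
    echo "this host: synchronised"
else
    echo "this host: NOT synchronised (or status tool missing)"
fi
```

Run the script on each pool host after step 5; a non-zero result from the live check means the restart did not resolve the problem and the stop/step/start sequence in steps 3 to 5 is still needed.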


TLS handshake fails with any TLS LB VIP FIPS 9700 – Reset code 9811 from ADC

Daylight saving time changed and the NTP servers are out of sync with the ADC.

A timestamp mismatch between client and server was created by the Daylight Saving Time change (2020, which began at 2:00 AM) together with an out-of-sync NTP server.

TLS is time sensitive: the ADC detects the time mismatch and tears down the TLS session, sending a RESET with code 9811.

Note regarding RESET code 9811

=============================

As part of the TLS handshake, after a "Change Cipher Spec" message from the client machine, the ADC should send back its own "Change Cipher Spec" confirming the newly created TLS session. Instead, the ADC sends a RESET message with reset code 9811 because it detected a timestamp mismatch.

Following this article: NetScaler Reset Error Codes

https://support.citrix.com/article/CTX200852

Reset code 9811 means: NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet.

In this case the error code is deceiving, because the client machine did display the ciphers available to the ADC; instead, the ADC found a timestamp mismatch for the TLS Session ID and invalidated the session.

The cipher used on this session was TLS_RSA_WITH_AES_256_CBC_SHA (0x0035).

Handshake Protocol: Server Hello

Handshake Type: Server Hello (2)

Length: 87

Version: TLS 1.2 (0x0303)

Random: 5e66690d10ed940e434f5ef414065933aac401eaf2806ad7…

Session ID Length: 32

Session ID: 1a1ff2f6e4aaa45336d6c8f3454892b324fea21528474cce…

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Compression Method: null (0)

Extensions Length: 15

Extension: application_layer_protocol_negotiation (len=11)


NTP Configuration on NetScaler to Avoid Traffic Amplification Attack

This article has information on configuring Network Time Protocol (NTP) on NetScaler to prevent it being used in a traffic amplification attack.

Requirements

Good understanding of NetScaler and NTP.

Background

An NTP amplification vulnerability might be reported by security scans.

Instructions

To configure NTP on NetScaler to prevent traffic amplification attacks, complete the following steps:

  1. Replace the following line (if it exists) in the "ntp.conf" file with the lines given in Step 2:

    restrict default ignore

  2. Add the following lines to the file "/etc/ntp.conf":

    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery

    # Local users may interrogate the ntp server more closely:
    restrict -4 127.0.0.1
    restrict -6 ::1

  3. Restart NTP using the following command:

    root@ns# sh /mpsconfig/ntpd_start
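As an added example (not from the article), the following shell check audits an ntp.conf for the hardening described above: it passes only when both the IPv4 and IPv6 `restrict default` lines carry `noquery` (or `ignore`), which is what stops remote hosts from sending the mode 6/7 control queries such as monlist (CVE-2013-5211) that an amplification attack relies on. The sample configurations and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Citrix article: audit an ntp.conf for the
# amplification hardening above. The check passes only when the IPv4 and
# IPv6 "restrict default" lines both carry "noquery" (or "ignore"), so remote
# hosts cannot issue mode 6/7 control queries (monlist, CVE-2013-5211).
# Config text is read from stdin; all sample configs are constructed.

# ntp_conf_hardened: returns 0 if the config on stdin restricts queries for
# both address families, 1 otherwise. A plain "restrict default" (no -4/-6)
# applies to both families; later lines override earlier ones, as in ntpd.
# A config with no "restrict default" at all fails, because ntpd then
# answers control queries from anyone.
ntp_conf_hardened() {
    awk '
        { sub(/#.*/, "") }            # drop comments
        NF == 0 { next }              # skip blank lines
        $1 == "restrict" {
            fam = "both"; isdef = 0; q = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-4") { fam = "v4" }
                else if ($i == "-6") { fam = "v6" }
                else if ($i == "default") { isdef = 1 }
                else if ($i == "noquery" || $i == "ignore") { q = 1 }
            }
            if (isdef) {
                if (fam == "v4" || fam == "both") { v4 = q }
                if (fam == "v6" || fam == "both") { v6 = q }
            }
        }
        END { exit ((v4 && v6) ? 0 : 1) }'
}

# audit_file: convenience wrapper for a config file on disk.
audit_file() {
    ntp_conf_hardened < "$1"
}

# Constructed sample: restrictions present but control queries still allowed.
SAMPLE_WEAK='# constructed: no noquery on the default lines
server 0.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1'

# Constructed sample: the lines recommended in the article above.
SAMPLE_HARDENED='# constructed: hardened default lines
server 0.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict -4 127.0.0.1
restrict -6 ::1'

# Constructed sample: a family-neutral default line is hardened, but a later
# IPv6-specific default line reopens queries over IPv6.
SAMPLE_V4_ONLY='# constructed: IPv6 default left open
server 0.pool.ntp.org
restrict default kod nomodify noquery
restrict -6 default kod nomodify
restrict 127.0.0.1'

# Self-check on the constructed samples, then the real file if present.
for name in SAMPLE_WEAK SAMPLE_HARDENED SAMPLE_V4_ONLY; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | ntp_conf_hardened; then
        echo "$name: hardened"
    else
        echo "$name: NOT hardened (control queries reachable)"
    fi
done
if [ -r /etc/ntp.conf ]; then
    if audit_file /etc/ntp.conf; then
        echo "/etc/ntp.conf: hardened"
    else
        echo "/etc/ntp.conf: NOT hardened"
    fi
fi
```

The third sample is the case that is easy to miss during review: a later, more specific `restrict -6 default` line silently overrides the family-neutral line above it, so checking only that `noquery` appears somewhere in the file is not enough.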

Additional Resources

CVE-2013-5211 - Vulnerability Summary for CVE-2013-5211


Cisco NX-OS Software Network Time Protocol Denial of Service Vulnerability

A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to excessive use of system resources when the affected device is logging a drop action for received MODE_PRIVATE (Mode 7) NTP packets. An attacker could exploit this vulnerability by flooding the device with a steady stream of Mode 7 NTP packets. A successful exploit could allow the attacker to cause high CPU and memory usage on the affected device, which could cause internal system processes to restart or cause the affected device to unexpectedly reload.

Note: The NTP feature is enabled by default.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos

Security Impact Rating: Medium

CVE: CVE-2019-1967


Behavior of 'Preferred' Option when two NTP servers are added

The Prefer option is an NTP-level setting. Not only the ADC but all devices conform to the rules in the RFC: http://doc.ntp.org/3-5.93e/prefer.html

Case 1: Two NTP servers are added with the preferred option set to YES for both servers.

- The mitigation rules defined in the RFC are used: http://doc.ntp.org/3-5.93e/prefer.html (see the Mitigation Rules section).

Case 2: Two NTP servers are added with the preferred option set to YES for one server and NO for the other.

- The appliance synchronizes first with the server whose preferred option is YES.


NTP not synchronized on Advanced Threat Protection


Hi Team,

After running the "status_check" command in Symantec ATP's CLI I am getting the following message:

NTP                                             NOT synchronized!
                                                Please fix NTP configuration, else
                                                the appliance may not function properly.

We are using a Domain Controller (DC) as the NTP server.

As per the Symantec KB article:

https://support.symantec.com/en_US/article.TECH250…

if the time server is a DC, change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

LocalClockDispersion from 10 to 0.

I have checked the same with the DC team, but they informed me that only the Symantec ATP team reported the error.

No other application or service team has reported the issue.

The DC team cannot make the aforementioned changes on their DC server because it might impact many applications, services and servers in the environment.

Can you guys help me with a workaround to fix this issue?

A quick response will be appreciated.


NTP: Tried all configured servers. Unable to obtain NTP update due to NTP server errors


Hi Team,

We are receiving the below message intermittently in the event logs. I did check the NTP servers; all are responding. DNS is also fine.

2019-02-28 02:06:54+08:00CST  “NTP: Tried all configured servers. Unable to obtain NTP update due to NTP server errors.”  0 90000:1 Mailed ntp.cpp:880

Before this message we receive a DNS error looking up all NTP servers. A snapshot of the same is attached.

Can you please let me know where the issue could be? Is this a bug? How do I troubleshoot this issue?

Thanks,

Mayur
