RogerSpraggon
Joined: 19 Mar 2012 Posts: 59
|
Posted: Tue Aug 08, 2017 5:18 pm Post subject: Test NTP on VMware host |
|
|
I am having some trouble with my Windows Domain controllers occasionally getting wrong time and I suspect it is to do with VMware host (even though I have turned off all options to sync with host) and I want to set up an NTP test in HostMonitor to check the time on the VMware host but I can't get the normal NTP test to work. Is there a way to get this to work for VMware Host (Linux)? |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Tue Aug 08, 2017 5:32 pm Post subject: |
|
|
What exactly does "I can't get NTP test to work" mean?
What test status do you see? No answer? Unknown? Bad? Host is alive?
Reply value?
HostMonitor version?
ntpd service running on Linux?
firewall allows connection from HostMonitor?
correct port specified?
Regards
Alex |
|
|
|
RogerSpraggon
Joined: 19 Mar 2012 Posts: 59
|
Posted: Tue Aug 08, 2017 8:40 pm Post subject: |
|
|
I am using HostMonitor "NTP test"
Result is "No answer"
HM Version is 10.08
NTP client is running on VMware host
ntpClient firewall rule is "enabled" and UDP 123 reports as "Listening or Filtered"
Port is 123 |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Wed Aug 09, 2017 5:49 am Post subject: |
|
|
Sorry, I have no idea what is wrong on your system.
Maybe you enabled the firewall rule for the wrong interface?
Maybe you are using the wrong IP in the test settings?
Try to use strace and tcpdump to check what is going on...
Regards
Alex |
|
|
|
RogerSpraggon
Joined: 19 Mar 2012 Posts: 59
|
Posted: Wed Aug 09, 2017 9:32 pm Post subject: |
|
|
It appears that the VMware ESXi host firewall is blocking the incoming NTP requests from HM since if I disable the firewall then the HM NTP test works.
I don't want to disable the entire firewall; I just have to tweak the firewall to accept incoming UDP 123; not straightforward with VMware and ESXi.
If I manage to get the configuration right I'll post an update in case someone else is trying to do the same thing in the future |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Thu Aug 10, 2017 9:54 am Post subject: |
|
|
Check /etc/vmware/firewall/service.xml file.
You may change existing rule for NTP port or create new one like
<service id="123">
  <id>NTP</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>udp</protocol>
    <porttype>dst</porttype>
    <port>123</port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
Note: service id must be unique
Please check VMWare docs for details
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008226
Regards
Alex |
|
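An added example, not part of the original posts and not KS-Soft's or VMware's code: a Python check for an edited service.xml that reports duplicate service ids (the uniqueness requirement noted above) and lists which enabled services admit inbound UDP 123. The `<ConfigRoot>` wrapper, the sshServer entry and the begin/end port-range form are assumptions about the file layout, and the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of the rule posted above; the <ConfigRoot>
# wrapper and the sshServer service are assumptions made for this example.
SAMPLE = """<ConfigRoot>
  <service id="0000">
    <id>sshServer</id>
    <rule id="0000">
      <direction>inbound</direction><protocol>tcp</protocol>
      <porttype>dst</porttype><port>22</port>
    </rule>
    <enabled>true</enabled><required>true</required>
  </service>
  <service id="123">
    <id>NTP</id>
    <rule id="0000">
      <direction>inbound</direction><protocol>udp</protocol>
      <porttype>dst</porttype><port>123</port>
    </rule>
    <enabled>true</enabled><required>false</required>
  </service>
</ConfigRoot>"""

def port_matches(port_el, port):
    """True if a <port> element is `port` or a begin/end range containing it."""
    if port_el is None:
        return False
    begin, end = port_el.findtext("begin"), port_el.findtext("end")
    if begin and end:  # range form (assumed layout)
        return int(begin) <= port <= int(end)
    return (port_el.text or "").strip() == str(port)

def check_services(xml_text, proto="udp", port=123):
    """Return (duplicated service ids/names, enabled services admitting inbound proto/port)."""
    services = list(ET.fromstring(xml_text).iter("service"))
    seen = Counter(s.get("id", "") for s in services)
    seen += Counter("name:" + (s.findtext("id") or "").strip() for s in services)
    dups = sorted(k for k, n in seen.items() if n > 1)
    openers = []
    for s in services:
        if (s.findtext("enabled") or "").strip().lower() != "true":
            continue  # disabled services open nothing
        for r in s.iter("rule"):
            get = lambda tag: (r.findtext(tag) or "").strip().lower()
            if (get("direction"), get("protocol"), get("porttype")) == ("inbound", proto, "dst") \
                    and port_matches(r.find("port"), port):
                openers.append((s.findtext("id") or "").strip())
    return dups, openers
```

Run `check_services(open(path).read())` against a copy of the edited file: an empty first list means no id collision, and the second list should contain only the service meant to accept NTP queries.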
|
|
RogerSpraggon
Joined: 19 Mar 2012 Posts: 59
|
Posted: Thu Aug 10, 2017 9:32 pm Post subject: |
|
|
I found this too and applied a new rule but it isn't persistent after a reboot.
You need to run the following 2 commands after making the change:
tar -cvzf vnasfw.tgz /etc/vmware/firewall/service.xml
BootModuleConfig.sh --add=vnasfw.tgz
The following article explains the whole process:
http://cormachogan.com/2014/03/28/adding-bespoke-firewall-rules-to-esxi/ |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Fri Aug 11, 2017 7:48 am Post subject: |
|
|
Thank you
Regards
Alex |
|
|
|
|