Test NTP on VMware host

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
RogerSpraggon
Posts: 65
Joined: Mon Mar 19, 2012 11:51 pm

Test NTP on VMware host

Post by RogerSpraggon »

I am having some trouble with my Windows Domain controllers occasionally getting the wrong time, and I suspect it is to do with the VMware host (even though I have turned off all options to sync with the host). I want to set up an NTP test in HostMonitor to check the time on the VMware host, but I can't get the normal NTP test to work. Is there a way to get this to work for a VMware Host (Linux)?
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

What exactly does "I can't get NTP test to work" mean?
What test status do you see? No answer? Unknown? Bad? Host is alive?
Reply value?
HostMonitor version?

ntpd service running on Linux?
firewall allows connection from HostMonitor?
correct port specified?

Regards
Alex
RogerSpraggon
Posts: 65
Joined: Mon Mar 19, 2012 11:51 pm

Post by RogerSpraggon »

I am using HostMonitor "NTP test"
Result is "No answer"
HM Version is 10.08
NTP client is running on VMware host
ntpClient firewall rule is "enabled" and UDP 123 reports as "Listening or Filtered"
Port is 123
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Sorry, I have no idea what is wrong on your system.
Maybe you enabled the firewall rule for the wrong interface?
Maybe you are using the wrong IP in the test settings?
Try to use strace and tcpdump to check what is going on...

Regards
Alex
RogerSpraggon
Posts: 65
Joined: Mon Mar 19, 2012 11:51 pm

Post by RogerSpraggon »

It appears that the VMware ESXi host firewall is blocking the incoming NTP requests from HM since if I disable the firewall then the HM NTP test works.
I don't want to disable the entire firewall; I just have to tweak the firewall to accept incoming UDP 123; not straightforward with VMware and ESXi.
If I manage to get the configuration right I'll post an update in case someone else is trying to do the same thing in the future.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Check the /etc/vmware/firewall/service.xml file.

You may change the existing rule for the NTP port or create a new one like:

    <service id="123">
      <id>NTP</id>
      <rule id='0000'>
        <direction>inbound</direction>
        <protocol>udp</protocol>
        <porttype>dst</porttype>
        <port>123</port>
      </rule>
      <enabled>true</enabled>
      <required>false</required>
    </service>

Note: service id must be unique

Please check the VMware docs for details
https://kb.vmware.com/selfservice/micro ... Id=2008226

Regards
Alex
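
Added example, not part of the original posts and not KS-Soft or VMware code: a Python check that a service.xml has no repeated service id and that an enabled service actually permits inbound UDP 123, as the rule in the post above intends. The `<ConfigRoot>` wrapper, the sshServer entry and the function name are assumptions made for this constructed sample.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real host's file: one pre-existing service plus the
# NTP rule from the post above. The <ConfigRoot> wrapper is an assumption.
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id="0000">
    <id>sshServer</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>22</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
  <service id="123">
    <id>NTP</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>123</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>"""


def audit_firewall_xml(xml_text, protocol="udp", port="123"):
    """Return (duplicate service ids, names of enabled services allowing inbound protocol/port)."""
    root = ET.fromstring(xml_text)
    services = list(root.iter("service"))
    counts = Counter(s.get("id", "") for s in services)
    duplicates = sorted(i for i, n in counts.items() if n > 1)
    allowing = []
    for svc in services:
        if (svc.findtext("enabled") or "").strip().lower() != "true":
            continue  # a disabled service opens nothing
        for rule in svc.iter("rule"):
            # Only single-port rules are matched; port ranges are not handled here.
            got = tuple((rule.findtext(t) or "").strip().lower()
                        for t in ("direction", "protocol", "porttype", "port"))
            if got == ("inbound", protocol, "dst", port):
                allowing.append((svc.findtext("id") or "").strip())
                break
    return duplicates, allowing
```

To check a real file, pass its contents to `audit_firewall_xml`; an empty second list means no enabled rule admits the HostMonitor NTP request.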
RogerSpraggon
Posts: 65
Joined: Mon Mar 19, 2012 11:51 pm

Post by RogerSpraggon »

I found this too and applied a new rule but it isn't persistent after a reboot.
You need to run the following 2 commands after making the change:

    tar -cvzf vnasfw.tgz /etc/vmware/firewall/service.xml
    BootModuleConfig.sh --add=vnasfw.tgz

The following article explains the whole process:
http://cormachogan.com/2014/03/28/addin ... s-to-esxi/
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Thank you

Regards
Alex