In article <478E40FF.4070708 at gmail.com>, Sean Carolan <scarolan at gmail.com> wrote:
> > The zeros in the "reach" column indicate that the server has been unable to
> > receive any packets from the upstream servers.
> >
> > Is your server inside a firewall? If so, perhaps it is blocking NTP traffic.
> > You need to have it allow UDP port 123 in both directions. You don't need
> > port forwarding from outside to in, since all incoming packets will be replies
> > to outgoing packets.
> >
> > If it is not inside a firewall, perhaps you have iptables on the server itself
> > blocking UDP port 123 traffic.
>
> Fantastic, Tony. This is the information I needed. Our ISP does in fact
> block UDP packets and I suspect this is why the sync is failing.
>
> One question though - how come I can use ntpdate servername to update them by
> hand? Shouldn't that be blocked as well?

That depends. The ntpdate on my system uses a non-privileged UDP port as the
source port, and 123 as the destination. That means the reply from the external
server will be coming back to a non-privileged port (above 1024).

The ntpd daemon, however, uses 123 as both source and destination port, and
therefore so will replies to it.

Maybe the ISP allows incoming UDP packets to non-privileged ports but not to
low port numbers like 123.

Cheers
Tony

-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
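Added example, not part of Tony's reply or anything else in this thread: a small Python model of the two flows described above (ntpdate sending from an unprivileged source port, ntpd sending from port 123) passing through an assumed stateless ISP filter that only admits inbound UDP to ports above 1024, beside a connection-tracking filter of the kind "allow UDP 123 in both directions" implies. It also emulates the ntpq "reach" shift register so the outcome shows up as the 377 / 0 values the thread talks about. The policy, port numbers and class names are constructed for illustration, not taken from any real ISP or from ntpd's code.

```python
from dataclasses import dataclass

NTP_PORT = 123
EPHEMERAL_PORT = 49152  # constructed: an unprivileged source port, as ntpdate would pick


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int
    inbound: bool  # True when travelling from the Internet toward the client


def stateless_isp_allows(pkt: UdpPacket) -> bool:
    """Assumed ISP policy: any outbound UDP; inbound UDP only to ports above 1024."""
    return (not pkt.inbound) or pkt.dst_port > 1024


class StatefulFilter:
    """Connection-tracking filter: inbound UDP is accepted only when it answers an
    outbound packet seen earlier, which is what 'allow 123 in both directions' needs."""

    def __init__(self) -> None:
        self.outbound_flows = set()

    def allows(self, pkt: UdpPacket) -> bool:
        if not pkt.inbound:
            self.outbound_flows.add((pkt.src_port, pkt.dst_port))
            return True
        return (pkt.dst_port, pkt.src_port) in self.outbound_flows


def poll_succeeds(client_src_port: int, allows) -> bool:
    """One NTP poll: request out from client_src_port to 123, reply back to it."""
    request = UdpPacket(client_src_port, NTP_PORT, inbound=False)
    reply = UdpPacket(NTP_PORT, client_src_port, inbound=True)
    return allows(request) and allows(reply)


def reach_after_polls(client_src_port: int, allows, polls: int = 8) -> str:
    """Emulate ntpq's 'reach' column: an 8-bit shift register, one bit per poll,
    1 when a reply arrived, shown in octal (377 = all of the last eight answered)."""
    reach = 0
    for _ in range(polls):
        reach = ((reach << 1) | int(poll_succeeds(client_src_port, allows))) & 0xFF
    return format(reach, "o")


if __name__ == "__main__":
    print("ntpdate flow, stateless filter:", reach_after_polls(EPHEMERAL_PORT, stateless_isp_allows))
    print("ntpd flow, stateless filter:   ", reach_after_polls(NTP_PORT, stateless_isp_allows))
    print("ntpd flow, stateful filter:    ", reach_after_polls(NTP_PORT, StatefulFilter().allows))
```

Running it prints 377 for the ntpdate-style flow, 0 for ntpd behind the stateless filter, and 377 again once replies to port 123 are matched against the outbound request, which is the check to make when a firewall or ISP is suspected of eating NTP replies.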