FOOD FOR THOUGHT Lots of connects to ntp servers

[wa4zlw]

I'm debugging the sip-alg with watchguard so I have some filters on the filter traffic monitor watching the pbx traffic. The pbx seems to be polling various ntp quite often:

2015-01-24 20:30:09 Allow 10.195.13.10 195.50.171.101 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="<public ip>" Traffic
2015-01-24 20:30:09 Allow 10.195.13.10 192.96.207.244 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="<public ip>" Traffic
2015-01-24 20:30:12 Allow 10.195.13.10 212.7.1.131 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="<public ip>" Traffic
2015-01-24 20:30:17 Allow 10.195.13.10 69.167.160.102 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="<public ip>" Traffic

I have two interfaces on the PBX 10.161.51.10 and 10.195.13.10 which is VLAN 100. VLAN 100 handles the voice traffic and has QOS applied.

In any event any idea why the pbx polls so often? Even during a call it is doing this.

PBX in a Flash PURPLE Status Program
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
lqqqqqqqqqqqqqqqqqqqSYSTEM INFORMATION *VERIFIED*qqqqqqqqqqqqqqqqqqqqqk
x Asterisk = ONLINE | Dahdi = ONLINE | MySQL = ONLINE x
x SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE x
x Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = ONLINE x
x Disk Free = ADEQUATE| Mem Free = ADEQUATE| NTPD = ONLINE x
x Postfix = ONLINE | Samba = ONLINE | Webmin = ONLINE x
x Ethernet0 = ONLINE | Ethernet1 = N/A | Wlan0 = N/A x
x x
x PIAF Installed Version = 2.0.6.4 under *HARDWARE* x
x FreePBX Version = 2.9.0.15 x
x Running Asterisk Version = 1.8.20.1 x
x Asterisk Source Version = 1.8.20.1 x
x Dahdi Source Version = 2.6.2 x
x Libpri Source Version = 1.4.12 x
x IP Address = 10.161.51.10 on eth0 x
x Operating System = CentOS release 6.4 (Final) x
x Kernel Version = 2.6.32-358.2.1.el6.i686 - 32 Bit x
x Incredible PBX 3 Version = 3.1.0 x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


root@pbx:~ $

Thanks leon

 

[wa4zlw]

BTW this happens without the sip-alg running as it is turned off now due to what seems to be a bug whereby outbound calls gets limited to 17 minutes; I have had an open ticket for a few months and we've been testing all sorts of stuff related to sip.

Leon

 

[TwigsUSAN]

SIP-ALG is normally an issue in any device. That's why it is normally recommended to turn it off.

 

[wa4zlw]

I know that, thanks, but I am testing stuff for Watchguard. I'm more concerned about almost the constant NTP polls.

 

[wardmundy]

There is a security issue with older versions of NTP. You have updated it, right??

 

[wa4zlw]

HI ward...I've done whatever updated that were in pbx-updates. I guess I cluold load up Webmin and see if I am missing anything. thanks for the alert.

Leon

 

[wa4zlw]

updating now...i used to get security alerts from pbx so I set webmin to do auto security updates

will see if ntp keeps polling after all the updates done...thanks.

 

[wa4zlw]

ok I updated a pile of packages and rebooted and now we're dead!
operating system polling again four different ntp servers and still is doing so
2015-01-25 14:21:31 Allow 10.195.13.10 70.35.113.44 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 14:21:31 Allow 10.195.13.10 69.50.219.51 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 14:21:33 Allow 10.195.13.10 50.115.174.208 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 14:21:33 Allow 10.195.13.10 204.2.134.162 ntp/udp 123 123 100-VoIP VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic


PBX in a Flash PURPLE Status Program
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
lqqqqqqqqqqqqqqqqqqqSYSTEM INFORMATION *VERIFIED*qqqqqqqqqqqqqqqqqqqqqk
x Asterisk = OFFLINE | Dahdi = ONLINE | MySQL = ONLINE x
x SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE x
x Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = OFFLINE x
x Disk Free = ADEQUATE| Mem Free = ADEQUATE| NTPD = ONLINE x
x Postfix = ONLINE | Samba = ONLINE | Webmin = LOADING x
x Ethernet0 = ONLINE | Ethernet1 = N/A | Wlan0 = N/A x
x x
x PIAF Installed Version = 2.0.6.4 under *HARDWARE* x
x FreePBX Version = 2.9.0.15 x
x Running Asterisk Version = UNKNOWN x
x Asterisk Source Version = 1.8.20.1 x
x Dahdi Source Version = 2.6.2 x
x Libpri Source Version = 1.4.12 x
x IP Address = 10.161.51.10 on eth0 x
x Operating System = CentOS release 6.4 (Final) x
x Kernel Version = 2.6.32-358.2.1.el6.i686 - 32 Bit x
x Incredible PBX 3 Version = 3.1.0 x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


root@pbx:~ $ amportal restart

Fetching FreePBX settings with gen_amp_conf.php..
/usr/local/sbin/amportal: line 49: [FATAL]: command not found

/var/lib/asterisk/bin/freepbx_engine: line 98: [FATAL]: command not found
**** WARNING: ERROR IN CONFIGURATION ****
astrundir in '/etc/asterisk' is set to but the directory
does not exists. Attempting to create it with: 'mkdir -p '

mkdir: missing operand
Try `mkdir --help' for more information.
**** ERROR: COULD NOT CREATE ****
Attempt to execute 'mkdir -p ' failed with an exit code of 1
You must create this directory and the try again.
root@pbx:~ $

any ideas?

thanks leon

 

[wa4zlw]

this is weird it is up now and I didnt do anything except change some static routes

PBX in a Flash PURPLE Status Program
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
lqqqqqqqqqqqqqqqqqqqSYSTEM INFORMATION *VERIFIED*qqqqqqqqqqqqqqqqqqqqqk
x Asterisk = ONLINE | Dahdi = ONLINE | MySQL = ONLINE x
x SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE x
x Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = ONLINE x
x Disk Free = ADEQUATE| Mem Free = ADEQUATE| NTPD = ONLINE x
x Postfix = ONLINE | Samba = ONLINE | Webmin = ONLINE x
x Ethernet0 = ONLINE | Ethernet1 = N/A | Wlan0 = N/A x
x x
x PIAF Installed Version = 2.0.6.4 under *HARDWARE* x
x FreePBX Version = 2.9.0.15 x
x Running Asterisk Version = 1.8.20.1 x
x Asterisk Source Version = 1.8.20.1 x
x Dahdi Source Version = 2.6.2 x
x Libpri Source Version = 1.4.12 x
x IP Address = 10.161.51.10 on eth0 x
x Operating System = CentOS release 6.4 (Final) x
x Kernel Version = 2.6.32-358.2.1.el6.i686 - 32 Bit x
x Incredible PBX 3 Version = 3.1.0 x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


root@pbx:~ $

 

[wa4zlw]

hmmm i can not get webmin to change my statics. since I am not 100% a linux nerd whats the easiest way to add and delete routes?

Thanks leon

 

[wa4zlw]

ok i figured it out I am going to try a reboot and see if things stick and if I get the asterisk error again thanks for being patient

 

[wa4zlw]

ok the routes I added in the CLI did not stick but asterisk came up looks like I didnt wait long enough for it to come up earlier. system has been up a long time so I forgot how long it takes whats easiest wat to make my routes stick use webmin or the cli?

 

[wa4zlw]

ok looks like i got it figured out. now to see if ntp polls and where

 

[wardmundy]

Maybe I missed it but... have you always had a firewall protecting this server??

 

[wa4zlw]

yes I have. a few months ago i redid my network from a flat one to using VLANs separating out the data and voice and wifi separately and adding QOS on the voice vlan and haven't had any "voice" issues with data. The only ones were when I started playing with the sip-alg to use for security and then found a bunch of issues so I have been working with Watchguard on them. Now I am still confused as to why after upgrading the OS ntp still sends out the same polls?

always does it in this grouping

2015-01-25 15:40:09 Allow 10.161.51.10 198.211.106.151 ntp/udp 123 123 1-Data VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 15:40:12 Allow 10.161.51.10 50.116.55.65 ntp/udp 123 123 1-Data VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 15:40:15 Allow 10.161.51.10 66.228.54.198 ntp/udp 123 123 1-Data VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24." Traffic
2015-01-25 15:40:15 Allow 10.161.51.10 50.115.174.208 ntp/udp 123 123 1-Data VLAN 1-50M Allowed 76 63 (NTP-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="24" Traffic

seems to do this every minute whether a call is in progress of not. sorry for the extra noise earlier. Still light on linux.

Leon

 

[wa4zlw]

I work for windstream in the security operations center and deal with Watchguard CPE firewalls, fortinet CPE and Cloud and cisco NBFWs. Prefer the Watchguards.

ldz

 

[wa4zlw]

looks like this is related to the ntpd server. I shut it down and restarted it and saw the polls going out so I wonder if there is a bug in it?

 

[wa4zlw]

I dont think I need an NTPD running since my router is my local NTP server thoughts?

Leon

 

[wa4zlw]

Hi ward...you never cease to amaze me. Just read your new article on NV. excellent. Regarding this do we need the ntpd running on the pbx when there is one on the local network?

 

[wardmundy]

Thanks. I think ntpd actually keeps your time in sync on the PBX. Without it, the time drift is pretty bad even after a few days. I'm wondering if your firewall may not be blocking NTP packets in one direction or the other. This would explain the repeated requests.