I cannot sync with an NTP source that's coming from an internal router/firewall.

Can anyone help?

ntpdate -d
 6 Jun 11:57:30 ntpdate[5011]: ntpdate 4.1.2@1.892 Tue Feb 24 06:32:26 EST 2004 (1)
transmit( Server dropped: strata too high
server, port 123
stratum 16, precision -19, leap 11, trust 000
refid [], delay 0.02591, dispersion 0.00002
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  6:28:16.000
originate timestamp: d1972e03.0ae02645  Mon, Jun  6 2011 11:44:19.042
transmit timestamp:  d197311b.0ffac1d2  Mon, Jun  6 2011 11:57:31.062
filter delay:  0.02609  0.02591  0.02594  0.02596
         0.00000  0.00000  0.00000  0.00000
filter offset: -792.020 -792.020 -792.020 -792.020
         0.000000 0.000000 0.000000 0.000000
delay 0.02591, dispersion 0.00002
offset -792.020152

 6 Jun 11:57:31 ntpdate[5011]: no server suitable for synchronization found


The server I'm being asked to sync to is a firewall, and I've now been told that it is not syncing with anything. So I suppose I need to know if I can force my server to sync with a server that is stratum 16, i.e. not sync'd. Is that possible?


5 Answers


I have found that attempting to change the stratum of a server in the client side ntp.conf with a

fudge <server_ip> stratum <number_less_than_16>

does not work.

However, if you can access the ntp.conf on the server (the machine running ntpd) and add the following lines

fudge stratum 8

it is able to fudge itself ( is the local ntpd server address, 8 is a number less than 16) (remember to restart ntpd).

You can then successfully run ntpdate on the client (ntpdate <server_ip>).


NTP increases the stratum for each level in the hierarchy - an NTP server pulling time from a "stratum 1" server would advertise itself as "stratum 2" to its clients.

A stratum value of "16" is reserved for unsynchronized servers meaning that your internal NTP server at thinks not to have a reliable timesource (i.e. not synchronizing to a higher-level stratum server).

You would need to do some debugging there - if it is a Linux server using ntpd, look at the output of ntpq peers for clues for possible reasons

  • 2
    You are correct, I've now been told the firewall is not sync'ing with anything. Can I force my server to sync with the firewall anyway? – AndyM Jun 06 '11 at 12:14
  • 1
    Don't know about any simple NTP client ignoring the stratum value. Using a full-fledged ntpd you can set the stratum of the server you are syncing to via the `fudge stratum ` directive - it would be regarded as an accepted and synchronized time source by your local ntpd then. But this is far from being elegant. – the-wabbit Jun 06 '11 at 14:21
  • 2
    Better than forcing your clients to sync with a server at stratum 16 would be to force the router to be something like stratum 10. If you can access the config file on your router you will want to add something like this to it: server # local clock fudge stratum 10 # local stratum – Ladadadada Aug 08 '11 at 09:19
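
An added example (not part of any answer above) that decodes the NTP header fields shown in the question's `ntpdate -d` output and lists the signs that such a reply carries no usable time. The packet is constructed from the values in that output; the version number, poll value and helper names are assumptions, and the checks are a simplified reading of the protocol fields, not ntpdate's own code.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def ntp_time(seconds, fraction=0):
    """Convert an era-0 NTP timestamp (32.32 fixed point) to UTC."""
    micros = fraction * 1_000_000 // 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)

def parse_header(pkt):
    """Decode the header fields that `ntpdate -d` prints for each server."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes")
    flags, stratum, _poll, precision = struct.unpack("!BBbb", pkt[:4])
    ts = struct.unpack("!8I", pkt[16:48])  # reference, originate, receive, transmit
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "precision": precision,
            "reference": ts[0:2], "transmit": ts[6:8]}

def unsync_reasons(hdr):
    """List the signs that the sender has no valid time to hand out."""
    reasons = []
    if hdr["leap"] == 3:  # printed as "leap 11" (binary) in the debug output
        reasons.append("leap indicator 3: clock not synchronized")
    if hdr["stratum"] == 0 or hdr["stratum"] >= 16:
        reasons.append(f"stratum {hdr['stratum']}: unsynchronized")
    if hdr["reference"] == (0, 0):  # zero means the clock was never set
        reasons.append("reference time is zero")
    return reasons

def build_reply(leap, stratum, precision, reference, transmit):
    """Constructed server reply (mode 4, version 3 assumed); other fields zeroed."""
    flags = (leap << 6) | (3 << 3) | 4
    return (struct.pack("!BBbb", flags, stratum, 6, precision)
            + bytes(12)                       # root delay, dispersion, refid
            + struct.pack("!2I", *reference)
            + bytes(16)                       # originate, receive
            + struct.pack("!2I", *transmit))

# Values from the question; the server's own timestamp is assumed to be the
# one the debug output labels "originate timestamp".
FIREWALL = build_reply(3, 16, -19, (0, 0), (0xD1972E03, 0x0AE02645))
# Constructed healthy reply for comparison.
HEALTHY = build_reply(0, 2, -19, (0xD1972D00, 0), (0xD197311B, 0x0FFAC1D2))

if __name__ == "__main__":
    for name, pkt in (("firewall", FIREWALL), ("healthy", HEALTHY)):
        hdr = parse_header(pkt)
        print(name, ntp_time(*hdr["transmit"]), unsync_reasons(hdr) or "usable")
```

The two timestamps in the question's output decode to 10:44:19 and 10:57:31 UTC, 792 seconds apart, which matches the reported offset of -792.02.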

Well, the error message does say it quite clearly: "stratum too high". In essence your ntpdate is telling you that your time server is too far down the hierarchy to be reliable. There is a line in the printout that shows it:

stratum 16, precision -19, leap 11, trust 000

I have no idea how you got there, but a stratum 16 time server is 15 levels removed from the stratum 1 servers, and that is a lot. You might want to try and find out why that is the case. In our company network, most machines synchronize to the linux gateways, which are connected to stratum 3 servers (which makes them stratum 4) or the domain controllers (same). You'd have to have a really complicated network setup to reach stratum 16.

  • Thanks, I've edited the question, now I've found that the firewall is not sync'd with anything. – AndyM Jun 06 '11 at 12:18
  • Well, in that case you can't use it for ntp at all. You'll need to see whether you can connect to an outside ntp server. Go to ntp.org and find a suitable server in your vicinity and see whether you can use it. If your firewall doesn't allow this, then ask your sysadmins how the hell they expect this to work. – wolfgangsz Jun 06 '11 at 13:04
  • 1
    Stratum 16 is arbitrarily used for unsynchronized servers. – Jeter-work Aug 20 '18 at 17:07
  • The 'server ip.ad.dr.es / fudge ip.ad.dr.es stratum X' where X is an arbitrary number < 16, (@QasiTam's answer) lets you set up an NTP server within a disconnected network where the one machine can be manually synced. – Jeter-work Aug 20 '18 at 17:13

Try running ntpdate tock.usno.navy.mil. That is a stratum 1 NTP server run by the US Naval Observatory. See if you can sync to that, then move forward from that. By any chance is your firewall / router a PFsense box running OpenNTPD?

You can add the -d if you like.

  • The server has no internet connectivity – AndyM Jun 06 '11 at 12:15
  • No connectivity by admin or no physical internet? – ianc1215 Jun 06 '11 at 12:58
  • I would strongly recommend letting the server have access to the internet on UDP\123 unless it is out of the question entirely. The problem might be with the firewall's time server and not so much the server. Also check to be sure the server has UDP\123 open for NTP traffic. If that is not open NTP will fail, which might explain the problems you are having. – ianc1215 Jun 06 '11 at 13:01

There may be a line which starts with restrict default; just delete it and restart the service... now run ntpq and then pe.

Here is my before and after...

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default ignore

and the result is ....

[root@jump ~]# ntpq
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
 grom.polpo.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 skavoovie.net   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 hydrogen.consta .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lttlesis.deekay .INIT.          16 u    -   64    0    0.000    0.000   0.000
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
 grom.polpo.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 skavoovie.net   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 hydrogen.consta .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lttlesis.deekay .INIT.          16 u    -   64    0    0.000    0.000   0.000
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
 grom.polpo.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 skavoovie.net   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 hydrogen.consta .INIT.          16 u    -   64    0    0.000    0.000   0.000
 lttlesis.deekay .INIT.          16 u    -   64    0    0.000    0.000   0.000

Now when I comment out that line... (or ANY line that may start with restrict default)... I get...

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default ignore

[root@jump ~]# service ntpd restart
Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]
[root@jump ~]# ntpd
[root@jump ~]# ntpq 
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
*wiggum.whackert  2 u    3   64    1   29.797   24.402   1.088
                  2 u    2   64    1   59.319   23.059   8.816
 eterna.binary.n    2 u    1   64    1   67.785   31.427   0.233
 shed.galexander    3 u    -   64    1   21.291   21.746   9.525

ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
*wiggum.whackert  2 u   31   64    1   29.797   24.402   1.088
                  2 u   30   64    1   59.319   23.059   8.816
 eterna.binary.n    2 u   29   64    1   67.785   31.427   0.233
 shed.galexander    3 u   28   64    1   21.291   21.746   9.525
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
*wiggum.whackert  2 u   33   64    1   29.797   24.402   1.088
                  2 u   32   64    1   59.319   23.059   8.816
 eterna.binary.n    2 u   31   64    1   67.785   31.427   0.233
 shed.galexander    3 u   30   64    1   21.291   21.746   9.525

And THAT was the solution to MY problem !!!

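
An added example (not from the answer above): with `restrict default ignore` and no more specific entry, ntpd drops the replies from its own configured servers, which is the `.INIT.` / reach 0 state shown; deleting the default removes every restriction, while per-source `restrict` lines keep the default and still let the sources through. This checker assumes numeric IPv4 addresses, inspects only the `ignore` flag, and uses constructed addresses and hypothetical function names.

```python
import ipaddress

def parse_conf(text):
    """Return (servers, rules) from ntp.conf text; numeric IPv4 addresses only."""
    servers, rules = [], []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()   # drop comments, split into words
        if len(tok) < 2:
            continue
        if tok[0] == "server":
            servers.append(ipaddress.ip_address(tok[1]))
        elif tok[0] == "restrict":
            addr, flags, mask = tok[1], tok[2:], "255.255.255.255"
            if addr == "default":
                addr = mask = "0.0.0.0"
            elif flags[:1] == ["mask"]:
                mask, flags = flags[1], flags[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((net, set(flags)))
    return servers, rules

def audit(text):
    """Report servers whose replies ntpd drops, and whether a default rule exists."""
    servers, rules = parse_conf(text)
    blocked = []
    for srv in servers:
        matching = [r for r in rules if srv in r[0]]
        if matching:
            # The most specific matching entry decides (longest prefix).
            _net, flags = max(matching, key=lambda r: r[0].prefixlen)
            if "ignore" in flags:
                blocked.append(str(srv))
    has_default = any(net.prefixlen == 0 for net, _ in rules)
    return {"blocked": blocked, "has_default": has_default}

# Constructed configs; 192.0.2.0/24 is a documentation range.
SERVERS = "server 192.0.2.10\nserver 192.0.2.11\n"
BEFORE = "restrict default ignore\n" + SERVERS
DELETED = SERVERS                      # the change described in the answer
NARROW = BEFORE + (
    "restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery\n"
    "restrict 192.0.2.11 mask 255.255.255.255 nomodify notrap noquery\n")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("deleted", DELETED), ("narrow", NARROW)):
        print(name, audit(conf))
```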