NTP Synchronization

This section provides information about how to set and monitor NTP on your Oracle® Enterprise Session Border Controller.

When an NTP server is unreachable or when NTP service goes down, the Oracle® Enterprise Session Border Controller generates traps for those conditions. Likewise, the Oracle® Enterprise Session Border Controller clears those traps when the conditions have been rectified. The Oracle® Enterprise Session Border Controller considers a configured NTP server to be unreachable when its reach number is 0. The reach number records whether or not the NTP server could be reached at the last polling interval; each successful completion augments the number. You can see this value for a server when you use the ACLI show ntp server command.

  • The traps for when a server is unreachable and then again reachable are: apSysMgmtNTPServerUnreachableTrap and apSysMgmtNTPServerUnreachableClearTrap
  • The traps for when NTP service goes down and then again returns are: apSysMgmtNTPServiceDownTrap and apSysMgmtNTPServiceDownClearTrap

Note:

The Oracle® Enterprise Session Border Controller does not support NTP service over wancom0 when that interface is configured for a VLAN.

Setting NTP Synchronization

When the ESBC requires time-critical processing, you can set NTP for time synchronization. Setting NTP synchronizes both the hardware and the software clocks with the reference time from an NTP server that you specify. NTP is most useful for synchronizing multiple devices located on one network, or across many networks, to a reference time standard.

To guard against NTP server failure, NTP is restarted periodically to support the dynamic recovery of an NTP server.

Note that ntp-sync works only by way of the management interface and only on wancom0. Do not configure ntp-sync by way of the media interface or any other port.

To set NTP synchronization:

  1. In the ACLI’s configure terminal section, type ntp-sync and then press Enter to access the NTP configuration.
    ORACLE# configure terminal
    ORACLE(configure)# ntp-sync
    ORACLE(ntp-config)#
  2. To add an NTP server, type add-server, the Space bar, then the FQDN, IPv4, or IPv6 address of the server and then press the Enter key.

    For FQDN configuration, see FQDNs for Time Servers on the ESBC below.

    For example, this entry adds the NTP server at the Massachusetts Institute of Technology in Cambridge, MA:

    ORACLE(ntp-config)# add-server 18.26.4.105
  3. To delete an NTP server, type del-server, the Space bar, and the IPv4 or IPv6 address of the server you want to delete and then press the Enter key.
    ORACLE(ntp-config)# del-server 18.26.4.105

FQDNs for Time Servers on the ESBC

You can configure the ESBC with an FQDN for establishing communications with NTP time servers. This feature supports FQDN resolution through a DNS query over wancom or media interfaces. Having received DNS resolution for the query, the ESBC uses its standard selection process for DNS results to request time synchronization from one of multiple, redundant NTP servers.

The ESBC includes a DNS client that it uses for FQDN resolution purposes within several contexts, including NTP server address resolution. You set the system to use FQDN resolution for NTP servers by configuring the add-server parameter in the ntp-config with an FQDN.

The ESBC includes DNS configuration on network-interface elements to provide resolution services for any specific realm. For NTP, you can specify the realm you want to use to access DNS services within the ntp-config. The system can then use the network-interface configuration associated with that realm to make the DNS queries.

Other elementary ntp-config configuration detail includes:

  • You cannot configure the add-server parameter with both IP addresses and an FQDN.
  • You cannot configure the add-server parameter with multiple FQDNs.
  • A change to a network-interface always requires a reboot for the change to take effect. A change to the ntp-config, which impacts the network-interface, also requires a reboot for changes to take effect.

When configured with an FQDN, the ESBC:

  1. Triggers the time synchronization process either after a reboot or the system's periodic NTP daemon restart.

    Note:

    This is also true when configured with an IP address.
  2. Issues a DNS request out the configured realm. This DNS SRV query uses the _ntp._udp prefix to specify the resolution type.
  3. Receives the SRV response from the DNS server, which includes the associated A records of IP addresses, and may or may not include priority.
  4. Provides its NTP client with the addresses it receives, either ordered by priority or in the same sequence as the DNS response.
  5. Issues an NTP synchronization request to the NTP server(s).
  6. Receives the NTP response.
  7. Synchronizes time.

Important operational detail includes the ability of the ESBC to:

  • Retry NTP server resolution after periodic intervals if the SRV FQDN lookup resolution fails.
  • Retrieve TTL timing for each NTP resolution from the DNS response and retry this connection if and when this timer expires.
  • Update the new IP List if there are any IP changes in the DNS Response.
  • Apply priority provided within the DNS Response to decide the order of IP addresses it attempts to contact.
  • Contact IP addresses using the sequential order presented in the DNS records if there is no priority provided.

Important configuration detail includes:

  • You must configure the dns-ip-primary, dns-ip-backup1 and dns-domain parameters on the realm's network-interface.
  • You must configure the dns-realm parameter when configured for FQDN in your ntp-config. This realm object must be attached to the network-interface with your DNS server configuration, which must be attached to the applicable phy-interface.
  • If you want to use a media interface's realm for NTP SRV FQDN Resolution, you must configure that network-interface for DNS, and you must configure the ntp-config with that realm name.
  • If you want the NTP SRV FQDN resolution to use wancom0, additional configuration detail includes:
    • If you want to reach DNS servers in the same subnet range as the wancom0 address, you must configure the phy-interface name to begin with the “wancom0” prefix and set the operation-type to maintenance.

      For example, the name "wancom0ntp" would be correct.

    • You must create and attach a wancom0 network-interface to a wancom0 phy-interface.
    • You must configure your wancom0 network-interface with the same IP addressing as your boot parameters and include DNS server configuration.

Configuration

You configure this functionality using the add-server parameter within the ntp-config. Required configuration includes setting the add-server parameter to a text name and the realm-id to the realm you want to use for DNS resolution.

ORACLE(configuration)#ntp-sync
ORACLE(ntp-config)#add-server example.ntp.com
ORACLE(ntp-config)#realm-id wancom0realm

You may find it useful to create a realm specifically for this NTP FQDN resolution. Realms exclusively for NTP resolution are supported over both wancom0 and media interfaces. The following steps apply to creating an NTP resolution specific realm over wancom0.

  1. Create a new physical-interface using the text "wancom" as the prefix to its name, and set its operation-type to maintenance.
  2. Create a network-interface for this physical-interface.
    • Configure the network-interface with your DNS Server configuration.
    • Configure the network-interface with the same IP addressing values that you use within your boot parameters.
  3. Create a realm-config and attach it to this network-interface.

Resolution Process

Regardless of the interface you use to perform FQDN resolution for your NTP servers, the ESBC performs the same DNS procedures to get and use the resolutions.

The ESBC uses your configuration to reach DNS servers sequentially. The ESBC extracts server information from the first successful DNS response and drops any subsequent responses. Information extracted for NTP purposes includes:

  • IP address(es) of NTP servers—One or more addresses, based on the responding server's data.
  • Priority—Each IP address can include a priority, which the ESBC uses to establish a connection attempt order. The ESBC uses the sequence of the resolutions in the DNS response when addresses have the same or no priority.
  • Calculated minimum TTL—Each IP address includes a time to live value.

The ESBC establishes the minimum value of the timer and starts it. When the timer expires, the ESBC sends a new SRV-query to refresh its NTP server list. When it receives the response, the ESBC stores the DNS results and rebuilds the NTP list, sorted based on priority or response sequence.

The ESBC behaviors above are dependent on the DNS response:

  • Single IP address received—Priority is irrelevant and the ESBC simply delivers the received address to the NTP daemon.
  • Multiple IP addresses received—The lowest priority value is the highest priority server. For addresses presented with the same priority, the ESBC uses the DNS server list's order as the order to attempt contact with servers.
  • Error/No Response—If the ESBC receives an error response or no response to the SRV-query, it starts an internal DNS retry timer before it attempts to contact the servers. Also, if it finds the primary DNS Server is down, the ESBC retries using your configured backup DNS Servers.
  • TTL below 30 secs—If the ESBC receives TTL that is less than 30 secs for any IP address, it uses 30 seconds as the TTL. This ensures that the system does not become overloaded by an incorrect configuration.
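
The ordering and timer rules described above, modelled as an added Python example (not Oracle's code or part of the original page). The SrvAnswer type, the build_ntp_list name, the 192.0.2.x addresses and the rule that answers without a priority sort after prioritized ones are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_TTL_SECONDS = 30  # TTLs below 30 seconds are raised to 30, as the page states


@dataclass
class SrvAnswer:  # hypothetical container for one resolved NTP server
    address: str
    ttl: int
    priority: Optional[int] = None  # a response may or may not carry priority


def build_ntp_list(answers: List[SrvAnswer]) -> Tuple[List[str], int]:
    """Return (addresses in contact order, seconds until the next SRV query)."""
    if not answers:
        # Error or empty response: the caller falls back to its DNS retry timer.
        raise ValueError("no usable SRV answers")
    # sorted() is stable, so equal or missing priorities keep response order.
    # Assumption: answers without a priority are tried after prioritized ones.
    ordered = sorted(
        answers,
        key=lambda a: (a.priority is None, a.priority if a.priority is not None else 0),
    )
    # Clamp each TTL to the floor, then refresh when the smallest one expires.
    refresh = min(max(a.ttl, MIN_TTL_SECONDS) for a in answers)
    return [a.address for a in ordered], refresh


# Constructed sample response (documentation addresses, not real servers).
SAMPLE = [
    SrvAnswer("192.0.2.10", ttl=300, priority=20),
    SrvAnswer("192.0.2.11", ttl=12, priority=10),   # TTL under the floor
    SrvAnswer("192.0.2.12", ttl=600, priority=10),  # ties keep response order
    SrvAnswer("192.0.2.13", ttl=120),
]

if __name__ == "__main__":
    servers, refresh = build_ntp_list(SAMPLE)
    print("contact order:", servers)
    print("re-query SRV in", refresh, "seconds")
```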

Configuring NTP Using an FQDN - Wancom

These instructions include the specific steps that apply to configuring a wancom interface as the source for synchronizing system time with an NTP server.

Although this is an ACLI procedure, you can perform this procedure using equivalent procedures with supported management interfaces.
You must have enabled the sip-config.
  1. Configure an applicable phy-interface.
    Name your phy-interface using the text “wancom” as its prefix. If you do not, the system throws a verify-config error.
    ORACLE# configure terminal
    ORACLE(configure)# system
    ORACLE(system)# phy-interface
    ORACLE(phy-interface)# name wancom_ntp
    ORACLE(phy-interface)# operation-type Maintenance

    Retain the defaults for all other parameters.

  2. Configure an applicable network-interface.

    Note:

    In a normal network interface setup, the pri-utility-addr and sec-utility-addr parameters are configured. However, for a wancom interface, you must leave these parameters unconfigured.
    Create a network-interface for your phy-interface. Configure that interface with the same ip-address, netmask and gateway used in your system's equivalent boot parameters. The DNS server IP address or addresses and the domain name must be reachable from this network.
    ORACLE(system)# network-interface
    ORACLE(network-interface)# name wancom_ntp
    ORACLE(network-interface)# ip-address 10.196.179.2
    ORACLE(network-interface)# netmask 255.255.128.0
    ORACLE(network-interface)# gateway 10.196.128.1
    ORACLE(network-interface)# dns-ip-primary 10.196.177.83
    ORACLE(network-interface)# dns-domain ntp.com

    Note:

    If your network-interface values are not the same as your system's boot parameters, you lose SSH connectivity.
  3. Configure an applicable realm.
    Create a wancom realm and attach the network-interface.
    ORACLE# configure terminal
    ORACLE(configure)# media-manager
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)# identifier wancom_realm
    ORACLE(realm-config)# network-interfaces wancom_ntp:0.4
  4. Create an NTP Configuration.
    Create an ntp-config using an FQDN and attach the realm.
    ORACLE(configure)# ntp-sync
    ORACLE(ntp-config)# add-server example.ntp.com
    ORACLE(ntp-config)# dns-realm wancom_realm

Configuring NTP Using an FQDN - Media Interfaces

These instructions include the specific steps that apply to configuring a media interface as the source for synchronizing system time with an NTP server.

You can use an existing realm if you have configured its network-interface with DNS parameters. Follow these steps to create a media realm dedicated to NTP services.
You must have enabled the sip-config.
  1. Configure an applicable phy-interface.
    Leave the undocumented parameters at their defaults.
    ORACLE(configure)#system-config
    ORACLE(system-config)#phy-interface
    ORACLE(phy-interface)#name M00
    ORACLE(phy-interface)#operation-type Media
  2. Configure an applicable network-interface and attach it to your phy-interface.
    Create a network-interface for your phy-interface. The DNS server IP address or addresses and the domain name must be reachable from this media interface subnet.
    ORACLE(configure)#system-config
    ORACLE(system-config)#network-interface
    ORACLE(network-interface)#name M00
    ORACLE(network-interface)#sub-port-id 33.4
    ORACLE(network-interface)#ip-address 192.168.203.10
    ORACLE(network-interface)#netmask 255.255.0.0
    ORACLE(network-interface)#dns-ip-primary 192.168.203.1
    ORACLE(network-interface)#dns-domain ntp.com
  3. Configure your realm.
    Create a realm-config and attach the network-interface.
    ORACLE(configure)#media-manager
    ORACLE(media-manager)#realm-config
    ORACLE(realm-config)#identifier ntp_access
    ORACLE(realm-config)#network-interfaces M00:33.4

    Note:

    If you configure an FQDN, such as example.ntp.com, from the add-server parameter, the system adds the prefix _ntp._udp to the DNS request, producing _ntp._udp.example.ntp.com. You must also ensure that the DNS database includes the _ntp._udp prefix.

    Run the command below to verify access to DNS services.

    ORACLE# show dns query access SRV _ntp._udp.example.ntp.com
    DNS Result:
    Query Name -->SRV:_ntp._udp.example.ntp.com
    Answers -->10.196.177.83: 5060/UDP Hl= 100
  4. Configure an NTP configuration.
    Create an ntp-config using an FQDN and attach the realm.
    ORACLE# configure terminal
    ORACLE(configure)# ntp-sync
    ORACLE(ntp-config)# add-server example.ntp.com
    ORACLE(ntp-config)# dns-realm ntp_access

    Run the commands below to verify NTP synchronization and access to the DNS server the ESBC selected.

    ORACLE# show ntp status
    NTP synchronized to server at: 10.196.177.83
    
    ORACLE# show ntp server
    NTP Status Tue Apr 19 10:31:34 GMT 2022
    MS server st poll reach LastRx LastSample
            <LastOffset>[<ActualOffset>]+/-<Error>-- 
    ^ti 10.196.177.83 4 2 377 4 -95us[ -109us] +/- 67ms
    ^- 10.196.177.181 4 2 377 4 -95us[ -109us] +/- 67ms +85us[ +71us] +/- 93ms

Authenticated NTP

The Oracle® Enterprise Session Border Controller can authenticate NTP server requests using MD5. The configured MD5 keys are encrypted and obscured in the ACLI. You configure an authenticated NTP server with its IP address, authentication key, and the key ID. Corresponding key and key IDs are provided by the NTP server administrator.

To configure an authenticated NTP server:

  1. Access the ntp-config configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# ntp-sync
    ACMEPACKET(ntp-config)#
  2. Type select.
    ORACLE(ntp-config)# select
  3. Access the auth-servers configuration element.
    ORACLE(ntp-config)# auth-servers
    ORACLE(auth-servers)#
  4. ip-address — Enter the IPv4 or IPv6 address of the NTP server that supports authentication.
  5. key-id — Enter the key ID of the key you enter in the next step. This value’s range is 1 - 999999999.
  6. key — Enter the key used to secure the NTP requests. The key is a string 1 - 31 characters in length.
  7. Type done to save your work.
  8. Type exit to return to the previous configuration level.
  9. Type done to save the parent configuration element.
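
What the key and key ID configured above do on the wire, as an added Python example (not Oracle's code or part of the original page). It assumes the ESBC uses the standard NTP symmetric-key MAC layout from RFC 5905, a 32-bit key ID followed by the MD5 digest of the key and packet header; the function names, the sample key and key ID 42 are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, no extension fields
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest


def check_auth_server(key_id: int, key: str) -> None:
    """Enforce the ranges the page gives for key-id and key."""
    if not 1 <= key_id <= 999999999:
        raise ValueError("key-id must be in the range 1 - 999999999")
    if not 1 <= len(key) <= 31:
        raise ValueError("key must be 1 - 31 characters long")


def ntp_md5_mac(key_id: int, key: str, header: bytes) -> bytes:
    """Key ID plus MD5(key || header), the classic NTP symmetric-key MAC."""
    check_auth_server(key_id, key)
    digest = hashlib.md5(key.encode("ascii") + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, keys: dict) -> bool:
    """Accept a packet only if its key ID is known and the digest matches."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False  # unauthenticated or malformed
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return False  # key ID not configured on this side
    return hmac.compare_digest(ntp_md5_mac(key_id, key, header), mac)


# Constructed sample: LI=0, VN=4, mode=4 (server) and an otherwise empty header.
SAMPLE_HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)
SAMPLE_KEYS = {42: "constructed-sample-key"}

if __name__ == "__main__":
    good = SAMPLE_HEADER + ntp_md5_mac(42, SAMPLE_KEYS[42], SAMPLE_HEADER)
    print("valid MAC accepted:", verify_packet(good, SAMPLE_KEYS))
    altered = bytes([0x24, 0x01]) + good[2:]  # stratum byte changed in transit
    print("altered packet accepted:", verify_packet(altered, SAMPLE_KEYS))
```

A mismatch in either the key or the key ID makes verification fail, which is why both values must come from the NTP server administrator.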

Monitoring NTP from the ACLI

NTP server information that you can view with the show ntp server command tells you about the quality of the time being used in terms of offset and delay measurements. You can also see the maximum error bounds.

When you use this command, information for all configured servers is displayed. Data appears in columns that are defined in the table below:

Display Column: Definition

  • server: Lists the NTP servers configured on the Oracle® Enterprise Session Border Controller by IP address. Entries are accompanied by characters:
    • Plus sign (+)—Symmetric active server
    • Dash (-)—Symmetric passive server
    • Equal sign (=)—Remote server being polled in client mode
    • Caret (^)—Server is broadcasting to this address
    • Tilde (~)—Remote peer is sending broadcast to *
    • Asterisk (*)—The peer to which the server is synchronizing
  • st: Stratum level—Calculated from the number of computers in the NTP hierarchy to the time reference. The time reference has a fixed value of 0, and all subsequent computers in the hierarchy are n+1.
  • poll: Maximum interval between successive polling messages sent to the remote host, measured in seconds.
  • reach: Measurement of successful queries to this server; the value is an 8-bit shift register. A new server starts at 0, and its reach augments for every successful query by shifting one in from the right: 0, 1, 3, 7, 17, 37, 77, 177, 377. A value of 377 means that there have been eight successful queries.
  • delay: Amount of time a reply packet takes to return to the server (in milliseconds) in response.
  • offset: Time difference (in milliseconds) between the client’s clock and the server’s.
  • disp: Difference between two offset samples; error-bound estimate for measuring service quality.

View Statistics

To view statistics for NTP servers:

  1. At the command line, type show ntp server and press Enter.
ORACLE# show ntp server
NTP Status                                    FRI APR 11:09:50 UTC 2007
 server                 st  poll  reach   delay    offset     disp
----------------------- --  ----  ------  -------  --------   ---------
*64.46.24.66             3    64     377  0.00018  0.000329   0.00255
=61.26.45.88             3    64     377  0.00017  0.002122   0.00342
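
A monitoring check over this output, as an added Python example (not Oracle's code or part of the original page). It decodes the octal reach register and flags servers whose reach is 0, the condition the page ties to the unreachable trap; the two 192.0.2.x rows are constructed, and the reading of a 0 bit as a missed poll follows standard NTP behaviour rather than anything stated on the page.

```python
import re

# Tally character, server, st, poll, then the octal reach column.
ROW = re.compile(r"^\s*([*+\-=^~])\s*(\S+)\s+(\d+)\s+(\d+)\s+([0-7]{1,3})\b")


def decode_reach(octal_text):
    """Interpret the 8-bit reach shift register printed in octal."""
    reg = int(octal_text, 8) & 0xFF
    return {
        "successes": bin(reg).count("1"),   # good polls among the last eight
        "last_poll_ok": bool(reg & 1),      # newest poll is the rightmost bit
        "unreachable": reg == 0,            # matches the trap condition
    }


def audit(output):
    """Return one finding per server row in 'show ntp server' output."""
    findings = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or separator line
        tally, server, _st, _poll, reach = m.groups()
        findings.append({"server": server, "selected": tally == "*",
                         "reach": reach, **decode_reach(reach)})
    return findings


# First two rows are the page's sample; the last two are constructed.
SAMPLE = """\
NTP Status                                    FRI APR 11:09:50 UTC 2007
 server                 st  poll  reach   delay    offset     disp
----------------------- --  ----  ------  -------  --------   ---------
*64.46.24.66             3    64     377  0.00018  0.000329   0.00255
=61.26.45.88             3    64     377  0.00017  0.002122   0.00342
=192.0.2.50              3    64       0  0.00000  0.000000   0.00000
=192.0.2.51              3    64     176  0.00021  0.001004   0.00410
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "UNREACHABLE" if f["unreachable"] else f"{f['successes']}/8 polls ok"
        print(f"{f['server']:<15} reach={f['reach']:>3} {state}")
```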

You can see the status of NTP on your system by using the show ntp status command. Depending on the status of NTP on your system, one of the following messages will appear:

  • NTP not configured
  • NTP Daemon synchronized to server at [the IP address of the specific server]
  • NTP synchronization in process
  • NTP down, all configured servers are unreachable

View Status

To view the status of NTP on your Oracle® Enterprise Session Border Controller:

  1. At the command line, type show ntp status and press Enter.
    ORACLE# show ntp status