Testing NTP for Cameras

chrisexr

n3wb
Joined
Jul 30, 2021
Messages
5
Reaction score
0
Location
SG
Hi all,

Having issues keeping the time sync persistent for the IP cams in the network. I set up an NTP server following instructions online and am fairly certain it is working, but the IP cams don't seem to be able to talk to it. Is there any way or tool that I can use to test if a connection is established between both cam and server?

Thanks.
 

Teken

Known around here
Joined
Aug 11, 2020
Messages
1,568
Reaction score
2,815
Location
Canada
I would check the cameras' logs, if available, to see if this metric is captured. If so, it will provide more insight about failed to connect vs. last successful NTP update.

Almost all cameras have a test or update now button. If you select whatever is available and it doesn’t update, you know there’s a problem. This can range from wrong IP or port to firewall rules in place.

It could also be the NTP Server isn’t set up correctly.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,309
Reaction score
3,294
Location
United Kingdom
When one of my cams' clock drifted it took me a while to figure out. I had set the wrong IP address for the NTP server, but I must have looked at the setting a hundred times and just couldn’t see the difference between 192.1680.30 and 192.168.1.30. It should have been set to the latter, so check to make sure you’ve specified the correct IP address.
 

thejonb

Getting the hang of it
Joined
Nov 12, 2018
Messages
10
Reaction score
25
Location
SC
Actually had a similar issue I solved earlier today...I am pointing to pool.ntp.org with firewall rules. The thing that fixed it for me was to update the DNS server in the camera network settings.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,035
Reaction score
940
Location
CT
Need more info here. What computer is running NTP? Is it Windows, and have you opened UDP port 123 outbound in the Windows firewall so that it can talk to an external time server? What external time server are you using? Have you logged into each camera and changed the IP address of the NTP server to point to the IP of your NTP server?


 

chrisexr

Hi all,

Thanks for the replies. I am using an Ubuntu 18.04 computer to act as the NTP server.

For the port and firewall, I have these lines:

123/udp ALLOW Anywhere
123/udp (v6) ALLOW Anywhere (v6)

Running ' sudo nmap -sT -sU -p 123 localhost ' returns me:

PORT STATE SERVICE
123/tcp closed ntp
123/udp open ntp

Is there a chance that the port is open but it isn't listening?

I have double-checked the IP address in the camera as well and am pretty sure it is correct; I can also ping the cameras from the NTP server. The camera logs are not very helpful, as they are all 'event begin' and 'event end', which I believe refers to motion detection by the camera. There is no test button unfortunately, only sync time and save setting. I would check the NTP checkbox, but it becomes unchecked in a couple of minutes' time and the time drift returns.

I set the external time server in the /etc/ntp.conf file to these:

server 0.asia.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org

Running ' sudo ntpdate -u 0.asia.pool.ntp.org ' returns:

31 Jul 15:09:50 ntpdate[31308]: adjust time server 133.243.238.243 offset -0.000535 sec

So I assume it can speak to external time servers. I used a spare laptop to do a 'ntpdate -u ' to my NTP server's IP and it returns the adjust time server message as well.

Actually had a similar issue I solved earlier today...I am pointing to pool.ntp.org with firewall rules. The thing that fixed it for me was to update the DNS server in the camera network settings.
May I ask how did you do this updating? From what I could find, the camera has a primary dns and secondary dns server under the tcp/ip settings (both at 0.0.0.0)
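
One way to answer the question in the post above (is the port open but nothing useful answering?), as an added example that is not part of the original thread: a minimal SNTP client in Python that sends one request to UDP 123 and decodes the reply header a camera would see. The `usable` rule and the constructed `SAMPLE_UNSYNCED` packet are assumptions of this example.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(now=None):
    """48-byte client request: LI=0, VN=3, Mode=3, transmit timestamp set."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_DELTA) & 0xFFFFFFFF
    return struct.pack("!B39xII", (3 << 3) | 3, secs, int((now % 1) * 2**32))

def parse_reply(data):
    """Decode the header fields that decide whether a client accepts the reply."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    info = {"leap": data[0] >> 6, "version": (data[0] >> 3) & 7,
            "mode": data[0] & 7, "stratum": data[1],
            "server_time": secs - NTP_DELTA + frac / 2**32}
    # A daemon that is listening but not yet synced upstream answers with
    # leap=3 and stratum 0 or 16: the port looks open, but SNTP clients are
    # expected to discard such a reply.
    info["usable"] = (info["mode"] == 4 and info["leap"] != 3
                      and 1 <= info["stratum"] <= 15)
    return info

def probe(server, port=123, timeout=3.0):
    """Send one request; socket.timeout means nothing answered on UDP 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, port))
        data, _ = s.recvfrom(512)
    info = parse_reply(data)
    info["offset_vs_local"] = info["server_time"] - time.time()  # rough, ignores RTT
    return info

# Constructed sample (not from the thread): reply from a daemon that is up but
# unsynchronized (LI=3, VN=3, Mode=4, stratum 0). Used when no address is given.
SAMPLE_UNSYNCED = bytes([0xDC, 0]) + bytes(38) + struct.pack("!II", 3836704190, 0)

if __name__ == "__main__":
    # Usage: python3 ntp_probe.py <ntp-server-ip>
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_reply(SAMPLE_UNSYNCED)
    print(result)
```

Run it from a machine on the same switch as the cameras: a timeout points at the network path or firewall, while a reply with `usable` false points at the NTP daemon itself.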
 

mikeynags

Anything in the NTP server logs that show the cameras requesting a time synch?
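
When the daemon's own log shows nothing, a packet capture on the server (for example `sudo tcpdump -n udp port 123`) shows the same thing directly. The following is an added example, not part of the original thread: Python that summarizes such a capture per camera. The addresses and capture lines are constructed, and the three verdict names are this example's own.

```python
import re
from collections import defaultdict

# Matches tcpdump -n output for NTP, e.g.
# "15:10:01.000001 IP 192.168.1.64.123 > 192.168.1.30.123: NTPv3, Client, length 48"
NTP_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: NTPv\d, (Client|Server)")

def summarize(lines, server_ip):
    """Count requests each host sent to server_ip and the replies it got back."""
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in lines:
        m = NTP_LINE.search(line)
        if not m:
            continue
        src, dst, role = m.groups()
        if role == "Client" and dst == server_ip:
            counts[src]["requests"] += 1
        elif role == "Server" and src == server_ip:
            counts[dst]["replies"] += 1
    return {ip: dict(c) for ip, c in counts.items()}

def diagnose(counts, cameras):
    """Classify each expected camera by what the capture shows."""
    verdicts = {}
    for ip in cameras:
        c = counts.get(ip, {"requests": 0, "replies": 0})
        if c["requests"] == 0:
            verdicts[ip] = "silent"      # never asked: wrong server IP, NTP off, or blocked
        elif c["replies"] == 0:
            verdicts[ip] = "unanswered"  # asked, no reply: check ntp.conf restrict lines, firewall
        else:
            verdicts[ip] = "answered"    # exchange works: look at the camera's own handling
    return verdicts

# Constructed capture (not from the thread): server 192.168.1.30, three cameras,
# plus the server's own upstream sync with 203.0.113.10, which is ignored.
SERVER = "192.168.1.30"
CAMERAS = ["192.168.1.64", "192.168.1.65", "192.168.1.66"]
SAMPLE = """\
15:10:01.000001 IP 192.168.1.64.123 > 192.168.1.30.123: NTPv3, Client, length 48
15:10:01.000310 IP 192.168.1.30.123 > 192.168.1.64.123: NTPv3, Server, length 48
15:10:05.000001 IP 192.168.1.65.4021 > 192.168.1.30.123: NTPv3, Client, length 48
15:10:37.000001 IP 192.168.1.65.4021 > 192.168.1.30.123: NTPv3, Client, length 48
15:11:02.000001 IP 192.168.1.30.123 > 203.0.113.10.123: NTPv4, Client, length 48
15:11:02.040001 IP 203.0.113.10.123 > 192.168.1.30.123: NTPv4, Server, length 48
""".splitlines()

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE, SERVER), CAMERAS))
```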


 

Teken

May I ask how did you do this updating? From what I could find, the camera has a primary dns and secondary dns server under the tcp/ip settings (both at 0.0.0.0)
You can use your default gateway from your router / modem or enter the following known public DNS servers 9.9.9.9 & 8.8.8.8
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,469
Reaction score
2,473
Location
USA
Looks like Ubuntu is successfully running the NTP service.

Consider removing DNS as a possible issue as it relates to your cams. If your Ubuntu box is part of your home network, try entering the Ubuntu IP in the time server field of the camera, if you have not done so already.
 

IAmATeaf

Actually had a similar issue I solved earlier today...I am pointing to pool.ntp.org with firewall rules. The thing that fixed it for me was to update the DNS server in the camera network settings.
So are your cams time syncing with the internet? My cams have no access to the internet and are all set to time sync with a local desktop which is my BI machine.
 

thejonb

@chrisexr - Please see below for screenshot. Like @Teken said, just point to the router. I am not using a public DNS since my cameras cannot reach the internet - that and I am using PiHole. The PiHole DNS settings are on my router, although you could point directly to that IP in the camera settings.

Camera_Network_Settings.png Camera_General_Settings.png

@IAmATeaf - Yes - I am in the process of setting up new system. Old system pointed to BI machine but I also had the time drift and couldn't find a fix.

In my v2 setup I have upgraded my router and switch to Unifi gear. Now I am using VLANs and firewall rules to control traffic. I have three primary networks: Main, IoT, and NoT. Cameras and dumb stuff that doesn't need internet goes on NoT. I'll be more than glad to go into specifics but don't want to hijack the thread. In short, firewall rules (using groups or specific IPs and specific ports):

Allow established/related
Allow Main to all VLANS
Allow all local to DNS
Allow all local to NTP
Allow NoT to MQTT
Drop all inter VLAN
Drop all NoT

So far this allows my NoT network to access NTP but nothing else. Still a WIP as I am slowly trying to lock down IoT devices based on our use and convert these to be NoT devices.
 

SpacemanSpiff

It was my understanding that you're creating your own (local) NTP server to facilitate keeping your cameras in sync. Yet your screenshot shows your camera pointing to the internet for NTP services.

Is your NTP (Ubuntu) server also your PiHole server?

Test one of your cams: enter the IP address of your NTP server in the NTP Server field on the camera.
 

mikeynags

You can use your default gateway from your router / modem or enter the following known public DNS servers 9.9.9.9 & 8.8.8.8
Why would he point there? Those are DNS IP addresses, not NTP.


 

Teken

Why would he point there? Those are DNS IP addresses, not NTP.


I provided that information to the OP because he asked. Given his NTP server is going out to the Internet and his DNS shows 0.0.0.0, it’s a logical troubleshooting step to see what the results are.

If the target computer is believed to have stale or bad DNS entries I would have also suggested a flush DNS and renew. As another member noted, the IP address of the Linux server hosting the NTP server should have been used.

Given not a lot of facts are being provided up front, it’s everyone throwing out ideas in hopes of finding a break fix / end solve!

If I was standing there, the first thing I would do is validate a single camera can reach out to the internet by using a known NTP server.

If so, great, move forward. If not, identify root cause and move forward. When the network topology hasn’t been made known to the general public it’s just throwing things out to see if it sticks.

When firewalls, VLANs, double NAT and self-hosted services are present it’s going to be a shit show to determine.

People need to follow KISS.
 

mikeynags

OK - don't see where the DNS was returning 0.0.0.0. Above, on the sudo ntpdate command, he gets a response of 133.243.238.243, so it reads as though the DNS name resolution was working OK. I was also assuming that the cams were pointed to the internal NTP box. I don't believe we ever got confirmation on the cams pointing to the internal NTP box or anything on the logging. Agreed on trying to reverse engineer what someone has built without all the details :)
 

chrisexr

Thanks for the help everyone.

This is a lot of info to process. Sorry, but these networking things aren't really my strong suit.
May I ask what is an internal NTP box? Is it referring to my Ubuntu machine?

How the cams are connected:
My cams are connected via LAN cables to a switch, which are then connected to my Ubuntu machine (with NTP server installed) and router.

I changed the DNS settings with the primary pointing to the Ubuntu machine (192.1682.101) but the time still drifted. Do I have to configure anything on the router instead?

Screenshot from 2021-08-01 13-17-40.pngScreenshot from 2021-08-01 15-53-39.png


I googled for pihole and I am certain I don't have that on my Ubuntu.

Anything in the NTP server logs that show the cameras requesting a time synch?


Sorry to ask this, but how do I set up the logs? I googled a bit and now have the 'logfile /var/log.ntp.log' line in the ntp.conf and created the corresponding log file as well. No logs came into the log file.
 


mikeynags

Did you restart the NTP service after making the log file changes to the config?
 

SpacemanSpiff

In your last post you mention:
...
May I ask what is an internal NTP box? Is it referring to my Ubuntu machine?
I will answer you with your own previous post:

Hi all,

Thanks for the replies. I am using an Ubuntu 18.04 computer to act as the NTP server.
According to your own posts, you are running an NTP server on Linux Ubuntu 18.04.

Have you entered the IP address of the Ubuntu machine in the NTP Server field on the camera yet?
 

Teken

I would also add the DNS address should be confirmed. On a Windows computer open the command prompt: CMD

Enter: ipconfig, or ipconfig /all to see more verbose details. Generally speaking the DNS will come from the router / ISP modem. There’s nothing stopping anyone from using a public DNS such as Quad Nine 9.9.9.9, as this service and others provide an extra layer of security, reliability indexing, and fault tolerance.

Many use Google's public DNS such as 8.8.8.8 / 8.8.4.4 for the same reasons.

As it pertains to NTP addresses you should have no less than three NTP servers that are validated as operating with high accuracy and offer low latency. Meaning your local Linux NTP server should have at least three different servers besides the same Asia one.

There are at least four ways to obtain accurate time keeping; many rely on NTP. The vast majority simply rely on their system being able to go out to the internet and connect to a known NTP server. Next is what you’re doing, which is propping up a local NTP server that relies on the Internet to again connect and sync to a reliable NTP server.

When people are really serious they use a local NTP server that connects to orbital GPS satellites. Going this route negates the need for any internet connection and increases security tenfold as there is zero reliance on anyone besides the GPS satellites orbiting the Earth.

Sometimes people will incorporate Internet-based NTP servers to provide an extra layer of redundancy and failover in case of bad weather impacting the GPS antenna.

Going this route offers an extremely robust time keeping system that your home's electronics can rely on.

Government and large institutions build and use the so-called Atomic Clock which we all rely upon to keep time.

Regardless of what NTP server you use, keep in mind your system should never ping and try to connect in short intervals, because different services can and will block your connection if they believe you're trying to DDoS their network.
 