Knowledgebase : Network Time Servers (NTS) > NTS-6002

This is the Hardware Manual for the NTS-6002.

It will provide information regarding the installation and setup of the hardware.

It also covers debugging and troubleshooting the unit.

This is the Web Configuration Manual for the NTS-6002.

It will provide information regarding the setup and configuration of the unit, including the default username and password for the web interface.

This article provides useful information for our customers who wish to setup their devices in redundancy mode. Please note that the information in this article applies to the NTS-6001 and 6002 units only, running Firmware 11 or higher.

If your time server is running a software version older than version 11, you will need to upgrade your device to the latest firmware. The latest firmware brings with it the latest in security, stability and bug fixes. Upgrade instructions can be found here:

NTS-6002 Upgrade Instructions

NTS-6001 Upgrade Instructions

Below are a few redundancy features that our NTP servers offer:

(A)
Teaming
- This method enables both network cards in your NTS-6002 or 6001 to work together as one single card. This provides more bandwidth for the network and redundancy for your NTP server. There are 2 redundant modes for Teaming: Load Balancing and Failover. Load balancing will step in if one network card is under more stress than the other network card. In this case, load balancing will send data to the other network card and effectively balance the load between both network cards. Failover kicks in if one network suddenly becomes offline for whatever reason. Failover will use the second network until the first network is back online. Also, if in rare circumstances the network card becomes faulty, the second network card will take over. Load balancing and failover are both on by default when Teaming is enabled on your NTP server.

(B) Peering – Peering your NTP server to one or more time servers means that if your server loses connection with its antenna, it would synchronise to the peered time server via the Network Time Protocol. In theory, this should prevent disruption to client(s) that your NTP server is serving. What’s good about this option is that you don’t need to purchase another Network Time Protocol server, you could configure peering to a public time server (such as; pool.ntp.org). Providing your server has access to the Internet, this should work fine.

(C) Using Two Time Sources with your NTP server – This method requires two antennas. Here at Galleon Systems, we offer dual time-source NTP servers. Specifically, the NTP server will have both a GPS and Radio antenna connected to it. The NTP server will always favour GPS as a time-source as it is more reliable and accurate than the radio time-source. However, if for whatever reason, the server was to lose connection with its GPS antenna, the unit should switch to the radio time source. MSF is the radio signal for the UK (the signal originates from Cumbria), DCF for Frankfurt, Germany and WWVB for North America.


(A) How to enable Teaming

  1. Navigate to the web interface and login with your credentials. Ensure your device is running software version 11 or above by navigating to the Software Versions page, which is under the Administration tab in the web interface (if you have an NTS-6002, your device will be on version 11).
  2. Ensure you have connected both Ethernet cables which should lead to different switches or routers. Navigate to the Teaming page which is under the Network tab. Enter your network information. For fault tolerance and load balancing, ensure the bond mode is set to 'balance-rr'. Once you have finished configuring the unit, click 'Enable Teaming'.

For changes to take effect, you will need to restart the unit. To confirm if the changes have been taken effect, log into the web interface and view the 'Dashboard'. You should see 'Bonded Network' and all the relevant network information. This can be seen in the print screen below.


(B) How to configure Peering

To peer your NTP server to one or more NTP servers, you need to ensure that the NTP servers can reach each other. If you are peering to an Internet time server, ensure your NTP server has Internet access. You can verify reachability by using the Ping tool which is under the Network Tools tab. If your NTP server is going through a firewall, ensure port 123 over UDP is allowed on your Firewall.

  1. Navigate to the web interface and login with your credentials. From the navigation menu on the left click 'NTP' and then 'NTP Customisation'.
  2. You will now need to type in the IP address of the other NTP Server. Type the following command without quotes 'server 192.168.0.2' and replace the IP in this statement with the IP or hostname of the second NTP Server. If you are peering your NTP server to a pool (for example: pool.ntp.org), the statement would be ‘pool pool.ntp.org’. Replace the hostname in this statement with the hostname or IP of the pool. Once you have completed this step, you can verify if the peer was successful by following the steps below.

Verifying if your NTP server is being assisted

You can confirm if the peering was successful by logging into the web interface and clicking 'NTP' and 'NTP Status'. If there is a '*' next to the IP, it means that this is the current time source. The '+' refers to an NTP Server that is assisting you. If there is a ‘+’ next to the IP address or hostname of the NTP server that you configured peering with, it means you have peered the NTP servers together successfully. You can refer to the screenshot below for more information.

An 'X' is used to indicate an NTP server that has lost connection with its time source, as shown in the print screen below.


(C) Using Two Time Sources with your NTP server

Contact Galleon Systems if you wish to purchase another antenna for your NTP server. Please note that we can only guarantee compatibility with a Galleon NTP server. For more information, fill in our contact form: http://www.galsys.co.uk/contact/


If you have GPS:

1. Navigate to the Web Interface and login with your credentials.

2. From the navigation menu, select Logs and click GPS Antenna Debug.

3. Select Enable Debug. Allow the debugger to run for atleast 1 minute.

4. Select Download Log to download the debug logs to your computer.


If you have Radio:

1. Navigate to the Web Interface and login with your credentials.

2. From the navigation menu, select Logs and click Radio Antenna Debug.

3. Select Enable Debug. Allow the debugger to run for atleast 1 minute.

4. Select Download Log to download the debug logs to your computer.


GPS Debugging Information

When debugging, the following information should be printed on screen:

Jan 19 09:40:40 nts-6002 daemon.debug gpsclkd[820]: Received $GPRMC data 2016/1/19 09:40:40 UTC
Jan 19 09:40:40 nts-6002 daemon.debug gpsclkd[820]: Decoding NMEA string: $GPRMC,094040.000,A,5228.5990,N,00146.2345,W,0.00,,190116,,,A*6E
Jan 19 09:40:39 nts-6002 daemon.debug gpsclkd[820]: Received $GPRMC data 2016/1/19 09:40:39 UTC
Jan 19 09:40:39 nts-6002 daemon.debug gpsclkd[820]: Decoding NMEA string: $GPRMC,094039.000,A,5228.5990,N,00146.2345,W,0.00,,190116,,,A*60
Jan 19 09:40:38 nts-6002 daemon.debug gpsclkd[820]: Received $GPRMC data 2016/1/19 09:40:38 UTC
Jan 19 09:40:38 nts-6002 daemon.debug gpsclkd[820]: Decoding NMEA string: $GPRMC,094038.000,A,5228.5990,N,00146.2345,W,0.00,,190116,,,A*61
Jan 19 09:40:37 nts-6002 daemon.debug gpsclkd[820]: Received $GPRMC data 2016/1/19 09:40:37 UTC

Below is a breakdown of what each string means:

  • $GPRMC - The string will always start with this.
  • 094040 - This is the UTC timestamp in the string. In this case it is 09:40:40
  • A - An A here indicates that the GPS antenna is synchronised to at least 3 satellites. If this is a V then the antenna does not have a lock on 3 satellites yet
  • 5228.5990,N,00146.2345,W - These are your GPS coordinates and are not used by the timeserver
  • 190116 - The current date. In this case it is the 19th January 2016.

If no information is printed to the screen this can indicate either a wiring issue or an antenna problem. If you receive garbled data then this would usually indicate a wiring issue.

If your $GPRMC string contains a V instead of an A then your antenna is not synchronised yet. It can take up to 48 hours to initially synchronise.

Once you have debugged your unit, it is recommended to disable debugging as it can introduce some latency to the GPS parsing.


Radio Debugging Information for MSF

When debugging using the Radio debug, the following information should be printed on the screen:

Jan 19 17:17:00 nts-6002 daemon.debug radioclkd[828]: Decoding MSF: 5111111111111111111112122111112122112121121222112122212232321 [60]
Jan 19 17:16:00 nts-6002 daemon.debug radioclkd[828]: Decoding MSF: 5111111111111111111112122111112122112121121222112122112232221 [60]
Jan 19 17:15:00 nts-6002 daemon.debug radioclkd[828]: Decoding MSF: 5111111111111111111112122111112122112121121222112121212232221 [60]
Jan 19 17:14:00 nts-6002 daemon.debug radioclkd[828]: Decoding MSF: 5111111111111111111112122111112122112121121222112121112232321 [60]

When debugging using the Radio Debugger, the above information should be printed on screen.

  • Decoding MSF - Converting the MSF signal into a language that can be understood.
  • 5 - If your device has a strong signal, it will always start with the number 5.
  • 111222 - These numbers represent the pulse per second.
  • [60] - The total number of pulses per second. 60 represents a valid signal for MSF. Anything less than 60 for MSF means that the signal is invalid.

If there is no pulse per second data printed to the screen then this can indicate either a wiring issue or an antenna problem. If you have less pulses per second then this can indicate poor signal strength in your area or interferance with the antenna.

Once you have debugged your unit, it is recommended to disable debugging as it can introduce some latency to the Radio parsing.

This article contains upgrade instructions for the NTS-6002.

(A) Upgrading via the web interface

1. Log into the Web Interface and navigate to Administration. Select Backup.

2. Click Create Backup and download the backup file to your computer.

3. Download the firmware file from here.

4. From the Web Interface, select Administration from the navigation menu on the left.

5. Select Firmware Update and select the upgrade file.

6. Click the Update button.

The device will now perform the upgrade. Please allow 1 minute for the device to upgrade.

To verify the upgrade was successful, click Software Versions under the Administration tab. Under Operating System, confirm 4.14.14-Galleon-NTS-6002.V12 - #3 is displayed.

For Release Notes, please click here.

This update is available for the following units:

NTS-6002 Firmware: http://box.galsys.co.uk/firmware/nts-6002-firmware.zip

Click here for NTS-6002 upgrade instructions.


NTS-6001 Firmware: http://box.galsys.co.uk/firmware/nts-6001-firmware.zip

Click here for NTS-6001 upgrade instructions.

Please note NTS-6001 units with firmware version eight or below are no longer supported and cannot use this update.


Firmware 12#3

Release Date: 29/01/2018

  • Fixed an issue with Teaming where the system would prevent the user from changing the bond mode.
  • Fixed an issue with the Teaming page not reflecting the current Teaming settings.
  • Resolved a bug where GPS/Radio debugging would not output to the screen due to a bad Mime type.
  • Updated the certificate model to add the CN to the subject alternate names to prevent certificate errors.
  • Fixed an issue where, upon logging in via FQDN, the system would redirect from FQDN to IP address.
  • Fixed an issue with the NMEA Log not displaying errors correctly.
  • Added a Configure SSL page under Administration that will allow users to choose from Secure SSL Configuration and Compatibility Configuration. Secure SSL Configuration will support the TLSv1.2 protocols and modern cipher suites. Compatibility configuration supports the TLSv1.2, TLSv1.1 and TLSv1 protocols along with older SSL cipher suites for compatibility with older clients.
  • Applied mitigations against the Meltdown vulnerability (CVE-2017-5754).
  • Added secure flag to Cookies.
  • Updated Nginx to 1.12.1
  • Updated OpenSSH to 7.6p1
  • Updated OpenSSL to 1.0.2m
  • Updated PHP to 7.1.11
  • Updated CodeIgniter to 3.1.7

Firmware 12#1

Release Date: 13/04/2017

  • XSS headers added to Ngnix
  • Software update available notification added to Dashboard header
  • Incorrect logins recorded under Authentication Log now show in red
  • Updated the leap-seconds.list file to account for the upcoming leap second
  • Updated the Linux kernal to 4.10.9
  • Updated Nginx to 1.10.3
  • Updated OpenSSH to 7.5p1
  • Updated OpenSSL to 1.0.2k
  • Updated NetSNMP to 5.7.3
  • Updated PHP to 7.1.3
  • Updated CodeIgniter to 3.1.4

NTP has been updated to 4.2.8p10@1.3728-o which has the following fixes:

This article will show you how to set up NTP Authentication on your NTS-6002 or 6001.

Note: This article is aimed at NTS-6002/6001 running Firmware 11 or higher. If your unit is running an older firmware, we recommend upgrading the firmware on your unit:

NTS-6002 Upgrade Instructions

NTS-6001 Upgrade Instructions


NTP Authentication allows clients to verify that the time server is trusted before using it as a time source. This prevents clients from applying time from rogue NTP servers on your network. Read our NTP Authentication Explained article for more information.

1. In your time server's web interface, navigate to the NTP Keys page, located under the NTP Tab.

2. Click Generate Keys to generate a subset of random keys and click Update.

3. Navigate to the NTP Customisation page, located under NTP. Define the following parameters:

  • trustedkey - defines which key IDs to trust
  • requestkey - defines which key IDs can be used to query server variables
  • controlkey - defines which key IDs can be used to set server variables

For example:
trustedkey 1 2 5 7 12
requestkey 12
controlkey 12

Type the following in the NTP Customisation page: server <IP> key <key ID>

In the above server statement, specify the IP of the client that you wish to set up authentication with and the ID of the key you wish to use with the client. You will need to add multiple lines for each client you wish to set up NTP Authentication with.

Note: Ensure the key ID you specified is a trusted key.

Your NTP Customisation page should look similar to this:

Click Update to save the changes.

4. You now need to configure NTP Authentication on your client. We recommend referring to your client's documentation for this as the process of setting up NTP Authentication varies depending on the client. Note: ensure the keys on both the server and client match and are defined as trusted.

5. After you have configured NTP Authentication on the client, restart the NTP service on your client to apply any configured settings. You can use ntpq -p to monitor the progress of synchronisation. Note that synchronisation does not occur instantly, it does take some time. In my case, my Ubuntu virtual machine took around ten minutes to synchronise.

Once you have configured NTP Authentication on your clients, you can configure the server and client to ignore all NTP packets that are not cryptographically authenticated. Do this by adding the following lines to the NTP Customisation page in your time server's web interface and the ntp.conf file on your client:
restrict default notrust
restrict -6 default notrust

Note: if you are using 'notrust', it is possible to exclude certain devices from NTP Authentication. Type the following in the NTP Customisation page:
restrict <IP> notrap nomodify nopeer noquery

Add the IP of your client in the above statement. This will override the behaviour of the 'notrust' statement and should allow the clients you specified to synchronise to the NTP server without NTP Authentication.

If NTP Authentication is working, you should see output like this on the client:

Firmware 11#10

Release Date: 14/12/2016 

  • Fixed a potential issue when calculating delay with radio clocks (MSF, DCF, WWVB)
  • Updated the leap-seconds.list to account for the upcoming leap second
  • Updated Nginx to 1.10.2
  • Updated PHP to 7.0.14
  • Updated OpenSSH to 7.3p1
  • Updated OpenSSL to 1.0.2j
  • Updated the Linux kernel

NTP has been updated to 4.2.8p9 which has the following fixes:


Firmware 11#9

Release Date: 14/06/2016 

  • Updated the SSL ciphers used by the web server to be more up-to-date
  • Fixed an issue with IPv6 connectivity to the web interface
  • Hostname added to eth0 + eth1 + bond
  • Fixed the Dashboard showing a network speed of -1 Mbps when an interface is not configured
  • Added verification of SSL certificate to ensure the certificate is valid for the server
  • Updated NTP to 4.2.8p
  • Updated nginx to 1.10.1
  • Updated PHP to 7.0.7
  • Updated OpenSSL to 1.0.2h
  • Updated the Linux kernel

Firmware 11#8

Release Date: 20/04/2016  

  • Fixed a security issue where the ping and traceroute fields could execute code on the server
  • Fixed a rare issue where some users were not able to login to SSH
  • Updated PHP to 5.6.20
  • Updated OpenSSL to 1.0.2g
  • Updated OpenSSH to 7.2p2

Firmware 11#7

Release Date: 10/02/2016  

  • OpenSSL has been updated to 1.0.2f
  • An issue was found in DCF and WWVB where, in some rare cases, the unit would not synchronise.

NTP has been updated to 4.2.8p6 which has the following fixes:

Additionally, mitigations are published for the following two issues:


Firmware 11#6

Release Date: 18/01/2016

  • Fixed a bug where users were not able to set the gateway for the second network card if both were in use.
  • Fixed a bug where users were not able to use the backslash (\) character in NTP keys.
  • Fixed an issue where the display could stop displaying messages.
  • Fixed a rare issue where the web interface would show ‘Unsynchronised’ when it actually was synchronised.
  • Fixed an issue with Radio-Only (MSF, DCF, WWVB), units falling out of sync and not resynchronising.
  • Under Software Versions, the full firmware version is displayed.
  • Updated OpenSSH to 7.1p2
  • Updated OpenSSL to 1.0.2e
  • Updated PHP to 5.6.16

Updated NTP to 4.2.8p5 which has the following fixes:

NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016:

  • NtpBug2956: Small-step/Big-step CVE-2015-5300
  • Bug #2829 Clean up pipe_fds in ntpd.c
  • Bug #2887 Stratum -1 config results as showing value 99.
  • Bug #2944 Errno is not preserved properly in ntpdate after sendto call.
  • Bug #2952 Peer associations were broken by the fix for NtpBug2901 CVE-2015-7704
  • Bug #2954 Version 4.2.8p4 crashes on startup on some OSes.
  • Bug #2957 'Unsigned int' vs 'size_t' format clash.
  • Bug #2958 NTPQ: fatal error messages need a final newline.
  • Bug #2965 Local clock didn't work since 4.2.8p4.
  • Bug #2967 'Ntpdate' command suffers an assertion failure
  • Bug #2969 Seg fault from ntpq/mrulist when looking at server with lots of clients.
  • Bug #2971 NTPQ bails on ^C: select fails: Interrupted system call
  • Bug #2962 truncation of size_t/ptrdiff_t on 64bit targets.

First, you need to connect up a monitor and keyboard to the unit. With these connected you should see the same display on the monitor as on the LCD display.

Next press "Alt + F2"

The Default username is "root" and the Default password is "galleon"

When you are logged in you will see a menu with several options. Press the number '3' followed by enter to select the 'Reset web password' option.
You will be asked to confirm your selection by typing Y or N followed by enter.

Upon confirming your action you will be reminded of the default username and password and any logged in sessions to the web interface will be logged out.