123/UDP you shall not pass
IT_Will_be_Fun (Newbie ✭)
            NSA2650 super basic config - 4 interfaces each running a diff subnet, a couple of sub interfaces for VLAN'ing out the guest WiFi traffic, nothing fancy. It will not pass 123/UDP. I have a few dozen machines trying to get some time updates. Yes, the default rule outbound allowing anything is enabled. There is no specific rule to block UDP or port 123. Funny thing? I got a few dozen VoIP phones on here and they're passing 5060/UDP SIP, all working no problem - just can't update their time, otherwise they work fine. Here's a snippet from the capture.
Absolutely nothing on the LAN can use NTP outbound. Any ideas?
Category: High End Firewalls
Comments
@IT_Will_be_Fun did you check the Value section of the packet monitor details? Was it dropped because of an Access Rule or something else?
--Michael@BWC
So, each and every drop (even those from non-VoIP-phone devices) has the exact same reason, totally blank. However, in the packet detail header I found this...
"Drop Code: 580(Packet dropped - failed SIP pre-processing)" So here's the AHA! Moment...
With SIP Transformations enabled on the address group I created called VOIP, I couldn't understand how non-VoIP addresses were attempting SIP transformations, as indicated in the error above. So I looked in the VOIP address group I had made and sure enough, for some reason NTP was included in that group. I assume I accidentally added it while creating the group.
After removing NTP from my VOIP group.....voila! NTP is working now.
Thanks for the response Michael@BWC. I was beating my face on the keyboard for a while.
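The triage that resolved this thread can be automated: pull the packet-monitor export, keep only packets dropped with code 580 (failed SIP pre-processing), and flag the ones whose destination port is not a SIP port, since those destinations are exactly the address objects to look for inside the SIP-transformed group. This is an added example, not the poster's or SonicWall's code; the sample lines are constructed and their column layout is an assumption, not the exact SonicOS export format.

```python
import re
from collections import defaultdict

# Drop code quoted from the packet-monitor detail in this thread.
SIP_PREPROC_DROP = 580
SIP_PORTS = {5060, 5061}

# Constructed sample lines; the column layout is an assumption for illustration,
# not a copy of the real SonicOS packet-monitor export format.
SAMPLE_LINES = """\
10.10.1.21:47331 -> 192.0.2.123:123 UDP DROPPED Drop Code: 580(Packet dropped - failed SIP pre-processing)
10.10.1.22:39811 -> 192.0.2.123:123 UDP DROPPED Drop Code: 580(Packet dropped - failed SIP pre-processing)
10.10.2.50:5060 -> 198.51.100.10:5060 UDP FORWARDED
10.10.2.51:5060 -> 198.51.100.10:5060 UDP FORWARDED
10.10.1.30:51234 -> 198.51.100.20:443 TCP FORWARDED
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)"
    r"(?: Drop Code: (?P<code>\d+)\((?P<reason>[^)]*)\))?$"
)

def parse(lines):
    """Yield one dict per recognised line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["code"] = int(d["code"]) if d["code"] else None
            yield d

def misapplied_sip_drops(lines):
    """Packets dropped by SIP pre-processing whose destination port is not SIP:
    traffic the SIP transformation should never have been applied to."""
    return [p for p in parse(lines)
            if p["code"] == SIP_PREPROC_DROP and p["dport"] not in SIP_PORTS]

def suspect_destinations(lines):
    """Map each destination hit by a misapplied SIP drop to the non-SIP ports seen,
    i.e. the address objects to look for inside the SIP-transformed address group."""
    hits = defaultdict(set)
    for p in misapplied_sip_drops(lines):
        hits[p["dst"]].add(p["dport"])
    return dict(hits)

if __name__ == "__main__":
    for dst, ports in suspect_destinations(SAMPLE_LINES).items():
        print(f"check address-group membership of {dst}: non-SIP ports {sorted(ports)}")
```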
@IT_Will_be_Fun great that you figured that out, the devil is always in the details. Happy NTPing :)
--Michael@BWC