Wednesday, October 21, 2015

Linux : NTP servers are rejected

FAQ: http://www.ntp.org/ntpfaq/NTP-s-algo.htm

# ntpq
> as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1   943  9614   yes   yes  none  sys.peer   reachable  1
  2   944  9014   yes   yes  none  reject   reachable  1


> rv 944
assID=944 status=9014 reach, conf, 1 event, event_reach,
srcadr=ntpserver_IP, srcport=123, dstadr=clientIP, dstport=123,
leap=00, stratum=1, precision=-20, rootdelay=0.000,
rootdispersion=0.320, refid=GPS, reach=377, unreach=0, hmode=3, pmode=4,
hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=-23289498.129, delay=18.167, dispersion=3.040, jitter=78437.126,
reftime=d9d20ed8.a799ceee Wed, Oct 21 2015 21:17:12.654,
org=d9d20edf.9060a3fb Wed, Oct 21 2015 21:17:19.563,
rec=d9d269f2.580148e4 Thu, Oct 22 2015 3:45:54.343,
xmt=d9d269f2.4ebe53b8 Thu, Oct 22 2015 3:45:54.307,
filtdelay= 36.14 18.17 36.36 31.15 36.72 40.30 18.80 18.83,
filtoffset= -233147 -232894 -232688 -232419 -232155 -231980 -231812 -231704,
filtdisp= 0.00 0.98 1.95 2.90 3.87 4.85 5.79 6.74

flash=400 means: peer distance exceeded
/*
 * Peer errors
 */
#define TEST10      0x0200  /* peer bad synch or stratum */
#define TEST11      0x0400  /* peer distance exceeded */
#define TEST12      0x0800  /* peer synchronization loop */
#define TEST13      0x1000  /* peer unreachable */


Usually this means network blocking: a firewall, proxy, etc. may cause this error.

We can try adding the line
tos maxdist [NUM]
to /etc/ntp.conf, before any lines starting with 'restrict' or 'server'.

The default value is 1.5.
We can try a higher number, like 3.
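
Decoding the flash word and checking the peer's distance against maxdist, as an added example (not code from the original post or from the NTP project). It parses `ntpq` `rv` output, maps flash bits to ntpq's test names (only TEST10-TEST13 are listed on the page), and estimates the root distance with the RFC 5905 sum, leaving out the age term and the minimum-dispersion floor as a stated simplification; the sample text is constructed from the `rv 944` output above.

```python
import re

# ntpq's names for flash bits TEST1..TEST13 (the page lists TEST10-TEST13).
FLASH_NAMES = ["pkt_dup", "pkt_bogus", "pkt_unsync", "pkt_denied", "pkt_auth",
               "pkt_stratum", "pkt_header", "pkt_autokey", "pkt_crypto",
               "peer_stratum", "peer_dist", "peer_loop", "peer_unreach"]
TERMS = ("rootdelay", "delay", "rootdispersion", "dispersion", "jitter")

# Constructed sample: the numeric fields of the `rv 944` output shown above.
SAMPLE_RV = """\
leap=00, stratum=1, precision=-20, rootdelay=0.000,
rootdispersion=0.320, refid=GPS, reach=377, unreach=0, hmode=3, pmode=4,
hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=-23289498.129, delay=18.167, dispersion=3.040, jitter=78437.126,
"""

def parse_rv(text):
    """Return {name: value-string} for every name=value pair in rv output."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", text))

def decode_flash(value):
    """Map the hexadecimal flash word to the list of failed sanity tests."""
    word = int(value, 16)
    return [name for bit, name in enumerate(FLASH_NAMES) if word & (1 << bit)]

def root_distance_s(rv):
    """Approximate RFC 5905 root distance in seconds (ntpq reports ms).
    Assumption: the PHI * age term and the MINDISP floor are left out."""
    ms = lambda key: float(rv[key])
    return ((ms("rootdelay") + ms("delay")) / 2 + ms("rootdispersion")
            + ms("dispersion") + ms("jitter")) / 1000.0

def diagnose(text, maxdist=1.5):
    """Summarise why a peer fails and whether a given maxdist would help."""
    rv = parse_rv(text)
    dist = root_distance_s(rv)
    return {"failed": decode_flash(rv["flash"]),
            "distance_s": round(dist, 3),
            "dominant": max(TERMS, key=lambda k: float(rv[k])),
            "exceeds_maxdist": dist > maxdist}

if __name__ == "__main__":
    print(diagnose(SAMPLE_RV))
    print(diagnose(SAMPLE_RV, maxdist=3))
```

By this estimate the sample peer's distance is about 78 s with jitter as the dominant term, so a maxdist of 3 would still leave it rejected until the local clock stops jumping.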


# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
 # ps -ef |grep ntp |grep -v grep
 # rm -rf /var/lib/ntp/drift

 # /usr/sbin/ntpdate -u 0.rhel.pool.ntp.org
22 Nov 17:49:01 ntpdate[26709]: adjust time server 212.26.18.41 offset -0.000689 sec

 # /usr/sbin/ntpdate -u 1.rhel.pool.ntp.org
22 Nov 17:49:09 ntpdate[26719]: adjust time server 212.26.18.41 offset 0.000809 sec

 # /usr/sbin/ntpdate -u 2.rhel.pool.ntp.org
22 Nov 17:49:17 ntpdate[26724]: adjust time server 212.26.18.43 offset -0.000317 sec

 # /etc/init.d/ntpd start
Starting ntpd: [ OK ]
 # ps -ef |grep ntp |grep -v grep
ntp 26797 1 0 17:50 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g

( wait for 10 - 15 min )

 # ntpstat
synchronised to NTP server (212.26.18.41) at stratum 2
time correct to within 968 ms
polling server every 64 s

 # ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*0.rhel.pool.ntp .GPS. 1 u 31 64 277 17.296 -6.289 18.942
+2.rhel.pool.ntp 69.25.96.12 2 u 35 64 377 17.985 -7.786 13.836

 # tail -f /var/log/messages

ntpd[8240]: synchronized to 212.26.18.41, stratum 2



Or we can restart this way

# service ntpd stop
# ps -ef |grep ntp |grep -v grep
# rm -rf /var/lib/ntp/drift
# ntpd -qg
# service ntpd start

About the -q and -g options:
       -q      Exit  the ntpd just after the first time the clock is set. This
               behavior mimics that of the ntpdate program,  which  is  to  be
               retired.  The  -g  and -x options can be used with this option.
               Note: The kernel time discipline is disabled with this  option.



       -g      Normally, ntpd exits with a message to the system  log  if  the
               offset exceeds the panic threshold, which is 1000 s by default.
               This option allows the time to be  set  to  any  value  without
               restriction; however, this can happen only once. If the thresh-
               old is exceeded after that, ntpd will exit with  a  message  to
               the  system  log.  This  option  can be used with the -q and -x
               options. See the tinker command for other options.

Make sure /etc/ntp/step-tickers is correctly populated


# nc -zvnu <IP Address of the NTP server> 123

# tcpdump -s0 port 123 -vvv -i <NIC>


Allow Only Specific Clients

To only allow machines on your own network to synchronize with your NTP server, add the following restrict line to your /etc/ntp.conf file:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
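
How ntpd applies the restrict line above, as an added example (not from the original post or the NTP project): the most specific matching entry wins, so the subnet line only keeps other clients out when a default entry such as `restrict default ignore` is also present. That default line, the localhost line and the client addresses are assumptions made for the example, and the parser handles numeric IPv4 entries only.

```python
import ipaddress

# Constructed ntp.conf fragment: the page's restrict line plus an assumed
# default-deny entry and a localhost entry (neither is on the page).
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
PAGE_LINE_ONLY = "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap\n"

def parse_restrict(conf):
    """Return [(network, flags)] for numeric IPv4 restrict lines in conf."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        # Skip non-restrict lines and the -4/-6 forms (not handled here).
        if len(tok) < 2 or tok[0] != "restrict" or tok[1].startswith("-"):
            continue
        if tok[1] == "default":
            addr, mask, flags = "0.0.0.0", "0.0.0.0", tok[2:]
        elif len(tok) > 3 and tok[2] == "mask":
            addr, mask, flags = tok[1], tok[3], tok[4:]
        else:
            addr, mask, flags = tok[1], "255.255.255.255", tok[2:]
        entries.append((ipaddress.ip_network(f"{addr}/{mask}"), set(flags)))
    return entries

def effective_flags(entries, client):
    """Flags of the most specific entry covering client. With no matching
    entry ntpd applies no restrictions, modelled here as an empty set."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else set()

def access(entries, client):
    """What the restrict flags alone permit for this client address."""
    flags = effective_flags(entries, client)
    return {"time_service": not flags & {"ignore", "noserve"},
            "query": not flags & {"ignore", "noquery"},
            "modify": not flags & {"ignore", "noquery", "nomodify"}}

if __name__ == "__main__":
    for conf in (SAMPLE_CONF, PAGE_LINE_ONLY):
        rules = parse_restrict(conf)
        for client in ("192.168.1.50", "10.0.0.5"):
            print(client, access(rules, client))
```

With the page's line alone, the second run shows 10.0.0.5 still receiving time service and unrestricted ntpq access, because no entry covers it.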


# cat /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -I eth0"

# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no

# Additional options for ntpdate
NTPDATE_OPTIONS=""

https://docs.oracle.com/cd/E50245_01/E50251/html/vmadm-tshoot-vm-clock.html

Setting the Guest's Clock

PVM guests may perform their own system clock management, for example, using the NTPD (Network Time Protocol daemon), or the hypervisor may perform system clock management for all guests.
You can set paravirtualized guests to manage their own system clocks by setting the xen.independent_wallclock parameter to 1 in the /etc/sysctl.conf file. For example:
"xen.independent_wallclock = 1"
If you want to set the hypervisor to manage paravirtualized guest system clocks, set xen.independent_wallclock to 0. Any attempts to set or modify the time in a guest will fail.
You can temporarily override the setting in the /proc file. For example:
"echo 1 > /proc/sys/xen/independent_wallclock"


http://serverfault.com/questions/245401/xen-hvm-guest-has-severe-clock-drift
Add this line to the beginning of ntp.conf:
tinker panic 0

To override the clock source configuration, you should add clocksource= to the kernel stanza. For example:

         kernel /vmlinuz-2.6.18-406.el5 ro root=/dev/vg0/rootvol elevator=deadline clocksource=acpi_pm
 

From the kernel documentation file /usr/share/doc/kernel-doc-2.6.32/Documentation/kernel-parameters.txt:


        clocksource=    [GENERIC_TIME] Override the default clocksource
                        Format: <string>
                        Override the default clocksource and use the clocksource
                        with the name specified.
                        Some clocksource names to choose from, depending on
                        the platform:
                        [all] jiffies (this is the base, fallback clocksource)
                        [ACPI] acpi_pm
                        [ARM] imx_timer1,OSTS,netx_timer,mpu_timer2,
                                pxa_timer,timer3,32k_counter,timer0_1
                        [AVR32] avr32
                        [X86-32] pit,hpet,tsc,vmi-timer;
                                scx200_hrt on Geode; cyclone on IBM x440
                        [MIPS] MIPS
                        [PARISC] cr16
                        [S390] tod
                        [SH] SuperH
                        [SPARC64] tick
                        [X86-64] hpet,tsc

        hpet=           [X86-32,HPET] option to control HPET usage
                        Format: { enable (default) | disable | force |
                                verbose }
                        disable: disable HPET and use PIT instead
                        force: allow force enabled of undocumented chips (ICH4,
                                VIA, nVidia)
                        verbose: show contents of HPET registers during setup

        notsc           [BUGS=X86-32] Disable Time Stamp Counter

An overview on hardware clock and system timer circuits:

When talking about a system's clock, the hardware sits at the very bottom. Every typical system has several devices, usually implemented by clock chips, that provide timing features and can serve as clocks. Which hardware is available depends on the particular architecture. The clock circuits are used both to keep track of the current time of day and to make precise time measurements. The timer circuits are programmed by the kernel so that they issue interrupts at a fixed, predefined frequency. For instance, IA-32 and AMD64 systems have at least one programmable interrupt timer (PIT) as a classical timer circuit, which is usually implemented by an 8254 CMOS chip. Let's briefly describe the clock and timer circuits that are usually found in any reasonably modern system of those architectures:
Real Time Clock (RTC)
The RTC is independent of the system's CPU and any other chips. As it is energized by a small battery, it continues to tick even when the system is switched off. The RTC is capable of issuing interrupts at frequencies ranging between 2 Hz and 8,192 Hz. Linux uses the RTC only to derive the time and date at boot time.
Programmable Interrupt Timer (PIT)
The PIT is a time-measuring device that can be compared to the alarm clock of a microwave oven: it makes the user aware that the cooking time interval has elapsed. Instead of ringing a bell, the PIT issues a special interrupt called timer interrupt, which notifies the kernel that one more time interval has elapsed. As the time goes by, the PIT goes on issuing interrupts forever at some fixed (architecture-specific) frequency established by the kernel.
Time Stamp Counter (TSC)
All 80x86 microprocessors include a CLK input pin, which receives the clock signal of an external oscillator. Starting with the Pentium, 80x86 microprocessors sport a counter that is increased at each clock signal, and is accessible through the TSC register which can be read by means of the rdtsc assembly instruction. When using this register the kernel has to take into consideration the frequency of the clock signal: if, for instance, the clock ticks at 1 GHz, the TSC is increased once every nanosecond. Linux may take advantage of this register to get much more accurate time measurements.
CPU Local Timer
The Local APIC (Advanced Programmable Interrupt Controller) present in recent 80x86 microprocessors provides yet another time-measuring device. Like the PIT, it can issue one-shot or periodic interrupts. There are, however, a few differences:
  • The APIC's timer counter is 32 bit long, while the PIT's timer counter is 16 bit long;
  • The local APIC timer sends interrupts only to its processor, while the PIT raises a global interrupt, which may be handled by any CPU in the system;
  • The APIC's timer is based on the bus clock signal, and it can be programmed in such a way as to decrease the timer counter every 1, 2, 4, 8, 16, 32, 64, or 128 bus clock signals. Conversely, the PIT, which makes use of its own clock signals, can be programmed in a more flexible way.
High Precision Event Timer (HPET)
The HPET is a timer chip that is expected to completely replace the PIT at some point in the future. It provides a number of hardware timers that can be exploited by the kernel. Basically the chip includes up to eight 32 bit or 64 bit independent counters. Each counter is driven by its own clock signal, whose frequency must be at least 10 MHz; therefore the counter is increased at least once every 100 nanoseconds. Any counter is associated with at most 32 timers, each of which is composed of a comparator and a match register. The HPET registers allow the kernel to read and write the values of the counters and of the match registers, to program one-shot interrupts, and to enable or disable periodic interrupts on the timers that support them.
ACPI Power Management Timer (ACPI PMT)
The ACPI PMT is another clock device included in almost all ACPI-based motherboards. Its clock signal has a fixed frequency of roughly 3.58 MHz. The device is a simple counter increased at each clock tick. However, the ACPI PMT is preferable to the TSC if the operating system or the BIOS may dynamically lower the CPU's frequency or voltage. When this happens, the TSC's frequency changes, causing time warps and other side effects, while the frequency of the ACPI PMT does not.
 
