CA API Gateway ntpstat ntpq fails with timeout

Document ID : KB000098937
Last Modified Date : 31/05/2018
Issue:
ntpstat and ntpq -p return a timeout, even though the connection to the NTP server has been verified to work.
Why is NTP only partially working?
Resolution:
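Typically this occurs because the firewall rule that accepts UDP on lo (the loopback interface) is missing. ntpstat and ntpq query the local ntpd over UDP on the loopback interface, so without that rule their queries time out even though ntpd itself can reach its servers.
The following command lists all non-comment lines in the iptables file that mention lo, which includes the rules assigned to the lo interface.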

# more /etc/sysconfig/iptables | grep lo | grep "^[^#;]"
[0:0] -A INPUT -i lo -p tcp -m tcp -j ACCEPT
[0:0] -A INPUT -i lo -p udp -m udp -j ACCEPT                                   <---------- This rule needs to be present for ntpstat to work.
[0:0] -A INPUT ! -i lo -p tcp -m tcp --dport 7001 -j portdrop
[0:0] -A INPUT ! -i lo -p tcp -m tcp --dport 7100 -j portdrop
[0:0] -A badflags -m limit --limit 15/min -j LOG --log-prefix "Badflags:"

If the noted rule is not present, edit the iptables file as follows.
* Note: It is always a good idea, and recommended, to take a VM snapshot before making any system changes.
** Note: On a production or similar environment, do this during a maintenance window, since it requires a gateway service restart.

1) Make a backup copy of iptables before editing, then add the rule.
# cp /etc/sysconfig/iptables /etc/sysconfig/iptablesbeforenewrule
# vi /etc/sysconfig/iptables
Add the following rule:
[0:0] -A INPUT -i lo -p udp -m udp -j ACCEPT

2) Run,
# service ssg stop

3) Run,
# service iptables restart

4) Run,
# service ssg start

*** Note: The gateway service must always be restarted after iptables has been restarted, because the gateway dynamically adds its firewall rules (for listen ports, etc.) at ssg service startup.
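
The "grep lo" check above also matches unrelated lines such as --log-prefix and negated "! -i lo" rules. The following added example (not part of the original KB) checks a rules file for exactly the active loopback UDP ACCEPT rule, before or after the edit. The function names has_lo_udp_accept and write_sample are hypothetical, and the sample rules file is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): exact check for the loopback UDP ACCEPT rule.

# has_lo_udp_accept FILE -> exit 0 if FILE holds an active INPUT rule that
# accepts all UDP arriving on lo, exit 1 otherwise.
has_lo_udp_accept() {
    awk '
        /^[ \t]*[#;]/ { next }    # ignore commented-out rules
        {
            chain = lo = udp = accept = limited = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-A" && $(i+1) == "INPUT") chain = 1
                # "! -i lo" means every interface except lo, so skip it
                if ($i == "-i" && $(i+1) == "lo" && $(i-1) != "!") lo = 1
                if ($i == "-p" && $(i+1) == "udp") udp = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
                # Assumption: a port-limited rule is not the rule the KB means
                if ($i == "--dport" || $i == "--sport") limited = 1
            }
            if (chain && lo && udp && accept && !limited) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_sample FILE MODE: constructed rules file; MODE=missing comments out
# the UDP rule, leaving only lines that a plain "grep lo" would still match.
write_sample() {
    if [ "$2" = missing ]; then udp_rule='#[0:0] -A INPUT -i lo -p udp -m udp -j ACCEPT'
    else udp_rule='[0:0] -A INPUT -i lo -p udp -m udp -j ACCEPT'; fi
    cat > "$1" <<EOF
*filter
[0:0] -A INPUT -i lo -p tcp -m tcp -j ACCEPT
$udp_rule
[0:0] -A INPUT ! -i lo -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A badflags -m limit --limit 15/min -j LOG --log-prefix "Badflags:"
COMMIT
EOF
}

tmp=$(mktemp)
for mode in present missing; do
    write_sample "$tmp" "$mode"
    if has_lo_udp_accept "$tmp"; then echo "$mode: rule found"
    else echo "$mode: rule NOT found"; fi
done
rm -f "$tmp"
```

On a gateway, call has_lo_udp_accept /etc/sysconfig/iptables and check its exit status.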
Additional Information:
This is valid on Red Hat and all 8.x / 9.x versions of the CA API Gateway.