Affected versions: RHEL 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Time synchronization repeatedly fails, causing auth and scheduling instability.

Environment & Reproduction

Seen in hardened environments with restrictive outbound firewall policies.

chronyc sources -v
chronyc tracking
firewall-cmd --list-all

Root Cause Analysis

firewalld policies deny UDP/123 egress to approved NTP servers.

Quick Triage

Validate chronyd status and network policy quickly.

systemctl status chronyd
chronyc activity
journalctl -u chronyd -n 60

Step-by-Step Diagnosis

Check direct UDP reachability and zone/policy assignments.

firewall-cmd --get-active-zones
firewall-cmd --query-service=ntp
tcpdump -ni any udp port 123 -c 10

Solution – Primary Fix

Allow the NTP service in the correct zone and reload the firewall.

firewall-cmd --zone=public --add-service=ntp --permanent
firewall-cmd --reload
systemctl restart chronyd

Solution – Alternative Approaches

Permit only specific NTP endpoints using rich rules for tighter controls.

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 destination address=10.20.30.40 service name=ntp accept'
firewall-cmd --reload

Verification & Acceptance Criteria

chrony reaches sources and reports synchronized state.

chronyc sources -v
chronyc tracking
timedatectl status
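
The acceptance criteria above can be checked mechanically. This is an added example, not part of the original article: it assumes the comma-separated field order of `chronyc -c sources` (mode, state, name, stratum, poll, reach, ...) and runs on constructed sample rows, where 10.20.30.41 is a made-up second server.

```shell
#!/bin/sh
# Added example (not from the original page): acceptance check over the CSV
# that `chronyc -c sources` prints. Assumed field order:
# mode,state,name,stratum,poll,reach,lastrx,offset,measured,error

# Names of sources whose reach register is 0: no reply in the last 8 polls,
# which is what dropped UDP/123 traffic looks like from chronyd's side.
unreachable_sources() {
    awk -F, 'NF >= 6 && $6 + 0 == 0 { print $3 }'
}

# Name of the source chronyd has selected (state "*"); empty if none.
selected_source() {
    awk -F, '$2 == "*" { print $3; exit }'
}

# Succeeds only if a source is selected and every source has been reached.
sync_ok() {
    _csv=$(cat)
    [ -n "$(printf '%s\n' "$_csv" | selected_source)" ] &&
        [ -z "$(printf '%s\n' "$_csv" | unreachable_sources)" ]
}

# Constructed sample: both sources silent (firewall dropping NTP).
BLOCKED='^,?,10.20.30.40,0,6,0,0,0.000000000,0.000000000,0.000000000
^,?,10.20.30.41,0,6,0,0,0.000000000,0.000000000,0.000000000'

# Constructed sample: after the fix, one source selected, both reachable
# (reach 377 octal = replies to all of the last 8 polls).
FIXED='^,*,10.20.30.40,2,6,377,21,0.000012345,0.000015678,0.001234567
^,+,10.20.30.41,2,6,377,22,-0.000023456,-0.000020123,0.001345678'

for sample in "$BLOCKED" "$FIXED"; do
    if printf '%s\n' "$sample" | sync_ok; then
        echo "PASS: synchronized to $(printf '%s\n' "$sample" | selected_source)"
    else
        echo "FAIL: unreachable: $(printf '%s\n' "$sample" | unreachable_sources | tr '\n' ' ')"
    fi
done
# On a live host: chronyc -c sources | sync_ok && echo synchronized
```
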

Rollback Plan

Remove the newly added firewall rule if policy review rejects the exposure.

firewall-cmd --zone=public --remove-service=ntp --permanent
firewall-cmd --reload

Prevention & Hardening

Maintain an explicit allowlist for time infrastructure in firewall baselines.

firewall-cmd --permanent --list-all
chronyc sources

Related Errors & Cross-Refs

Associated with proxy-only egress models and DNS resolver failures.

References & Further Reading

RHEL firewalld and chrony integration best practices.