Time Synchronization options & troubleshooting on Ubuntu Server

Author: Vladimír Nepor
Published on

System services, log timestamps, and network operations rely on accurate and synchronized time. If the system clock drifts or is not synchronized correctly, you may experience connection errors, SSL certificate issues, or inconsistent timestamps in logs and applications.

Checking System Time Status

You can check your current time synchronization state using:

timedatectl status

A correctly synchronized system typically shows:

Local time: Thu 2025-10-09 11:38:42 CEST
Universal time: Thu 2025-10-09 09:38:42 UTC
RTC time: Thu 2025-10-09 09:38:42
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

✅ What to look for:

  • System clock synchronized: yes
  • NTP service: active

If these values show no or inactive, your system is not currently synchronized.

Default Time Synchronization (systemd-timesyncd)

By default, most Linux distributions use systemd-timesyncd, a simple NTP client that synchronizes the system clock using UDP port 123.

You can check its status:

systemctl status systemd-timesyncd

If it’s inactive, enable it with:

sudo timedatectl set-ntp on

However, this service may stop working in some network configurations — particularly when:

  • You’re using a VPN that blocks UDP/123
  • Your router or firewall drops NTP packets
  • Your ISP filters or blocks NTP traffic

For that reason, I recommend to check the timedatectl status from time to time.

Troubleshooting Time Synchronization issues when using systemd-timesyncd

  • If synchronization works with disabled VPN client, exclude NTP traffic from the VPN tunnel.

    Fix: Set Split Tunnel for systemd-timesyncd

    Alternate fix: Switch to Chrony

  • If synchronization works on another network, such as a mobile hotspot, your primary network or ISP likely blocks UDP port 123.

    Fix: Switch to Chrony.

  • If synchronization starts working again after a router reboot and then stops after some time, your router may have stale or stuck NAT entries for NTP traffic (UDP port 123).

    Fix: Set up an automatic NAT cleanup script on the router to periodically remove old NTP connections. Look for a guide: MikroTik RouterOS – NTP Port Cleanup Scheduler.

    Alternate fix: Switch to Chrony

Alternative Time Synchronization with Chrony

If systemd-timesyncd fails due to network restrictions (e.g. blocked UDP 123), or if you simply prefer a modern and more reliable NTP/NTS client, you can switch to Chrony. Chrony supports both traditional NTP over UDP and encrypted time synchronization via TCP using the Network Time Security (NTS) protocol.

Switching from systemd-timesyncd to Chrony

  1. Stop, disable, and remove systemd-timesyncd

    sudo systemctl disable --now systemd-timesyncd
sudo apt remove -y systemd-timesyncd

  2. Install Chrony

    sudo apt update && sudo apt install -y chrony

  3. Adjust Chrony configuration

    Edit sudo nano /etc/chrony/chrony.conf and update the NTP pool servers to include reliable global sources. These servers are accessible in most environments, including behind NAT or ISP firewalls: 

    pool time.cloudflare.com iburst
pool time.google.com iburst
pool ntp.ubuntu.com iburst
pool pool.ntp.org iburst

    💡 Optional (advanced): If your network allows outbound TCP 4460 and you need authenticated, encrypted time, you can add NTS-capable servers: 

    # Enable only if TCP 4460 is reachable
server time.cloudflare.com iburst nts
server time.google.com iburst nts

    Chrony will prefer the most stable and reachable sources. If NTS servers are unreachable, it will continue using standard NTP (UDP 123) sources.

  4. Verify and fix chronyd binary capabilities

    By default, chronyd may lack the necessary privileges to adjust the system clock (CAP_SYS_TIME). Without this capability, it can communicate with NTP servers but will never actually synchronize the system time.

    Check the current capabilities: 

    sudo getcap /usr/sbin/chronyd

    The correct output should include: 

    /usr/sbin/chronyd = cap_sys_time,cap_net_bind_service+ep

    If the output is empty, add the required capabilities and restart the service: 

    sudo setcap cap_sys_time,cap_net_bind_service+ep /usr/sbin/chronyd

    💡 This step ensures that Chrony has permission to update the system clock. Without it, the synchronization status will remain Stratum 0 and Leap status: Not synchronised.

  5. Enable and start Chrony

    sudo systemctl enable --now chrony

    Once started, Chrony takes over system-wide time synchronization. The system clock and RTC will now stay continuously synchronized even if your network conditions change.

  6. Monitor synchronization status

    You can verify that Chrony is working and tracking remote servers correctly:

    chronyc tracking
    chronyc sources -v

    Example output: 

    Reference ID    : 55A3A8E3 (time.cloudflare.com)
Stratum         : 3
Ref time (UTC)  : Thu Oct 09 09:24:38 2025
System time     : 0.0005 seconds fast of NTP time
Last offset     : +0.0006 seconds
RMS offset      : 0.0003 seconds
Frequency       : 5.354 ppm slow
Leap status     : Normal

    You can also confirm that the system clock is synchronized:

    timedatectl status
    System clock synchronized: yes
NTP service: inactive (handled by chronyd)

Reverting back to systemd-timesyncd

If you ever wish to switch back to the default synchronization service:

sudo systemctl disable --now chrony
sudo apt remove -y chrony
sudo apt install -y systemd-timesyncd
sudo systemctl enable --now systemd-timesyncd