Checking System Time Status
You can check your current time synchronization state using:
timedatectl status
A correctly synchronized system typically shows:
Local time: Thu 2025-10-09 11:38:42 CEST
Universal time: Thu 2025-10-09 09:38:42 UTC
RTC time: Thu 2025-10-09 09:38:42
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
✅ What to look for:
- System clock synchronized: yes
- NTP service: active
If these values show no or inactive, your system is not currently synchronized.
Default Time Synchronization (systemd-timesyncd)
By default, most Linux distributions use systemd-timesyncd, a simple NTP client that synchronizes the system clock using UDP port 123.
You can check its status:
systemctl status systemd-timesyncd
If it’s inactive, enable it with:
sudo timedatectl set-ntp on
However, this service may stop working in some network configurations — particularly when:
- You’re using a VPN that blocks UDP/123
- Your router or firewall drops NTP packets
- Your ISP filters or blocks NTP traffic
For that reason, I recommend to check the timedatectl status from time to time.
Troubleshooting Time Synchronization issues when using systemd-timesyncd
-
If synchronization works with disabled VPN client, exclude NTP traffic from the VPN tunnel.
Fix: Set Split Tunnel for
systemd-timesyncdAlternate fix: Switch to Chrony
-
If synchronization works on another network, such as a mobile hotspot, your primary network or ISP likely blocks UDP port 123.
Fix: Switch to
Chrony. -
If synchronization starts working again after a router reboot and then stops after some time, your router may have stale or stuck NAT entries for NTP traffic (UDP port 123).
Fix: Set up an automatic NAT cleanup script on the router to periodically remove old NTP connections. Look for a guide: MikroTik RouterOS – NTP Port Cleanup Scheduler.
Alternate fix: Switch to Chrony
Alternative Time Synchronization with Chrony
If systemd-timesyncd fails due to network restrictions (e.g. blocked UDP 123), or if you simply prefer a modern and more reliable NTP/NTS client, you can switch to Chrony. Chrony supports both traditional NTP over UDP and encrypted time synchronization via TCP using the Network Time Security (NTS) protocol.
Switching from systemd-timesyncd to Chrony
-
Stop, disable, and remove
systemd-timesyncdsudo systemctl disable --now systemd-timesyncd sudo apt remove -y systemd-timesyncd -
Install
Chronysudo apt update && sudo apt install -y chrony -
Adjust Chrony configuration
Edit
sudo nano /etc/chrony/chrony.confand update the NTP pool servers to include reliable global sources. These servers are accessible in most environments, including behind NAT or ISP firewalls:pool time.cloudflare.com iburst pool time.google.com iburst pool ntp.ubuntu.com iburst pool pool.ntp.org iburst💡 Optional (advanced): If your network allows outbound TCP 4460 and you need authenticated, encrypted time, you can add NTS-capable servers:
# Enable only if TCP 4460 is reachable server time.cloudflare.com iburst nts server time.google.com iburst ntsChrony will prefer the most stable and reachable sources. If NTS servers are unreachable, it will continue using standard NTP (UDP 123) sources.
-
Verify and fix
chronydbinary capabilitiesBy default,
chronydmay lack the necessary privileges to adjust the system clock (CAP_SYS_TIME). Without this capability, it can communicate with NTP servers but will never actually synchronize the system time.Check the current capabilities:
sudo getcap /usr/sbin/chronydThe correct output should include:
/usr/sbin/chronyd = cap_sys_time,cap_net_bind_service+epIf the output is empty, add the required capabilities and restart the service:
sudo setcap cap_sys_time,cap_net_bind_service+ep /usr/sbin/chronyd💡 This step ensures that Chrony has permission to update the system clock. Without it, the synchronization status will remain
Stratum 0andLeap status: Not synchronised. -
Enable and start Chrony
sudo systemctl enable --now chronyOnce started, Chrony takes over system-wide time synchronization. The system clock and RTC will now stay continuously synchronized even if your network conditions change.
-
Monitor synchronization status
You can verify that Chrony is working and tracking remote servers correctly:
chronyc trackingchronyc sources -vExample output:
Reference ID : 55A3A8E3 (time.cloudflare.com) Stratum : 3 Ref time (UTC) : Thu Oct 09 09:24:38 2025 System time : 0.0005 seconds fast of NTP time Last offset : +0.0006 seconds RMS offset : 0.0003 seconds Frequency : 5.354 ppm slow Leap status : NormalYou can also confirm that the system clock is synchronized:
timedatectl statusSystem clock synchronized: yes NTP service: inactive (handled by chronyd)
Reverting back to systemd-timesyncd
If you ever wish to switch back to the default synchronization service:
sudo systemctl disable --now chrony
sudo apt remove -y chrony
sudo apt install -y systemd-timesyncd
sudo systemctl enable --now systemd-timesyncd