What does NTP stratum 16 mean?

Stratum 16 is the NTP sentinel value for 'unsynchronized' — the daemon has no valid reference clock. It is the state ntpd/chronyd reports before reaching a stable source, and the state they fall back to when all sources become unreachable or are rejected by the sanity checks.

Why does chrony show stratum 16 after boot?

Three possible causes, in order: (1) no source reachable yet — 'chronyc sources' shows all '?' or '~' lines, (2) offset exceeds the panic threshold (default 1000 s for ntpd, configurable 'maxdistance' in chrony), (3) all configured servers returned responses but the intersection algorithm found no majority agreement (selection failure). Run 'chronyc sources -v' and 'chronyc sourcestats' to isolate.

How do I force chrony out of stratum 16?

If a source IS reachable but the clock is too far off, run 'sudo chronyc makestep' to step the clock immediately. For ntpd, use 'ntpd -gq' to acquire time once at start-up even past the panic threshold. If no source is reachable, fix connectivity first (see our firewall guide) — no amount of makestep will help.

What is the panic threshold in NTP?

The panic threshold is the maximum clock offset NTP will accept before refusing to correct the clock. Default for ntpd: 1000 seconds; above this, ntpd exits with the 'panic sanity' message unless started with -g. For chrony, the related 'makestep' directive controls when chrony steps versus slews, and 'maxdistance' (default 3 s) bounds the acceptable root distance from a source.

Can a VM guest show stratum 16 because of the host?

Yes — Hyper-V, VMware and KVM all offer 'time sync with host' that competes with chronyd. Symptoms: offset jumps, then recovers, then jumps again; eventually chrony enters stratum 16 when its filter cannot stabilise. Disable guest/host time sync in the hypervisor settings (or the integration services), leaving chronyd as the sole time authority inside the VM.

Stratum 16 Troubleshooting | Fix NTP Unsynchronized State

1. What stratum 16 really means

In the NTP protocol, the stratum field is an 8-bit integer identifying the distance from the reference atomic clock. Values 1–15 are valid operating strata. Stratum 16 is a sentinel value meaning "unsynchronized" — the daemon has no trusted time source. It is both:

the initial state on daemon start-up, before any peer stabilises, and
the fallback state when all configured peers become unreachable or are rejected by the sanity checks.

The difference matters for diagnosis. Freshly-booted stratum 16 with a visible iburst countdown is normal. Stratum 16 after 30 minutes of uptime is a fault.

2. 3-step diagnostic on chrony and ntpd

Run these three commands in order. Each one points to the most likely next cause.

chrony

$ chronyc tracking          # overall sync status
$ chronyc sources -v        # per-source reachability and selection
$ chronyc sourcestats -v    # offset/jitter stability per source

ntpd / ntpsec

$ ntpq -p                   # per-source table
$ ntpq -c rv                # read variables: stratum, offset, jitter, dispersion
$ ntpq -c 'rv 0 stratum,offset,frequency,sys_jitter'

Read the output against the three common root causes below.

3. Cause #1 — no reachable source

Signature in chronyc sources: every source shows ? or ~ in the selection column, and reach is 0. Signature in ntpq -p: all peers show .INIT. as their refid.

Fix sequence:

# 1. Test UDP 123 reachability
$ nc -u -vz ntp.rdem-systems.com 123
# or, if nc is not UDP-capable
$ ntpdate -q ntp.rdem-systems.com

# 2. Check firewall state
$ sudo iptables -L -n | grep 123
$ sudo firewall-cmd --list-all | grep ntp
$ sudo ufw status | grep 123

# 3. If blocked, open it
$ sudo ufw allow 123/udp           # ufw
$ sudo firewall-cmd --add-service=ntp --permanent && sudo firewall-cmd --reload

Deep dive: the firewall guide covers iptables, firewalld, ufw and Windows Firewall.

4. Cause #2 — offset above the panic threshold

Signature: sources are reachable (reach > 0), but the daemon refuses to step the clock. Logs mention "panic sanity" (ntpd) or "clock jump too large" (chrony).

Default thresholds:

Daemon	Threshold	Directive
ntpd	1000 s	`tinker panic 0` (disable) or launch with `-g`
chrony	Configurable (no hard panic)	`makestep 1.0 3` in `chrony.conf`
w32time	Varies (MaxPosPhaseCorrection / MaxNegPhaseCorrection)	Registry under `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config`

Fix — chrony

# One-shot step (manual)
$ sudo chronyc makestep

# Persist: allow step for first 3 clock updates if offset > 1s
# in /etc/chrony/chrony.conf
makestep 1.0 3

Fix — ntpd

# One-shot step at start-up (past panic threshold)
$ sudo systemctl stop ntp
$ sudo ntpd -gq               # query once with -g allowed
$ sudo systemctl start ntp

5. Cause #3 — all sources rejected by selection

Signature: sources are reachable, offsets are small, but the selection column shows x (false ticker) or - (outlyer) on every peer. The daemon has no majority to agree with, so it stays at stratum 16.

Usually means you have an even number of sources and they split 50/50, OR one source is wildly wrong and drags the median. Fixes:

Configure at least 4 sources. With 3, any one outlier creates deadlock; with 4 the intersection is robust.
Diversify upstream: do not use 4 servers from the same operator/ASN. See the NTP source comparison for good dual-operator options.
Identify the outlier with chronyc sourcestats -v — look for one source with offset > 3× the others — and treat it as a false ticker.

6. Windows w32tm equivalent

On Windows, stratum 16 manifests as the unsynchronized state of w32time or TimeState::StateNoSync.

:: Query status
> w32tm /query /status

:: Force resync from authoritative peer
> w32tm /resync /force

:: Reconfigure manual peer list
> w32tm /config /manualpeerlist:"ntp.rdem-systems.com time.cloudflare.com" /syncfromflags:manual /update
> net stop w32time && net start w32time
> w32tm /resync /force

If the resync fails, check Windows Firewall allows outbound UDP 123.

7. VM and hypervisor gotchas

Virtualisation adds a second time authority competing with NTP. Turn it OFF inside guests that run chronyd/ntpd:

Hyper-V: uncheck "Time synchronization" in the Integration Services of each VM; set the Hyper-V service startup to manual via PowerShell if you want to keep it for nested VMs only.
VMware: open-vm-tools installs vmtoolsd which can sync the guest to the host. Disable in /etc/open-vm-tools/tools.conf with time.synchronize.tools.startup = false and related flags.
KVM / libvirt: avoid <clock offset="host"> with periodic sync. Use <clock offset="utc"/> and let chronyd handle it.

After disabling host-guest sync, restart chronyd and wait 1–3 poll intervals (64–256 s default) for sync to lock.

Related diagnostic pages:

After the fix — related sites:

Measure jitter, offset, latency → ntp-tester.eu
Produce NIS 2 / ISO 27001 audit evidence → online-ntp-validator.com
Enterprise reference architecture → ntp.rdem-systems.com