Failover refers to TimeKeeper automatically switching to a lower-priority time source if a higher-priority time source becomes unavailable, e.g., in the case of GPS, if reception quality fluctuates.
TimeKeeper utilizes timing sources in the order defined. This means VelaSync's system clock will be driven to match Source (0) (or the lowest numbered source) as long as that Source is delivering timing data. Should Source (0) stop providing data, TimeKeeper will fail over to Source (1), (2), and so on.
In the event of a source failure, TimeKeeper will start using Source (1), and it will continue to use Source (1) until either it fails, or Source (0) begins responding again.
If Source (0) returns, TimeKeeper will begin tracking it again. All of this occurs regardless of what protocol or type of Source is in use.
TimeKeeper can also actively compare each time source, and proactively reject bad sources using the Sourcecheck feature. For details on enabling and using Sourcecheck, please see below.
Note that before failing over to a lower-grade timing source, the VelaSync internal oscillator will be used for a period of time (the default is 2 hours) to provide the timing signal and the 1PPS signal. This is referred to as Holdover.
In its default configuration (i.e. Sourcecheck = DISABLED), TimeKeeper will allow for automatic failover from higher priority sources to lower priority sources, in the event that the higher priority sources stop providing time. This means that if you have configured Source (0) and Source (1), TimeKeeper will use Source (0) as long as it is providing time.
Even if Source (0) provides incorrect time, e.g., due to faulty hardware, a spoofing attack, or a misconfiguration, TimeKeeper will continue to use it. When configured, alarms will be sent out because Source (1) will disagree with Source (0), but Source (0) will continue to be used.
Failover With Sourcecheck
Sourcecheck provides an additional failover model that includes checks on the validity of time and not just whether or not time is being provided. With Sourcecheck enabled, in addition to tracking sources based on the configured priority, TimeKeeper will actively compare each source against the others and proactively reject a source based on its behavior, even if it is continuing to provide data. Source (0) could be rejected for Source (1) if Source (0) disagrees with Sources (1), (2), and (3). This detects and avoids timing issues based on faulty hardware, false leap seconds, misconfigurations, spoof attacks, and so on.
To take advantage of Sourcecheck, you must have at least two time sources configured. Three or more time sources are preferred since more advanced checks can be performed. More sources are better than fewer. More accurate sources allow for more accurate checks and faster problem detection. For example, even multiple public NTP servers over the internet can be useful for cross-checking a good local GPS clock source.
TimeKeeper watches all of the sources for their trending behavior, and reports in the TimeKeeper log file if it detects that a source is out of agreement or behaving erratically. Should that be the case, the logged behavior of the primary and the current source will indicate why the clock is unacceptable.
Note that TimeKeeper distrusts all sources in this configuration: if the primary time source is moving in a different direction than the majority of the sources, TimeKeeper will reject the primary source, move to the next highest priority source that is in agreement with the majority, and send alerts about the change. Alerts will be sent out based on the configuration, i.e. via SNMP or syslog.
The Sourcecheck feature can be used to provide logging data for the behavior of available time sources on the network (including local devices). It can also act as an alarm to detect any freewheeling or compromised time servers. If VelaSync is used as a server, it can ensure that clients retain a good quality sync regardless of network issues or timing attacks. If a source goes away or acts erratically, TimeKeeper will decide what the next best source is and choose it, without interrupting service to any clients.
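The difference between the default failover model and the majority check described above can be seen in a small simulation. This is an added example, not TimeKeeper code or its actual algorithm: it is a simplified model that compares a single snapshot of offsets rather than trends, and the source names, sample offsets and the TOLERANCE_US window are all assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample: (name, offset from local clock in microseconds), in
# priority order. None means the source has stopped delivering data.
SOURCES = [
    ("source0-gps", 850_000.0),  # still answering, but far off (faulty or spoofed)
    ("source1-ptp", 1.2),
    ("source2-ntp", -3.5),
    ("source3-ntp", 4.0),
]
TOLERANCE_US = 100.0  # assumed agreement window, not a TimeKeeper setting


def select_availability_only(sources):
    """Default model: first source in priority order that still delivers data."""
    for name, offset in sources:
        if offset is not None:
            return name
    return None


def select_with_crosscheck(sources, tolerance=TOLERANCE_US):
    """Return (selected, rejected): highest-priority source agreeing with the majority."""
    live = [(n, o) for n, o in sources if o is not None]
    if len(live) < 2:
        # Nothing to compare against: only availability can be judged.
        return select_availability_only(sources), []
    consensus = median(o for _, o in live)
    agreeing = [n for n, o in live if abs(o - consensus) <= tolerance]
    if 2 * len(agreeing) <= len(live):
        # No majority (e.g. two sources that disagree): the model cannot tell
        # which one is wrong, so it selects none and flags them all.
        return None, [n for n, _ in live]
    rejected = [n for n, _ in live if n not in agreeing]
    return agreeing[0], rejected  # `live` keeps priority order, so [0] is highest


if __name__ == "__main__":
    print("availability only:", select_availability_only(SOURCES))
    selected, rejected = select_with_crosscheck(SOURCES)
    print("with cross-check: ", selected, "rejected:", rejected)
```

With only two sources that disagree, the model can raise the disagreement but cannot say which source is wrong, which is why three or more sources are preferred.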
To enable Sourcecheck:
- Navigate to Configuration > TimeKeeper configuration: Enable Sourcecheck.
For more information on Failover, see Configuring Timing Sources.
For more information on Holdover, see Holdover.