SRX Services Gateway
Super Contributor
lto
Posts: 20
Registered: ‎03-26-2009

SRX as an NTP server

Hi,

I have an SRX box that is connected to an NTP server (which is synchronized to pool.ntp.org).

I want the SRX to serve time to other switches and firewalls, but it does not seem to work.

 

NTP Server (10.31.8.3) -> SRX (Server, 10.31.251.1) -> EX (Client, 10.31.251.2)

 

This is the SRX that I want to act as an NTP server for some clients:

 

root@CLY-S1-FWBCK-01> show configuration system ntp
boot-server 10.31.8.3;
server 10.31.8.3 prefer;
source-address 10.31.238.6;

 

{primary:node0}
root@CLY-S1-FWBCK-01> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.31.8.3 193.55.167.2 3 - 50 64 377 1.544 1.407 1.196

 

{primary:node0}
root@CLY-S1-FWBCK-01> show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Aug 22 06:38:40 UTC 2013 (1)",
processor="octeon", system="JUNOS11.4R9.4", leap=00, stratum=4,
precision=-17, rootdelay=11.106, rootdispersion=60.095, peer=49636,
refid=10.31.8.3,
reftime=d639e4b1.426630fb Fri, Nov 22 2013 15:12:01.259, poll=6,
clock=d639e527.10593258 Fri, Nov 22 2013 15:13:59.063, state=4,
offset=1.357, frequency=1.112, jitter=1.257, stability=0.007

 

So it seems alright to me, stratum 4 and synchronized to our NTP server 10.31.8.3.

 

However when I try to sync an EX switch to this SRX, it does not work:

 

{master:0}
root@CLY-S0-SWBCK-01> ping 10.31.251.1 rapid
PING 10.31.251.1 (10.31.251.1): 56 data bytes
!!!!!
--- 10.31.251.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.950/2.381/2.801/0.298 ms

 

{master:0}
root@CLY-S0-SWBCK-01> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
10.31.251.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00

{master:0}
root@CLY-S0-SWBCK-01> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Thu Jun 13 23:41:15 UTC 2013 (1)",
processor="arm", system="JUNOS12.3R3.4", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=19.350, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 7:28:16.000,
poll=4, clock=d639e65f.2c040566 Fri, Nov 22 2013 15:19:11.171, state=1,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

 

Any idea of what might be going on here? Any parameters I might have missed on the SRX?

 

Many thanks,

Thomas

Distinguished Expert
aarseniev
Posts: 1,664
Registered: ‎08-21-2009

Re: SRX as an NTP server

Hello,

Do you have the following defined under zone|interface?

 

set security zones security-zone BLAH host-inbound-traffic system-services ntp

 Thanks

Alex

Super Contributor
lto
Posts: 20
Registered: ‎03-26-2009

Re: SRX as an NTP server

Hi aarseniev,

thanks for your answer.

Yes, I allowed ntp as inbound traffic on the zone of the interface through which the SRX is supposed to respond to the EX.

Distinguished Expert
aarseniev
Posts: 1,664
Registered: ‎08-21-2009

Re: SRX as an NTP server

Hello,

Please post the SRX config snippets of the "system ntp" stanza and of the security zone where the NTP clients are located.

Remember that "host-inbound-traffic" under interface overrides "host-inbound-traffic" under zone.

Thanks

Alex

Super Contributor
lto
Posts: 20
Registered: ‎03-26-2009

Re: SRX as an NTP server

Hello,

here it is

 

{primary:node0}
root@SRX> show configuration system ntp
boot-server 10.31.8.3;
server 10.31.8.3 prefer;
source-address 10.31.238.6;

 

{primary:node0}
root@SRX> show configuration security zones security-zone Z-XXX
host-inbound-traffic {
system-services {
ping;
ssh;
ntp;
}
}
interfaces {
reth0.100;
}

Distinguished Expert
aarseniev
Posts: 1,664
Registered: ‎08-21-2009

Re: SRX as an NTP server

Hello,

Thanks for posting the config.

These config bits look good to me; a few further questions:

1/ is the NTP source IP 10.31.238.6 same as reth0.100 IP?

2/ is there any lo0.0 filter which blocks inbound NTP (UDP with src.port 123 + dst.port 123)? This is how regular NTP works, as opposed to the "set date ntp" CLI command, which uses UDP src.port 1024-65535 + dst.port 123.

3/ Is reth0.100 inside Virtual Router, by any chance?

Thanks
Alex

Contributor
Kevin Dicks
Posts: 25
Registered: ‎03-30-2013

Re: SRX as an NTP server


Hello lto,

 

Did you see if there was any useful info held within the messages log?

 

show log messages | match ntp

Just curious to see if the SRX logged any details, that may be helpful.

 

Also, I think the 4000.00 value for jitter from the 'show ntp associations' command is measured in milliseconds, and isn't NTP considered out-of-sync above 120 milliseconds? I would need to verify this.

 

Thanks

Distinguished Expert
lyndidon
Posts: 1,277
Registered: ‎06-06-2011

Re: SRX as an NTP server

lto wrote:

reftime=d639e4b1.426630fb Fri, Nov 22 2013 15:12:01.259, poll=6,
clock=d639e527.10593258 Fri, Nov 22 2013 15:13:59.063, state=4,
offset=1.357, frequency=1.112, jitter=1.257, stability=0.007

 

So it seems alright to me, stratum 4 and synchronized to our NTP server 10.31.8.3.

 

However when I try to sync an EX switch to this SRX, it does not work:

 

{master:0}
root@CLY-S0-SWBCK-01> ping 10.31.251.1 rapid
PING 10.31.251.1 (10.31.251.1): 56 data bytes
!!!!!
--- 10.31.251.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.950/2.381/2.801/0.298 ms

 

{master:0}
root@CLY-S0-SWBCK-01> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
10.31.251.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00

{master:0}
root@CLY-S0-SWBCK-01> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Thu Jun 13 23:41:15 UTC 2013 (1)",
processor="arm", system="JUNOS12.3R3.4", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=19.350, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 7:28:16.000,
poll=4, clock=d639e65f.2c040566 Fri, Nov 22 2013 15:19:11.171, state=1

 

The switch is configured in symmetric active mode. Set the switch to client mode and test it. Also, what kind of server is this server 10.31.8.3? I am almost sure that this server should be a Stratum 1, or at least server 10.31.8.3 should be synchronizing with a Stratum 1 server, even though there may not be any mention of it in the documents and Juniper says it does not have to be a Stratum 1. Maybe a Stratum 2 will work also. Then you have to make sure the SRX is synchronized with its peer server. You must peer with a real NTP server (Unix/Windows will do), otherwise the clients will not trust that server as an accurate time source.
One more thing, the SRX is not listed as a supported platform for clients. Several Juniper devices are listed, but not the SRX.

Super Contributor
lto
Posts: 20
Registered: ‎03-26-2009

Re: SRX as an NTP server


aarseniev wrote:

1/ is the NTP source IP 10.31.238.6 same as reth0.100 IP?

2/ is there any lo0.0 filter which blocks inbound NTP (UDP with src.port 123+dst.port 123)?

3/ Is reth0.100 inside Virtual Router, by any chance?

Alex


 Hi Alex,

1/ No it is not.

Basically we have:

[NTP server, 10.31.8.3] <----> [SRX reth0.311 10.31.238.6 || reth0.100 10.31.251.1] <----> [EX3300 vlan.100 10.31.251.2]

 

2/ I don't think so. We don't have any firewall filter on this box.

 

3/ Nope, reth0.311 and reth0.100 are in the default routing instance (inet0 table).

 


Kevin Dicks wrote:

Did you see if there was any useful info held within the messages log?

 

 


Here are the last logs on the SRX

{primary:node0}
root@SRX> show log messages | match ntp

Nov 22 15:06:41 SRX xntpd[16308]: kernel time sync enabled 2001
Nov 23 08:26:48 SRX xntpd[16308]: kernel time sync enabled 6001
Nov 23 08:43:53 SRX xntpd[16308]: kernel time sync enabled 2001
Nov 23 11:17:29 SRX xntpd[16308]: kernel time sync enabled 6001
Nov 23 11:34:32 SRX xntpd[16308]: kernel time sync enabled 2001
Nov 23 12:08:41 SRX xntpd[16308]: kernel time sync enabled 6001
Nov 23 12:25:47 SRX xntpd[16308]: kernel time sync enabled 2001

 

And on the EX side:

 

Nov 23 08:26:23 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 09:01:00 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 09:35:36 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 10:10:16 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 10:44:53 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 11:19:30 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 11:54:08 EX3300 xntpd[21800]: NTP Server Unreachable
Nov 23 12:28:43 EX3300 xntpd[21800]: NTP Server Unreachable

 

So, not really useful.

 


lyndidon wrote:

The switch is configured in symmetric active mode. Set the switch to client mode and test it. Also, what kind of server is this server 10.31.8.3? I am almost sure that this server should be a Stratum 1, or at least server 10.31.8.3 should be synchronizing with a Stratum 1 server, even though there may not be any mention of it in the documents and Juniper says it does not have to be a Stratum 1. Maybe a Stratum 2 will work also. Then you have to make sure the SRX is synchronized with its peer server. You must peer with a real NTP server (Unix/Windows will do), otherwise the clients will not trust that server as an accurate time source.

 


The EX is not configured in symmetric active mode, that's what I don't get.

Just a standard ntp client mode:

 

{master:0}
root@EX3300> show configuration system ntp
server 10.31.251.1;
source-address 10.31.251.2;

 

10.31.8.3 is a Red Hat Linux server synchronized to pool.ntp.org. It is considered a stratum 3 server as it is synchronized with a stratum 2 ntp server. And the SRX is a stratum 4 as it is connected to this server.

 

[admin@10.31.8.3 ~]$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
+5.39.75.216 145.238.203.14 2 u 103 1024 377 5.188 -1.176 0.170
-88.190.34.35 195.83.222.27 2 u 139 1024 377 48.717 22.605 0.597
*212.83.133.52 145.238.203.14 2 u 163 1024 377 1.856 -0.328 0.059
+193.55.167.2 192.93.2.20 2 u 356 1024 377 6.962 0.652 0.035
127.127.1.0 .LOCL. 10 l 5 64 377 0.000 0.000 0.000

 

Super Contributor
lto
Posts: 20
Registered: ‎03-26-2009

Re: SRX as an NTP server


Okay, so I added the address 10.31.238.6 (which is the address of reth0.311 of the SRX) as an NTP server on my EX switch, and it does work:

 

{master:0}[edit]
root@EX3300# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
10.31.251.1 .STEP. 16 - - 64 0 0.000 0.000 4000.00
*10.31.238.6 10.31.8.3 4 - 5 64 1 2.903 -0.077 0.340

 

Why wouldn't I be able to use the SRX's reth0.100 address... I have a default policy of permit all at the moment, so it shouldn't matter.
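The three ntpd outputs argued over in this thread (the hex reftime/clock stamps, the status= word with its leap/sync/event fields, and the association lines showing .INIT./.STEP. with stratum 16 and reach 0) can all be decoded mechanically rather than by eye. The following decoder is an added example written for this page; it is not Juniper code and not code from any poster. It assumes the RFC 1305 field layouts that ntpd 4.2 prints through ntpq, uses ntpd's own status strings for the codes that appear above (other codes fall back to a numeric label), and assumes numeric peer addresses as in the thread's outputs. Note that ntpq prints timestamps in the device's local zone, so the UTC value decoded from d639e4b1.426630fb is one hour behind the 15:12:01 shown in the SRX output.

```python
"""Decode ntpd diagnostics: hex NTP timestamps, the 'status=' system status
word, and 'show ntp associations' / 'ntpq -pn' peer lines.

Added example for this thread, not Juniper's or ntpd's code.  Field layouts
follow RFC 1305 as printed by ntpd 4.2 / ntpq; sample values are the ones
quoted in the thread."""
import datetime as dt
from typing import NamedTuple, Optional

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_timestamp_to_utc(hexts: str) -> Optional[dt.datetime]:
    """Convert ntpd's 'secs.frac' hex timestamp (e.g. d639e4b1.426630fb) to UTC.

    An all-zero timestamp means the clock has never been set; ntpq renders it
    as 7 Feb 2036 (era rollover), which this function reports as None instead.
    """
    sec_hex, frac_hex = hexts.split(".")
    secs, frac = int(sec_hex, 16), int(frac_hex, 16)
    if secs == 0 and frac == 0:
        return None
    micros = frac * 1_000_000 // 2**32  # 32-bit binary fraction of a second
    epoch = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
    return epoch + dt.timedelta(seconds=secs - NTP_UNIX_DELTA, microseconds=micros)


# System status word: bits 15-14 leap, 13-8 clock source, 7-4 event count, 3-0 last event.
LEAP = {0: "leap_none", 1: "leap_add_sec", 2: "leap_del_sec", 3: "sync_alarm"}
SOURCE = {0: "sync_unspec", 5: "sync_local_proto", 6: "sync_ntp"}  # codes seen in ntpq output
EVENT = {0: "event_unspec", 1: "event_restart", 2: "event_fault", 3: "event_sync_chg",
         4: "event_peer/strat_chg", 5: "event_clock_reset", 6: "event_bad_date",
         7: "event_clock_excptn"}


class SystemStatus(NamedTuple):
    leap: str
    source: str
    event_count: int
    last_event: str


def decode_status_word(hexword: str) -> SystemStatus:
    """Decode the 'status=0644' / 'status=c011' word from 'show ntp status'."""
    w = int(hexword, 16)
    src = (w >> 8) & 0x3F
    ev = w & 0xF
    return SystemStatus(LEAP[(w >> 14) & 0x3],
                        SOURCE.get(src, f"sync_src_{src}"),
                        (w >> 4) & 0xF,
                        EVENT.get(ev, f"event_{ev}"))


class Association(NamedTuple):
    tally: str        # ntpq selection mark: '*' system peer, '+' candidate, '-' outlier, '' none
    remote: str
    refid: str
    stratum: int      # 16 = peer unsynchronized
    reach: int        # shift register of the last 8 polls, printed in octal (377 = all answered)
    jitter_ms: float


def parse_association(line: str) -> Association:
    """Parse one data line of 'show ntp associations' (leading whitespace may be gone)."""
    remote, refid, st, _t, _when, _poll, reach, _delay, _offset, jitter = line.split()
    tally = ""
    # Assumes numeric peer addresses, so a leading mark character is a tally, not a name.
    if remote[0] in "*+-#x.o":
        tally, remote = remote[0], remote[1:]
    return Association(tally, remote, refid, int(st), int(reach, 8), float(jitter))


def diagnose(a: Association) -> str:
    """Say why a client would not sync to this peer, or report it usable."""
    if a.reach == 0:
        return ("no replies reached ntpd (reach 0): check reachability to the server and, "
                "on the server, zone host-inbound-traffic and any lo0 filter")
    if a.stratum >= 16:
        return "peer itself is unsynchronized (stratum 16)"
    return "usable: selected as system peer" if a.tally == "*" else "usable: responding, not selected"


if __name__ == "__main__":
    print(ntp_timestamp_to_utc("d639e4b1.426630fb"))   # SRX reftime, in UTC
    print(ntp_timestamp_to_utc("00000000.00000000"))   # EX reftime: never synchronized
    print(decode_status_word("0644"), decode_status_word("c011"))
    for line in ("10.31.251.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00",
                 "*10.31.238.6 10.31.8.3 4 - 5 64 1 2.903 -0.077 0.340"):
        a = parse_association(line)
        print(a.remote, "->", diagnose(a))
```

Run as a script it decodes the thread's own values; the reach field is the first thing to look at, since a peer can only be judged once at least one reply has been accepted, and both failing lines above (refid .INIT. and .STEP., stratum 16) have reach 0.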
