SRX Services Gateway
Trusted Contributor
bwoodberg
Posts: 24
Registered: ‎11-16-2010

The Importance of NTP for IPSec VPNs on the HE SRX

Question:  Why is time so important for the High End SRX when it comes to IPSec VPNs?

 

Answer:  Time synchronization is always a great practice to employ for computer networks in general, but it has a particular importance when it comes to the high end SRX (e.g. SRX 1400, 3x00, 5x00) due to the distributed data plane.  If you are only setting your time manually, then the clocks throughout the system will not be synchronized, and due to drift will create some odd behaviors, primarily when checking command output, and even potentially having VPNs flapping unnecessarily due to SA expiration.

 

Solution:  You should always set the SRX to use an NTP server.  If you have one in your organization, that may be preferable, but there are plenty of them available publicly.

 

E.g., the following command sets up time resolution for NTP on JUNOS devices: "set system ntp server <NTP Server Hostname or IP Address>"
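
A way to confirm the device is actually synchronized once the NTP server is set, added here as an example that is not part of the original post or Juniper's own code: it parses `show ntp associations` output and reports when no peer is selected or a peer is unreachable. The sample output is constructed, and the 100 ms offset threshold is an assumption.

```python
# Constructed samples in the ntpq-style layout that `show ntp associations` prints.
HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
SYNCED = HEADER + (
    "*192.0.2.10      .GPS.            1 u   34   64  377    0.512   -0.113   0.045\n"
    "+192.0.2.11      192.0.2.10       2 u   12   64  377    0.733    0.204   0.061\n"
)
UNSYNCED = HEADER + (
    " 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000 4000.00\n"
)


def parse_associations(text):
    """Return one dict per peer row; the first column is the tally code."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        peers.append({
            "tally": line[0],              # '*' marks the selected sync peer
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),    # octal bitmap of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers


def check_sync(text, max_offset_ms=100.0):
    """Return a list of findings; an empty list means the clock looks synced."""
    peers = parse_associations(text)
    findings = []
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        findings.append("no peer selected as sync source")
    for p in peers:
        if p["reach"] == 0:
            findings.append(f"{p['remote']} unreachable (reach 0)")
    for p in selected:
        if abs(p["offset_ms"]) > max_offset_ms:  # threshold is an assumption
            findings.append(f"{p['remote']} offset {p['offset_ms']} ms too large")
    return findings


if __name__ == "__main__":
    for name, sample in (("synced", SYNCED), ("unsynced", UNSYNCED)):
        print(name, check_sync(sample) or "OK")
```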


Juniper Employee
mxk
Posts: 13
Registered: ‎02-06-2008

Re: The Importance of NTP for IPSec VPNs on the HE SRX

Good message! If I may add to it, I suggest using pool.ntp.org as a clock source. 


--mxk
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.