SRX Services Gateway

Odd NTP issue

‎07-20-2016 12:02 PM

Our NTP is acting funny. It seems I have to add the loopback to the NTP firewall... I don't understand why.

 

show configuration system ntp
inactive: server 10.1.1.110 version 4;
server 10.0.0.4 version 4;
source-address 10.8.252.63;

 

term NTP {
    from {
        source-address {
            10.1.1.110/32;
            10.0.0.4/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

 

This is what I see:

 

Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:19 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:11 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:50138, Destination address: 10.8.252.63:123

 

show configuration interfaces lo0
hold-time up 0 down 2000;
unit 0 {
    family inet {
        no-redirects;
        filter {
            input management;
        }
        address 10.8.252.63/32;
    }
}

 

Why is it doing this? It does not seem right; on other routers we have, we do not need to do this. The zones are not blocking; I looked at our zone log.

I tried rebooting the device already, running the latest TAC code.


Re: Odd NTP issue

‎07-20-2016 09:03 PM
Hi Andrewmiller,

Can you please confirm if your NTP is working fine? Also, do you see this error always or when you run NTP commands like “show ntp associations”?

When you run "show ntp associations" on the CLI, it in turn runs the ntpq utility. This utility gets the NTP peer association info by sending a UDP packet to the xntpd server running on the same node on a loopback address.
In this case, since the loopback filter allows only 10.1.1.110 and 10.0.0.4, the above-mentioned query is blocked and generates the messages you see.
Thanks,
Suraj

Re: Odd NTP issue

‎07-21-2016 03:29 AM

Hi,

 

This KB would probably explain this behaviour:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11436&actp=search

 

While the NTP association with the configured NTP server would be working, a query to the local system for NTP status would be reporting a timeout.

 

Cheers,

Ashvin
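
Added example, not part of the original thread: a small Python triage script that parses firewall log output in the format posted above and separates discards caused by the box querying its own NTP daemon (source and destination are the same address, destination port 123) from discards that came from another host. The `192.0.2.50` record and its interface name are constructed for contrast; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the thread's firewall log format; the 192.0.2.50
# record is invented to show a non-local discard for contrast.
SAMPLE = """\
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:19 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:11 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:50138, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:40:02 CDT, Filter: management, Filter action: discard, Name of interface: ge-0/0/0.0
Name of protocol: UDP, Packet Length: 76, Source address: 192.0.2.50:123, Destination address: 10.8.252.63:123
"""

HEAD = re.compile(r"Time of Log: (?P<time>[^,]+), Filter: (?P<filter>[^,]+), "
                  r"Filter action: (?P<action>[^,]+), Name of interface: (?P<ifname>\S+)")
PKT = re.compile(r"Name of protocol: (?P<proto>\w+), Packet Length: \d+, "
                 r"Source address: (?P<src>[\d.]+):(?P<sport>\d+), "
                 r"Destination address: (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(text):
    """Pair each 'Time of Log' line with the packet line that follows it.
    A packet line with no header (paste cut mid-record) is skipped."""
    records, head = [], None
    for line in text.splitlines():
        h, p = HEAD.search(line), PKT.search(line)
        if h:
            head = h.groupdict()
        elif p and head:
            records.append({**head, **p.groupdict()})
            head = None
    return records

def classify(rec):
    """Label a logged packet: self-query to the local NTP daemon, or other."""
    if rec["action"] != "discard":
        return "not-discarded"
    if rec["proto"] == "UDP" and rec["dport"] == "123" and rec["src"] == rec["dst"]:
        return "local-ntp-query"  # box talking to its own NTP daemon (ntpq)
    return "other-discard"  # needs review: a different host hit the filter

def summarize(text):
    return Counter(classify(r) for r in parse(text))

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["time"], rec["src"], "->", rec["dst"], classify(rec))
```
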
