SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX as an NTP server

  • 1.  SRX as an NTP server

    Posted 11-22-2013 06:24

    Hi,

    I have an SRX box, that is connected to a NTP server (which is synchronized to pool.ntp.org).

    I want the SRX to serve time to other switches and firewalls, however it does not seem to work.

     

    NTP Server (10.31.8.3) -> SRX (Server, 10.31.251.1) -> EX (Client, 10.31.251.2)

     

    This is the SRX that I want to act as an NTP server for some clients:

     

    root@CLY-S1-FWBCK-01> show configuration system ntp
    boot-server 10.31.8.3;
    server 10.31.8.3 prefer;
    source-address 10.31.238.6;

     

    {primary:node0}
    root@CLY-S1-FWBCK-01> show ntp associations
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    *10.31.8.3 193.55.167.2 3 - 50 64 377 1.544 1.407 1.196

     

    {primary:node0}
    root@CLY-S1-FWBCK-01> show ntp status
    status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
    version="ntpd 4.2.0-a Thu Aug 22 06:38:40 UTC 2013 (1)",
    processor="octeon", system="JUNOS11.4R9.4", leap=00, stratum=4,
    precision=-17, rootdelay=11.106, rootdispersion=60.095, peer=49636,
    refid=10.31.8.3,
    reftime=d639e4b1.426630fb Fri, Nov 22 2013 15:12:01.259, poll=6,
    clock=d639e527.10593258 Fri, Nov 22 2013 15:13:59.063, state=4,
    offset=1.357, frequency=1.112, jitter=1.257, stability=0.007

     

    So it seems alright to me, stratum 4 and synchronized to our NTP server 10.31.8.3.

     

    However when I try to sync an EX switch to this SRX, it does not work:

     

    {master:0}
    root@CLY-S0-SWBCK-01> ping 10.31.251.1 rapid
    PING 10.31.251.1 (10.31.251.1): 56 data bytes
    !!!!!
    --- 10.31.251.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.950/2.381/2.801/0.298 ms

     

    {master:0}
    root@CLY-S0-SWBCK-01> show ntp associations
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    10.31.251.1 .INIT. 16 - - 1024 0 0.000 0.000 4000.00

    {master:0}
    root@CLY-S0-SWBCK-01> show ntp status
    status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
    version="ntpd 4.2.0-a Thu Jun 13 23:41:15 UTC 2013 (1)",
    processor="arm", system="JUNOS12.3R3.4", leap=11, stratum=16,
    precision=-17, rootdelay=0.000, rootdispersion=19.350, peer=0,
    refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 7:28:16.000,
    poll=4, clock=d639e65f.2c040566 Fri, Nov 22 2013 15:19:11.171, state=1,
    offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

     

    Any idea of what might be going on here? Any parameters I might have missed on the SRX?

     

    Many thanks,

    Thomas



  • 2.  RE: SRX as an NTP server

    Posted 11-22-2013 07:36

    Hello,

    Do You have the following defined under zone|interface?

     

    set security zones security-zone BLAH host-inbound-traffic system-services ntp

     Thanks

    Alex



  • 3.  RE: SRX as an NTP server

    Posted 11-22-2013 07:49

    Hi aarseniev,

    thanks for your answer.

    Yes I allowed ntp as inbound traffic on the zone of the interface the SRX is supposed to respond to the EX to.



  • 4.  RE: SRX as an NTP server

    Posted 11-22-2013 08:43

    Hello,

    Please post the SRX config snippets of  "system ntp" stanza and security zone where NTP clients are located.

    Remember that "host-inbound-traffic" under interface overrides "host-inbound-traffic" under zone.

    Thanks

    Alex



  • 5.  RE: SRX as an NTP server

    Posted 11-22-2013 08:54

    Hello,

    here it is

     

    {primary:node0}
    root@SRX> show configuration system ntp
    boot-server 10.31.8.3;
    server 10.31.8.3 prefer;
    source-address 10.31.238.6;

     

    {primary:node0}
    root@SRX> show configuration security zones security-zone Z-XXX
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            ntp;
        }
    }
    interfaces {
        reth0.100;
    }



  • 6.  RE: SRX as an NTP server

    Posted 11-22-2013 09:47

    Hello,

    Thanks for posting the config.

    These config bits look good to me, few further questions:

    1/ is the NTP source IP 10.31.238.6 same as reth0.100 IP?

    2/ is there any lo0.0 filter which blocks inbound NTP (UDP with src.port 123+dst.port 123)? This is how regular NTP works as opposed to "set date ntp" CLI command which uses UDP src.port 1024-65535+dst.port 123

    3/ Is reth0.100 inside Virtual Router, by any chance?

    Thanks
    Alex



  • 7.  RE: SRX as an NTP server

    Posted 11-23-2013 04:02

    @aarseniev wrote:

    1/ is the NTP source IP 10.31.238.6 same as reth0.100 IP?

    2/ is there any lo0.0 filter which blocks inbound NTP (UDP with src.port 123+dst.port 123)?

    3/ Is reth0.100 inside Virtual Router, by any chance?

    Alex


     Hi Alex,

    1/ No it is not.

    Basically we have:

    [NTP server, 10.31.8.3] <----> [SRX reth0.311 10.31.238.6 || reth0.100 10.31.251.1] <----> [EX3300 vlan.100 10.31.251.2]

     

    2/ I don't think so. We don't have any firewall filter on this box.

     

    3/ Nope, reth0.311 and reth0.100 are in the default routing instance (inet0 table).

     


    @Kevin Dicks wrote:

    Did you see if there was any useful info held within the messages log?

     

     


    Here are the last logs on the SRX

    {primary:node0}
    root@SRX> show log messages | match ntp

    Nov 22 15:06:41 SRX xntpd[16308]: kernel time sync enabled 2001
    Nov 23 08:26:48 SRX xntpd[16308]: kernel time sync enabled 6001
    Nov 23 08:43:53 SRX xntpd[16308]: kernel time sync enabled 2001
    Nov 23 11:17:29 SRX xntpd[16308]: kernel time sync enabled 6001
    Nov 23 11:34:32 SRX xntpd[16308]: kernel time sync enabled 2001
    Nov 23 12:08:41 SRX xntpd[16308]: kernel time sync enabled 6001
    Nov 23 12:25:47 SRX xntpd[16308]: kernel time sync enabled 2001

     

    And on the EX side:

     

    Nov 23 08:26:23 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 09:01:00 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 09:35:36 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 10:10:16 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 10:44:53 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 11:19:30 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 11:54:08 EX3300 xntpd[21800]: NTP Server Unreachable
    Nov 23 12:28:43 EX3300 xntpd[21800]: NTP Server Unreachable

     

    So, not really useful 🙂

     


    @lyndidon wrote:

    The switch is configured in symmetric active mode. Set the switch to client mode and test it. Also, what kind of server is this server 10.31.8.3? I am almost sure that this server should be a Stratum 1 or at least server 10.31.8.3 should be synchronizing with a Stratum 1 server, even though there may not be any mention of it in the documents and Juniper says it does not have to be a Stratum 1. Maybe a Stratum 2 will work also. Then you have to make sure the SRX is synchronized with its peer server. You must peer with a real NTP server (Unix/Windows will do), otherwise the clients will not trust that server as an accurate time source.

     


    The EX is not configured in symmetric active mode, that's what I don't get.

    Just a standard ntp client mode:

     

    {master:0}
    root@EX3300> show configuration system ntp
    server 10.31.251.1;
    source-address 10.31.251.2;

     

    10.31.8.3 is a Red Hat Linux server synchronized to pool.ntp.org. It is considered a stratum 3 server as it is synchronized with a stratum 2 ntp server. And the SRX is a stratum 4 as it is connected to this server.

     

    [admin@10.31.8.3 ~]$ ntpq -pn
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    +5.39.75.216 145.238.203.14 2 u 103 1024 377 5.188 -1.176 0.170
    -88.190.34.35 195.83.222.27 2 u 139 1024 377 48.717 22.605 0.597
    *212.83.133.52 145.238.203.14 2 u 163 1024 377 1.856 -0.328 0.059
    +193.55.167.2 192.93.2.20 2 u 356 1024 377 6.962 0.652 0.035
    127.127.1.0 .LOCL. 10 l 5 64 377 0.000 0.000 0.000

     



  • 8.  RE: SRX as an NTP server

    Posted 11-23-2013 07:14

    Okay, so I added the address 10.31.238.6 (which is the address of reth0.311 of the SRX) as an NTP server on my EX switch, and it does work:

     

    {master:0}[edit]
    root@EX3300# run show ntp associations
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    10.31.251.1 .STEP. 16 - - 64 0 0.000 0.000 4000.00
    *10.31.238.6 10.31.8.3 4 - 5 64 1 2.903 -0.077 0.340

     

    Why wouldn't I be able to use SRX's reth0.100 address... I have a default policy of permit all at the moment, so it shouldn't matter.



  • 9.  RE: SRX as an NTP server

    Posted 11-23-2013 22:44
    Awesome. Mark the answer describing what you did that resolved it as the solution.


  • 10.  RE: SRX as an NTP server
    Best Answer

    Posted 11-24-2013 06:48

    Hello there,

     


    @lto wrote:

     

    Why wouldn't I be able to use SRX's reth0.100 address... I have a default policy of permit all at the moment, so it shouldn't matter.



    If You explicitly specify SRX NTP source-address, then You cannot use different src addresses for SRX NTP client and SRX NTP server, but from Your configs it is clear to me that this is exactly what You were trying to do. I even asked You a question " is the NTP source IP 10.31.238.6 same as reth0.100 IP?" but it seems You figured this problem out sooner.

    HTH

    Thanks
    Alex

     



  • 11.  RE: SRX as an NTP server

    Posted 11-24-2013 07:00

    aarseniev wrote:

    Hello there,

    If You explicitly specify SRX NTP source-address, then You cannot use different src addresses for SRX NTP client and SRX NTP server

    HTH

    Thanks
    Alex


    Wow, I did not know that...

    Anyway, thanks to you all. 🙂



  • 12.  RE: SRX as an NTP server

    Posted 11-22-2013 14:13

    Hello lto,

     

    Did you see if there was any useful info held within the messages log?

     

    show log messages | match ntp

    Just curious to see if the SRX logged any details, that may be helpful.

     

    Also I think the 4000.00 value for jitter from the 'show ntp associations' command, is measured in milliseconds and isn't NTP considered out-of-sync above 120 milliseconds? I would need to verify this.

     

    Thanks
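    Reading the association tables posted in this thread is the quickest way to tell an unreachable server apart from an unsynchronized one: reach is an octal shift register of the last eight polls, stratum 16 is "unsynchronized", and refids such as .INIT., .STEP. and .LOCL. are status codes rather than upstream addresses. The parser below is an added example, not code from the thread or from Juniper; its sample table is constructed from the rows posted above, re-aligned into the normal column layout, and it accepts both Junos "show ntp associations" and ntpq -pn output.

```python
"""Parse 'show ntp associations' / 'ntpq -pn' rows and flag peers that are not
usable time sources.  Added example; not code from the thread."""

# Constructed sample built from the rows posted in this thread (columns re-aligned).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.31.251.1     .STEP.          16 -    -   64    0    0.000    0.000 4000.00
*10.31.238.6     10.31.8.3        4 -    5   64    1    2.903   -0.077   0.340
+193.55.167.2    192.93.2.20      2 u  356 1024  377    6.962    0.652   0.035
 127.127.1.0     .LOCL.          10 l    5   64  377    0.000    0.000   0.000
"""

# Tally codes printed in the first column by ntpq and Junos.
TALLY = {
    "*": "system peer (the local clock is being steered to it)",
    "o": "PPS peer",
    "+": "candidate, included in the combine",
    "#": "selected, but beyond the survivor limit",
    "-": "outlier, discarded by the clustering algorithm",
    "x": "falseticker, discarded by the intersection algorithm",
    ".": "discarded as excess",
    " ": "rejected or not yet usable (unreachable, unsynchronized or still initializing)",
}

STATUS_REFIDS = {
    ".INIT.": "association created, no valid reply received yet",
    ".STEP.": "clock was stepped; waiting for fresh samples",
    ".LOCL.": "undisciplined local clock, not a real time source",
}


def parse_associations(text: str) -> list:
    """Return one dict per association row; header and separator lines are skipped."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("remote") or line.startswith("="):
            continue
        tally = " "
        if not line[0].isalnum():           # a tally code precedes the remote address
            tally, line = line[0], line[1:].strip()
        fields = line.split()
        if len(fields) != 10:
            continue                        # not an association row
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        reach_val = int(reach, 8)           # octal: one bit per poll, rightmost = most recent
        peers.append({
            "tally": tally, "remote": remote, "refid": refid, "stratum": int(st),
            "type": t, "when": None if when == "-" else int(when), "poll": int(poll),
            "reach": reach_val, "reach_bits": format(reach_val, "08b"),
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def diagnose(peer: dict) -> list:
    """Human-readable reasons this peer is or is not a usable time source."""
    notes = [TALLY.get(peer["tally"], f"unknown tally {peer['tally']!r}")]
    if peer["reach"] == 0:
        notes.append("reach 0: no reply received in the last 8 polls")
    elif peer["reach"] != 0o377:
        notes.append(f"reach {peer['reach_bits']}: replies missing in some of the last 8 polls")
    if peer["stratum"] == 16:
        notes.append("stratum 16: peer reports itself unsynchronized")
    if peer["refid"] in STATUS_REFIDS:
        notes.append(f"{peer['refid']}: {STATUS_REFIDS[peer['refid']]}")
    return notes


def usable_sources(peers: list) -> list:
    """Peers that have answered recently, are synchronized, and are not the local clock."""
    return [p["remote"] for p in peers
            if p["reach"] != 0 and p["stratum"] < 16 and p["refid"] != ".LOCL."]


if __name__ == "__main__":
    for peer in parse_associations(SAMPLE):
        print(f"{peer['remote']:16} st={peer['stratum']:<2} reach={peer['reach_bits']}")
        for note in diagnose(peer):
            print("   ", note)
```

    Applied to the table from post 8, the row for 10.31.251.1 shows reach 0 and stratum 16 (the SRX never answered from that address), while 10.31.238.6 shows reach 00000001 with the server's real stratum, meaning the first reply just arrived.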



  • 13.  RE: SRX as an NTP server

    Posted 11-22-2013 23:43

    The switch is configured in symmetric active mode. Set the switch to client mode and test it. Also, what kind of server is this server 10.31.8.3? I am almost sure that this server should be a Stratum 1 or at least server 10.31.8.3 should be synchronizing with a Stratum 1 server, even though there may not be any mention of it in the documents and Juniper says it does not have to be a Stratum 1. Maybe a Stratum 2 will work also. Then you have to make sure the SRX is synchronized with its peer server. You must peer with a real NTP server (Unix/Windows will do), otherwise the clients will not trust that server as an accurate time source.
    One more thing, the SRX is not listed as a supported platform for clients. Several Juniper devices are listed but not the SRX.