SRX Services Gateway

The Importance of NTP for IPSec VPNs on the HE SRX

‎11-16-2010 05:52 AM

Question: Why is time so important for the High End SRX when it comes to IPSec VPNs?

Answer: Time synchronization is always a great practice to employ for computer networks in general, but it has a particular importance when it comes to the high end SRX (e.g. SRX 1400, 3x00, 5x00) due to the distributed data plane. If you are only setting your time manually, then the clocks throughout the system will not be synchronized, and due to drift will create some odd behaviors, primarily when checking command output, and even potentially having VPNs flapping unnecessarily due to SA expiration.

Solution: You should always set the SRX to use an NTP server. If you have one in your organization, that may be preferable, but there are plenty of them available publicly.

E.g., the following command sets up time resolution for NTP on JUNOS devices: "set system ntp server <NTP Server Hostname or IP Address>"


1 REPLY

Re: The Importance of NTP for IPSec VPNs on the HE SRX

‎11-16-2010 10:33 AM

Good message! If I may add to it, I suggest using pool.ntp.org as a clock source. 


--mxk