SRX

Hi everybody,

Pease consider the following set up:

SRX ( NTP Client)--20.20.20.10--------200.20.20.200 -NTP SERVER 

1)Above SRX is configured with MD5 key for NTP to ensure  SRX will only synch time with authorised NTP server i.e NTP server has to prove to NTP Client ( SRX) that it is legitimate NTP server.

2) Cisco router is acting as NTP stratum one server above. 

SRX CONFIG:

SRX has synched its clock with NTP source ,  though NTP server is not configured with any autehentication key

NTP SERVER config:

NTP SERVER#show running-config | begin ntp
ntp master 1
###############

Capture taken on SRX shows SRX ( NTP Client) does send MD5 hash with key number 1:

SRX Version:

####################################################################

Question:

1) As we can see above SRX has synched time with NTP server( which does not have any NTP authentiction configured),  though SRX is confgured for NTP authenticaion. Is it a bug?

2) Even when NTP server is configured with mismatched MD5 key, SRX ( NTP client) is still able to synced time:

NTP SERVER (config)#ntp authentication-key 1 md5 KOO

Thanks and have a good weekend!!

Your configuration looks correct.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-authentication-keys.html

So it seems likely it is a bug (Juniper calls these PR problem reports).  However, I don't see it listed in the public PR database for your version so you might need to raise an official support case to report it.

https://prsearch.juniper.net/InfoCenter/index?page=prsearch#qt=ntp&bv=12.1X47-D15&sid=srx&dt=0&mode=undefined&stype=affectingthis&start=0&srtBy=relevance

(login required to the search before the link will work)

I would start with upgrading to the JTAC recommend code.  If the keys are mismatched, you should not be able to sync time with the peer.

I would agree with this. upgrade to the latest recommended code and this should take care of the mismatch issue, then let's see.

Cheers,

Benjamin