SRX

Hello all. I'm trying to configure our SRX3600 cluster to sync with outside NTP servers but I'm not having any luck with this.

I have the following configured on the cluster.

ntp {
    boot-server 161.53.160.5;
    server 161.53.160.5 prefer;
    server 161.53.123.5;
    source-address 127.0.0.1;
}

lo0 {
    unit 0 {
        family inet {
            filter {
                input CONTROL_PLANE;
            }
            address 127.0.0.1/32;
        }
    }
}

NTP relevant part of the firewall filter

term 400_PERMIT_NTP {
    from {
        source-address {
            161.53.160.4/32;
            161.53.123.4/32;
            127.0.0.1/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}
term 401_DENY_NTP_1 {
    from {
        protocol udp;
        port ntp;
    }
    then {
        discard;
    }
}

The routing for the cluster

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
        route 10.64.8.96/32 next-table internet.inet.0;
        route 10.64.8.202/32 next-table internet.inet.0;
        route 161.53.160.5/32 next-table internet.inet.0;
        route 161.53.123.5/32 next-table internet.inet.0;
        route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;
        interface reth0.0;
        interface reth1.230;
        interface reth1.231;
        interface reth1.232;
        interface reth1.233;
        interface reth1.234;
        interface reth1.235;
        interface reth1.236;
        interface reth1.244;
        interface reth1.246;
        interface reth1.248;
        interface reth1.249;
        interface reth1.252;
        interface reth1.666;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

With all of this configured I get the following results.

> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 161.53.160.5    .INIT.          16 -    - 1024    0    0.000    0.000 4000.00
 161.53.123.5    .INIT.          16 -    - 1024    0    0.000    0.000 4000.00

> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)",
processor="powerpc", system="JUNOS12.3X48-D75.4", leap=11, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=309.015, peer=0,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036  7:28:16.000,
poll=4, clock=dfea239b.a2b2bea1  Wed, Jan 16 2019 22:41:47.635, state=1,
offset=0.000, frequency=0.778, jitter=0.004, stability=0.000

> set date ntp
node0:
--------------------------------------------------------------------------
16 Jan 22:42:22 ntpdate[68700]: no server suitable for synchronization found

node1:
--------------------------------------------------------------------------
16 Jan 22:42:22 ntpdate[70021]: no server suitable for synchronization found

> show log messages | match ntp

Jan 16 22:37:44  SRX xntpd[1381]: NTP Server Unreachable
Jan 16 22:40:56  SRX ntpq: attempt to configure invalid address 127.0.0.1
Jan 16 22:41:47  SRX ntpq: attempt to configure invalid address 127.0.0.1
Jan 16 22:42:22  SRX xntpd[1381]: ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)
Jan 16 22:42:22  SRX xntpd[1381]: mlockall(): Resource temporarily unavailable
Jan 16 22:42:22  SRX mgd[68688]: UI_CHILD_EXITED: Child exited: PID 68689, status 1, command '/usr/libexec/ui/ntp-date'
Jan 16 22:42:22  SRX xntpd[1381]: attempt to configure invalid address 127.0.0.1
Jan 16 22:42:37  SRX xntpd[1381]: ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)
Jan 16 22:42:37  SRX xntpd[1381]: mlockall(): Resource temporarily unavailable
Jan 16 22:42:37  SRX mgd[68705]: UI_CHILD_EXITED: Child exited: PID 68706, status 1, command '/usr/libexec/ui/ntp-date'
Jan 16 22:42:37  SRX xntpd[1381]: attempt to configure invalid address 127.0.0.1

I'm lost on what's going on here as I have a similar configuration on MX80 and EX4600 devices that work all right. The logs show a problem with the routing even when I have a route in the intet.0 pointing to the routing instance. Any help ewith this would be appreciated.

The source address needs to be a valid routable ip address configured on an interface that will egress the ntp request.

source-address 127.0.0.1

Hi, Igor

I can see that the SRX is configured to contact 161.53.160.5 and 161.53.123.5, however the filter on the loopback address permits the NTP updates from different addresses (161.53.160.4 and 161.53.123.4😞

lo0 {
    unit 0 {
        family inet {
            filter {
                input CONTROL_PLANE;
            }


term 400_PERMIT_NTP {
    from {
        source-address {
            161.53.160.4/32;
            161.53.123.4/32;
            127.0.0.1/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

Can you confirm this?

Hi. I have changed the source address for NTP to the IP address of the reth0.0 interface(my public facing interface)

ntp {
    boot-server 161.53.160.5;
    server 161.53.160.5 prefer;
    server 161.53.123.5;
    source-address x.x.x.9;
}

And I have changed the relevant part for the firewall filter which i mistyped to this

term 400_PERMIT_NTP {
    from {
        source-address {
            127.0.0.1/32;
            161.53.160.5/32;
            161.53.123.5/32;
            x.x.x.9/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

I still can't connect to NTP servers though. Here are some outputs:

# run show ntp associations
/usr/bin/ntpq: configured source-address in ntp.conf x.x.x.9 invalid. <-- still getting invalid address
Using one of the local addresses.
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 161.53.160.5    .INIT.          16 -    -  512    0    0.000    0.000 4000.00
 161.53.123.5    .INIT.          16 -    -  512    0    0.000    0.000 4000.00

# run set date ntp
node0:
--------------------------------------------------------------------------
17 Jan 09:04:37 ntpdate[70015]: no server suitable for synchronization found

node1:
--------------------------------------------------------------------------
17 Jan 09:04:37 ntpdate[71547]: no server suitable for synchronization found

Here is the configuration of the reth.0 interface

reth0 {
    description Outside;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            simple-filter {
                input protect-firewall;
            }
            address x.x.x.9/24;
        }
    }
}

simple-filter protect-firewall {
    term 0 {
        from {
            destination-address 192.168.0.0/16;
        }
        then discard;
    }
    term 1 {
        from {
            destination-address x.x.x.9/32;
        }
        then policer police-firewall-traffic;
    }
    term 2 {
        then accept;
    }
}

policer police-firewall-traffic {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 1500;
    }
    then discard;
}

Please follow this KB article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB22499&actp=METADATA

Hi Igor,

I assume that your public facing interface is under the internet virtual router. The ntp packets will be generated from the master routing-instance so you need to configure an IP address on your loopback interface (in the master routing-instance) and source the ntp messages from the IP address of the loopback interface.

Also make sure that you have the proper NAT configuration in place so that the NTP messages can reach the NTP servers on the Internet.

Igor,

Were you able to fix this issue?

Sorry for the late reply everyone but other work just took me over. Anyway I tried the solution in the tech article and it worked with some minor tweeks to the control plane filter.

Thank you everyone for the help.