SRX

NTP auth with SRX as server?

    Posted 08-10-2021 09:14
    Trying to harden NTP. I have the NTP keys set up, but devices without keys can still pull NTP.

    For example, a switch can still sync and shows stratum 3.

    If I try "set date ntp" that fails, but it works if I add the key to the config.

    "show ntp status" and "show ntp associations" both show a good connection (I also see two-way traffic).

    Any thoughts on this?

    The Juniper docs do not show how to apply this key to the SRX NTP server itself, as far as I can see/find.


    SRX config 
    set system ntp boot-server 10.1.x.x
    set system ntp authentication-key 1 type sha256   <<< for new devices
    set system ntp authentication-key 1 value "XXXXXX"
    set system ntp authentication-key 2 type md5  <<< for older stuff 
    set system ntp authentication-key 2 value "XXXXXX"
    set system ntp server 10.1.x.x version 4  <<< internal GPS NTP server
    set system ntp server 162.159.200.123 version 4  <<< External NTP server
    set system ntp trusted-key 1
    set system ntp trusted-key 2

    switch WITH KEY 
    set date ntp
    Aug 09 15:33:49
    9 Aug 15:33:50 ntpdate[65302]: step time server 10.200.x.x offset 0.000830 sec
    show ntp associations
    Aug 09 15:47:24
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    *10.200.x.x 10.1.x.x 2 - 22 64 377 27.191 0.786 1.247
    show ntp status
    Aug 09 15:47:13
    status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
    version="ntpd 4.2.0-a Thu Feb 13 14:20:29 UTC 2020 (1)",
    processor="arm", system="JUNOS12.3R12-S15", leap=00, stratum=3,
    precision=-17, rootdelay=28.412, rootdispersion=26.863, peer=45916,
    refid=10.200.x.x
    reftime=e4bc113e.5bc2a5b5 Mon, Aug 9 2021 15:40:30.358, poll=6,
    clock=e4bc12d2.02954c9c Mon, Aug 9 2021 15:47:14.010, state=4,
    offset=0.786, frequency=-28.732, jitter=0.943, stability=0.008
    show configuration system ntp | display set
    Aug 09 15:51:15
    set system ntp boot-server 10.200.x.x
    set system ntp authentication-key 2 type md5
    set system ntp authentication-key 2 value "XXXXXXXX"
    set system ntp server 10.200.x.x
    set system ntp trusted-key 2
    set system ntp source-address 10.8.x.x

    switch WITHOUT KEY
    set date ntp
    Aug 09 15:32:15

    Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
    SW_803_A kernel: rtc8564je_rtc0: RTC ERROR(16): read failed for off:2(len:1)

    Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
    SW_803_A kernel: rtc8564je_rtc0: SETTIME failed for seconds: error 16
    9 Aug 15:32:16 ntpdate[10243]: step time server 10.200.255.230 offset 0.001236 sec << worked? 
    show ntp associations
    Aug 09 15:32:27
    remote refid st t when poll reach delay offset jitter
    ===============================================================================
    *10.200.x.x 10.1.x.x 2 - 1 64 1 23.382 -1.518 1.882
    show ntp status
    Aug 09 15:32:33
    status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
    version="ntpd 4.2.0-a Wed Jun 24 22:59:07 2020 (1)", processor="arm",
    system="FreeBSDJNPR-11.0-20200601.4ea4791_buil", leap=00, stratum=3,
    precision=-19, rootdelay=24.602, rootdispersion=955.323, peer=38052,
    refid=10.200.x.x,
    reftime=e4bc0f58.19f8f2e3 Mon, Aug 9 2021 15:32:24.101, poll=4,
    clock=e4bc0f61.8322034e Mon, Aug 9 2021 15:32:33.512, state=2,
    offset=-1.518, frequency=-18.798, jitter=1.037, stability=0.005

    show configuration system ntp | display set
    Aug 09 15:50:39
    set system ntp boot-server 10.200.x.x
    set system ntp server 10.200.x.x
    set system ntp source-address 10.8.x.x

    Do I need to add the SRX as a server and apply the keys to it? But then it would try to get NTP from itself, correct?
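An added example, not part of the post above and not Junos code: a Python model of NTP symmetric-key authentication as specified in RFC 5905 section 7.3 (MAC = key ID followed by digest(key || header)). It plays the role of a server whose key table mirrors the "authentication-key 1 type sha256 / authentication-key 2 type md5 / trusted-key 1 2" configuration in the post, and of the two switches. Key values, the timestamp and the refid are constructed for the example. The MD5 MAC layout is from the RFC and ntpd uses the same layout for SHA-1; that Junos's sha256 key type follows the same keyid-plus-digest pattern is an assumption noted in the code. What it shows is where the authentication actually bites: a client with a trusted key rejects a reply that carries no MAC or the wrong one, while a client with no key has nothing to check and accepts whatever it receives, and the server answers both kinds of request. In reference ntpd, refusing service to unauthenticated clients is an access-control setting (the notrust restrict flag), separate from the key configuration; whether the SRX exposes an equivalent is not established on this page.

```python
"""Added example: NTP symmetric-key (keyid + digest) authentication, RFC 5905 style.
Models a server with trusted keys 1 and 2 and clients with/without a key.
Not Junos or Juniper code; all key values and timestamps are constructed."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48
CRYPTO_NAK = b"\x00\x00\x00\x00"  # key id 0, no digest (RFC 5905 section 7.3)

# Server key table, mirroring "set system ntp authentication-key N type T value V".
# Key values are constructed for this example, not the poster's.
SERVER_KEYS = {1: ("sha256", b"example-sha256-key"), 2: ("md5", b"example-md5-key")}
SERVER_TRUSTED = {1, 2}          # mirrors "set system ntp trusted-key 1 / 2"


def ntp_timestamp(unix_time):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point, 1900 epoch)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def build_header(mode, stratum=0, refid=b"\x00" * 4, orig=0, recv=0, xmit=0):
    """48-byte NTPv4 header: LI=0, VN=4, mode 3 (client) or 4 (server)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    poll, precision, root_delay, root_disp, ref_ts = 6, -20, 0, 0, recv
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, refid, ref_ts, orig, recv, xmit)


def make_mac(key_id, algo, key, header):
    """MAC = keyid || digest(key || header). RFC 5905 specifies this for MD5 and
    ntpd uses the same layout for SHA-1; applying it to the sha256 key type is
    an assumption of this example."""
    return struct.pack("!I", key_id) + hashlib.new(algo, key + header).digest()


def client_request(now, key=None):
    """key is None (client with no key configured) or (key_id, algo, secret)."""
    header = build_header(3, xmit=ntp_timestamp(now))
    if key is None:
        return header
    key_id, algo, secret = key
    return header + make_mac(key_id, algo, secret, header)


def server_reply(request, now, keys=SERVER_KEYS, trusted=SERVER_TRUSTED):
    """ntpd-like behaviour: an unauthenticated request gets an unauthenticated
    reply, a valid MAC gets a reply signed with the same key, a bad key id or
    bad MAC gets a crypto-NAK."""
    header, mac = request[:HEADER_LEN], request[HEADER_LEN:]
    orig = struct.unpack("!Q", header[40:48])[0]   # echo the client's transmit timestamp
    reply = build_header(4, stratum=2, refid=b"GPS\x00", orig=orig,
                         recv=ntp_timestamp(now), xmit=ntp_timestamp(now))
    if not mac:
        return reply
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return reply + CRYPTO_NAK
    algo, secret = keys[key_id]
    if not hmac.compare_digest(make_mac(key_id, algo, secret, header), mac):
        return reply + CRYPTO_NAK
    return reply + make_mac(key_id, algo, secret, reply)


def client_accepts(reply, key=None):
    """True if a client configured with `key` would use this reply."""
    header, mac = reply[:HEADER_LEN], reply[HEADER_LEN:]
    if key is None:
        return True              # no trusted key: nothing to verify, reply accepted
    if mac == CRYPTO_NAK or len(mac) < 4:
        return False             # server refused, or the reply carries no MAC
    key_id, algo, secret = key
    return hmac.compare_digest(make_mac(key_id, algo, secret, header), mac)


def run_scenarios(now=1628541229.0):
    """The two switches from the post, plus the two cases the key is there to catch."""
    good = (2, "md5", SERVER_KEYS[2][1])
    bad = (2, "md5", b"wrong-key")
    return {
        "keyed_switch":   client_accepts(server_reply(client_request(now, good), now), good),
        "unkeyed_switch": client_accepts(server_reply(client_request(now), now)),
        "wrong_key":      client_accepts(server_reply(client_request(now, bad), now), bad),
        "spoofed_reply":  client_accepts(build_header(4, stratum=2), good),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:15s} accepted={ok}")
```

Running it prints the two post scenarios as accepted (keyed switch with a valid MAC, unkeyed switch with no MAC at all) and the two attack-side cases as rejected (a client holding a wrong key value gets a crypto-NAK, and a keyed client discards an unsigned reply). The key ID is the link between the two sides: the client's "authentication-key 2" and "trusted-key 2" must name the same ID and value the server holds, which is why the post's keyed switch works with key 2 alone.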