Trying to harden NTP. I have the NTP keys set up, but devices without keys can still pull NTP.
For example, a switch can still sync and shows stratum 3.
If I try "set date ntp", that fails, but it works if I add the key to the config.
"show ntp status" and "show ntp associations" both show a good connection (I also see 2-way traffic).
Any thoughts on this?
The Juniper docs do not show how to apply this key to the SRX NTP server itself, that I can see/find.
SRX config
set system ntp boot-server 10.1.x.x
set system ntp authentication-key 1 type sha256 <<< for new devices
set system ntp authentication-key 1 value "XXXXXX"
set system ntp authentication-key 2 type md5 <<< for older stuff
set system ntp authentication-key 2 value "XXXXXX"
set system ntp server 10.1.x.x version 4 <<< internal GPS NTP server
set system ntp server 162.159.200.123 version 4 << External NTP server
set system ntp trusted-key 1
set system ntp trusted-key 2
switch WITH KEY
set date ntp
Aug 09 15:33:49
9 Aug 15:33:50 ntpdate[65302]: step time server 10.200.x.x offset 0.000830 sec
show ntp associations
Aug 09 15:47:24
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.200.x.x      10.1.x.x         2 -   22   64  377   27.191    0.786   1.247
show ntp status
Aug 09 15:47:13
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Feb 13 14:20:29 UTC 2020 (1)",
processor="arm", system="JUNOS12.3R12-S15", leap=00, stratum=3,
precision=-17, rootdelay=28.412, rootdispersion=26.863, peer=45916,
refid=10.200.x.x
reftime=e4bc113e.5bc2a5b5 Mon, Aug 9 2021 15:40:30.358, poll=6,
clock=e4bc12d2.02954c9c Mon, Aug 9 2021 15:47:14.010, state=4,
offset=0.786, frequency=-28.732, jitter=0.943, stability=0.008
show configuration system ntp | display set
Aug 09 15:51:15
set system ntp boot-server 10.200.x.x
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "XXXXXXXX"
set system ntp server 10.200.x.x
set system ntp trusted-key 2
set system ntp source-address 10.8.x.x
switch WITHOUT KEY
set date ntp
Aug 09 15:32:15
Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
SW_803_A kernel: rtc8564je_rtc0: RTC ERROR(16): read failed for off:2(len:1)
Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
SW_803_A kernel: rtc8564je_rtc0: SETTIME failed for seconds: error 16
9 Aug 15:32:16 ntpdate[10243]: step time server 10.200.255.230 offset 0.001236 sec << worked?
show ntp associations
Aug 09 15:32:27
     remote           refid      st t when poll reach   delay   offset  jitter
===============================================================================
*10.200.x.x      10.1.x.x         2 -    1   64    1   23.382   -1.518   1.882
show ntp status
Aug 09 15:32:33
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Wed Jun 24 22:59:07 2020 (1)", processor="arm",
system="FreeBSDJNPR-11.0-20200601.4ea4791_buil", leap=00, stratum=3,
precision=-19, rootdelay=24.602, rootdispersion=955.323, peer=38052,
refid=10.200.x.x,
reftime=e4bc0f58.19f8f2e3 Mon, Aug 9 2021 15:32:24.101, poll=4,
clock=e4bc0f61.8322034e Mon, Aug 9 2021 15:32:33.512, state=2,
offset=-1.518, frequency=-18.798, jitter=1.037, stability=0.005
show configuration system ntp | display set
Aug 09 15:50:39
set system ntp boot-server 10.200.x.x
set system ntp server 10.200.x.x
set system ntp source-address 10.8.x.x
Do I need to add the SRX as a server and apply the keys to it? But then it would try to get NTP from itself, correct?
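Added example, not part of the original post and not Juniper code: with ntpd-style symmetric keys, an authenticated packet is the 48-byte NTP header followed by a 4-byte key ID and a digest of the key plus the header, so a capture can be checked for whether a MAC is present and valid. The helper names and the sample key are constructed for illustration, only MD5 keys are handled, and the key is assumed to be the plaintext secret rather than the encrypted form stored in the configuration.

```python
import hashlib
import hmac
import socket
import struct

HEADER_LEN = 48   # fixed NTPv4 header
MD5_MAC_LEN = 20  # 4-byte key ID + 16-byte MD5 digest

def build_request(key_id=None, key=b""):
    """NTPv4 client (mode 3) request; appends an MD5 MAC when key_id is given."""
    header = struct.pack("!B47x", (4 << 3) | 3)
    if key_id is None:
        return header
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def classify(packet, keys):
    """Say whether a packet carries a MAC and whether it verifies against keys."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not trailer:
        return "unauthenticated"
    if len(trailer) == 4:
        # Key ID only: a crypto-NAK when the ID is zero.
        return "crypto-nak" if trailer == b"\0\0\0\0" else "unsupported"
    if len(trailer) != MD5_MAC_LEN:
        return "unsupported"  # another digest type or extension fields
    (key_id,) = struct.unpack("!I", trailer[:4])
    if key_id not in keys:
        return "unknown-key"
    expected = hashlib.md5(keys[key_id] + header).digest()
    ok = hmac.compare_digest(expected, trailer[4:])
    return "authenticated" if ok else "bad-mac"

def query(server, request, timeout=2.0):
    """Send one request to UDP/123 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        return sock.recvfrom(512)[0]

# Constructed sample key table; ID 2 mirrors the md5 key slot in the configs above.
SAMPLE_KEYS = {2: b"constructed-md5-key"}

if __name__ == "__main__":
    print(classify(build_request(), SAMPLE_KEYS))
    print(classify(build_request(2, SAMPLE_KEYS[2]), SAMPLE_KEYS))
```

Passing the reply from `query()` to `classify()` shows whether a server's answer to a request sent without a key carries a MAC at all.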