
NTP auth with SRX as server?


    Posted 08-10-2021 09:14
    Trying to harden the NTP, and I have the NTP keys set up, but devices without keys can still pull NTP.

    For example, a switch can still sync and shows stratum 3.

    If I try "set date ntp", that fails, but it works if I add the key to the config.

    "show ntp status" and "show ntp associations" both show a good connection (I also see 2-way traffic).

    Any thoughts on this?

    The Juniper docs do not show how to apply this key to the SRX NTP server itself, that I can see/find.


    SRX config 
    set system ntp boot-server 10.1.x.x
    set system ntp authentication-key 1 type sha256   <<< for new devices
    set system ntp authentication-key 1 value "XXXXXX"
    set system ntp authentication-key 2 type md5  <<< for older stuff 
    set system ntp authentication-key 2 value "XXXXXX"
    set system ntp server 10.1.x.x version 4  <<< internal GPS NTP server
    set system ntp server 162.159.200.123 version 4  << External NTP server 
    set system ntp trusted-key 1
    set system ntp trusted-key 2

    switch WITH KEY 
    set date ntp
    Aug 09 15:33:49
    9 Aug 15:33:50 ntpdate[65302]: step time server 10.200.x.x offset 0.000830 sec
    show ntp associations
    Aug 09 15:47:24
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    *10.200.x.x 10.1.x.x 2 - 22 64 377 27.191 0.786 1.247
    show ntp status
    Aug 09 15:47:13
    status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
    version="ntpd 4.2.0-a Thu Feb 13 14:20:29 UTC 2020 (1)",
    processor="arm", system="JUNOS12.3R12-S15", leap=00, stratum=3,
    precision=-17, rootdelay=28.412, rootdispersion=26.863, peer=45916,
    refid=10.200.x.x
    reftime=e4bc113e.5bc2a5b5 Mon, Aug 9 2021 15:40:30.358, poll=6,
    clock=e4bc12d2.02954c9c Mon, Aug 9 2021 15:47:14.010, state=4,
    offset=0.786, frequency=-28.732, jitter=0.943, stability=0.008
    show configuration system ntp | display set
    Aug 09 15:51:15
    set system ntp boot-server 10.200.x.x
    set system ntp authentication-key 2 type md5
    set system ntp authentication-key 2 value "XXXXXXXX"
    set system ntp server 10.200.x.x
    set system ntp trusted-key 2
    set system ntp source-address 10.8.x.x

    switch WITHOUT KEY
    set date ntp
    Aug 09 15:32:15

    Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
    SW_803_A kernel: rtc8564je_rtc0: RTC ERROR(16): read failed for off:2(len:1)

    Message from syslogd@SW_803_A at Aug 9 15:32:16 ...
    SW_803_A kernel: rtc8564je_rtc0: SETTIME failed for seconds: error 16
    9 Aug 15:32:16 ntpdate[10243]: step time server 10.200.255.230 offset 0.001236 sec << worked? 
    show ntp associations
    Aug 09 15:32:27
    remote refid st t when poll reach delay offset jitter
    ===============================================================================
    *10.200.x.x 10.1.x.x 2 - 1 64 1 23.382 -1.518 1.882
    show ntp status
    Aug 09 15:32:33
    status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
    version="ntpd 4.2.0-a Wed Jun 24 22:59:07 2020 (1)", processor="arm",
    system="FreeBSDJNPR-11.0-20200601.4ea4791_buil", leap=00, stratum=3,
    precision=-19, rootdelay=24.602, rootdispersion=955.323, peer=38052,
    refid=10.200.x.x,
    reftime=e4bc0f58.19f8f2e3 Mon, Aug 9 2021 15:32:24.101, poll=4,
    clock=e4bc0f61.8322034e Mon, Aug 9 2021 15:32:33.512, state=2,
    offset=-1.518, frequency=-18.798, jitter=1.037, stability=0.005

    show configuration system ntp | display set
    Aug 09 15:50:39
    set system ntp boot-server 10.200.x.x
    set system ntp server 10.200.x.x
    set system ntp source-address 10.8.x.x

    Do I need to add the SRX as a server and apply the keys to it? But then it would try to get NTP from itself, correct?
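
Added example, not part of the original post: a Python check, run from a test host against a server you administer, that shows whether an NTP server answers a request carrying no MAC and whether a reply's MD5 MAC verifies. It assumes the RFC 5905 symmetric-key layout (48-byte header followed by a 4-byte key ID and MD5(key || header)), no extension fields, MD5 keys only, and the key supplied as the raw bytes of the configured value; the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

HEADER_LEN = 48  # fixed NTP header; anything after it is the MAC (no extension fields assumed)

def build_request(key_id=None, key=b""):
    """NTPv4 client request; with key_id, append key ID + MD5(key || header)."""
    header = bytes([0x23]) + bytes(47)  # LI=0, VN=4, Mode=3 (client)
    if key_id is None:
        return header  # 48 bytes: an unauthenticated request
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def classify_reply(pkt, keys):
    """Classify a server reply; keys maps key ID -> key bytes (MD5 keys only)."""
    if len(pkt) < HEADER_LEN or (pkt[0] & 0x07) != 4:  # Mode 4 = server
        return "malformed"
    header, trailer = pkt[:HEADER_LEN], pkt[HEADER_LEN:]
    if not trailer:
        return "unauthenticated"  # server answered with no MAC at all
    if len(trailer) == 4:
        return "crypto-nak"       # key ID only: server rejected the request's MAC
    if len(trailer) != 20:
        return "malformed"        # not a key ID + 16-byte MD5 digest
    key = keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return "unknown-key"
    expected = hashlib.md5(key + header).digest()
    return "valid-mac" if hmac.compare_digest(expected, trailer[4:]) else "bad-mac"

def probe(server, key_id=None, key=b"", keys=None, timeout=3.0):
    """Send one request to `server` (UDP/123) and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(key_id, key), (server, 123))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify_reply(reply, keys or {})
```

Calling `probe(server)` with no key sends the same kind of request as the switch without a key in the post; a result of `"unauthenticated"` means the server served time to a client that presented no MAC.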