SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Does SRX stop providing NTP to clients without valid sync to server?

    Posted 12-11-2024 13:52

    Does the Juniper SRX still provide time to NTP clients when it has lost synchronization with its own NTP server?  Or does the SRX simply stop sending NTP to clients altogether?

    I believe it simply stops when it has lost its own NTP server, but I would like confirmation.  If you can provide a Juniper knowledge article with this information in it, I would be thankful.  I have been unable to find one as of yet.



    ------------------------------
    JAMES LAMBERT
    ------------------------------


  • 2.  RE: Does SRX stop providing NTP to clients without valid sync to server?

    Posted 12-12-2024 03:04

    I don't have a KB for it but I once tried to get a totally isolated network to sync time internally. The Juniper EX4200 switches couldn't be persuaded to act as NTP servers unless they had a server to sync to, but I had a number of Adva FSP3000R7 chassis that could. By setting them to stratum 5 or something, I could use them as masters and the EX switches could sync.

    A standard NTP server that doesn't get time from another source will set its stratum to level 16, the lowest. No NTP server should use the time from a stratum 16 server so this makes the switch unusable as a time source, even if they can talk. In Linux etc., you can set a "fudge" parameter to spoof a stratum of your choice:

    server  127.127.1.0     # local clock
    fudge   127.127.1.0 stratum 10

    Just to test if this would work in a modern EX, I took an EX4100-24MP and edited the raw config file:

    start shell user root

    vi /var/etc/ntp.conf (to edit the file, put in the two lines shown below)

    ps ax | grep ntp

    There will be one line with "/usr/sbin/xntpd" in it (and another perhaps with tcp.sntpd but ignore that).

    22926  -  S       0:05.12 /usr/sbin/xntpd -j -N -g (ntpd)

    You need the process number (22926 in my case). Use kill -1 to restart the process (-1 means restart, not actually kill it)

    kill -1 22926

    root@EX4100-24MP-01:RE:0% cat /var/etc/ntp.conf
    server  127.127.1.0     # local clock
    fudge   127.127.1.0 stratum 10

    In a neighbouring system, I see this:

    fredrik@EX4100-12P-01> show ntp associations
         remote               refid           auth  st  t  when  poll reach  delay     offset   jitter
    ===================================================================================================
    *my.ntp.server     14.158.104.39        -   2  u    60    64   37   14.640    -0.089    0.401
     10.16.2.20             LOCAL(0)             -  11  u     -    64    3    6.747    +0.069    3.429

    This means that this system can read time from the -24MP I just restarted the service on. I set that stratum to 10 and the other switch therefore sees it as stratum 11, just as it should.

    So you could edit the file yourself to get the functionality you want. Even a new commit didn't overwrite the file for me when I did an unrelated change (a random interface description). Making changes to the NTP config itself would likely overwrite your edit of course.

    I don't see a way to set a "fudge"/local clock in the config. I'll ask my Juniper SEs about this and perhaps it will get into the Junos feature set one day!




  • 3.  RE: Does SRX stop providing NTP to clients without valid sync to server?

    Posted 12-14-2024 04:28

    Hello James,

    Despite the fact that fb35523 is pointing out some interesting information, let me try to answer your question directly.

    As I tested in my lab, an old SRX110 on version 12.1 stops being synchronised after about one hour if I kill its own NTP server.

    After that it will "say" to its own NTP clients that it is a non-trustable source of time.

    So normally clients (EX) will still get an answer to their request, but they will see that this source is not synchronised anymore, so they will then turn into an unsynchronised state.



    ------------------------------
    ALAIN BRIANT
    ------------------------------
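
As an added example (not code from either reply, nor from Junos), here is a small Python model of the on-the-wire behaviour both replies describe: a server whose own stratum is 16 answers with leap indicator 3 and packet stratum 0 (the RFC 5905 "unsynchronized" signalling), which a client must reject, while a server fudged to stratum 10 is accepted and the client becomes stratum 11. Function names and the constructed packets are assumptions for illustration.

```python
import struct

# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps.
NTP_HEADER = "!BBBbII4sQQQQ"
MAXSTRAT = 16  # RFC 5905: a system stratum of 16 means "unsynchronized"


def build_ntp_reply(sys_stratum, sys_leap=0, refid=b"LOCL"):
    """Constructed server reply (mode 4) for a server at sys_stratum.

    Follows the RFC 5905 convention: a server whose own stratum is 16 or
    higher transmits stratum 0 and sets the leap indicator to 3 (alarm)."""
    unsync = sys_stratum >= MAXSTRAT
    li = 3 if unsync else sys_leap
    pkt_stratum = 0 if unsync else sys_stratum
    first_byte = (li << 6) | (4 << 3) | 4  # LI, version 4, mode 4 = server
    return struct.pack(NTP_HEADER, first_byte, pkt_stratum, 6, -20,
                       0, 0, refid, 0, 0, 0, 0)


def evaluate_server(packet):
    """Client-side sanity checks on a received reply.

    Returns (usable, reason, stratum the client would adopt)."""
    fields = struct.unpack(NTP_HEADER, packet)
    li = fields[0] >> 6
    mode = fields[0] & 0x7
    # Customary mapping: packet stratum 0 becomes 16 in the peer variables.
    peer_stratum = MAXSTRAT if fields[1] == 0 else fields[1]
    if mode != 4:
        return False, "not a server reply", None
    if li == 3:
        return False, "leap indicator 3: server clock not synchronised", None
    if peer_stratum >= MAXSTRAT:
        return False, "stratum 16: server has no valid source", None
    # A client that selects this server sits one stratum below it.
    return True, "usable", peer_stratum + 1


if __name__ == "__main__":
    # Server fudged to stratum 10, as in the EX4100 test above.
    print(evaluate_server(build_ntp_reply(10)))   # (True, 'usable', 11)
    # Server that lost its upstream source (stratum 16 internally).
    print(evaluate_server(build_ntp_reply(16)))   # rejected, LI == 3
```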