
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NTP, SRX, and routing-instances

    Posted 01-11-2023 07:42
    To start with, this is all with 22.2R1.

    First up, prior to deploying routing-instances, NTP was working fine on the SRX, but for various reasons I'm extending routing instances on Juniper EX switches out to the SRX firewalls. All was going well until I got to NTP:

    Jan 11 22:52:58 srx xntpd: NTP Server is Unreachable
    Jan 11 22:52:58 srx xntpd: Sendpkt failed:Can't assign requested address

    At first I thought this was "add routing-instance to ntp statements" like this:
    set system ntp server routing-instance office
    set system ntp server routing-instance office
    set system ntp server routing-instance office
    set system ntp source-address routing-instance office

    but that made no difference.

    Then I read this: CEC Juniper Community

    That didn't solve the problem, although I didn't add in the policy statements to import the routing policy (a bit nervous doing that remotely.)

    Are the "routing-instance" parameters to "set system ntp" pointless, as in they have no effect?
    Is the same true for "routing-instance" for the ntp source?
    Do I have to do the full exercise (exporting & importing routes, vr.inet0)?

  • 2.  RE: NTP, SRX, and routing-instances
    Best Answer

    Posted 01-11-2023 10:24
    Interesting.  I just tried this in my lab.  I placed my only interface ge-0/0/0 in a VR and set NTP to use the VR.  I get nothing.  I then simply added a /32 loopback interface in inet.0, I did not configure it for a zone, simply gave lo0.0 an IP address.  NTP came up (and had to use VR as its only interface with a cable out of box).

    Try simply adding a /32 lo0.


    David Divins

  • 3.  RE: NTP, SRX, and routing-instances

    Posted 01-12-2023 04:29
    Here I was following all of these complex instructions when the only thing I needed to do was configure lo0.0. Argh. Hopefully the title of this thread will make it easier for others to find this.

    I should add that it goes without saying that the IP# put on lo0.0 should NOT be but something that the NTP servers you use can reply to and for those reply packets to end up back at the SRX (one way or another.)

    Just to be clear:
    - I'm not using "routing-instance" as part of the "set system ntp server" statement
    - As above, lo0.0 is not assigned to any security zone and nor is it assigned to any routing-instance.
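
A check for the condition this thread arrived at, as an added example that is not from any of the posters or from Juniper: it reads `display set`-style configuration and reports when NTP servers are configured but lo0.0 has no inet address, or when lo0.0 has been placed in a routing-instance. The sample configurations, addresses and function name are constructed for illustration, and the rule encodes what the thread reports for 22.2R1, not documented Junos behaviour.

```python
import re

# Constructed samples in "display set" format; all addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_BROKEN = """\
set system ntp server 192.0.2.10 routing-instance office
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/24
set routing-instances office instance-type virtual-router
set routing-instances office interface ge-0/0/0.0
"""
SAMPLE_FIXED = SAMPLE_BROKEN + (
    "set interfaces lo0 unit 0 family inet address 198.51.100.254/32\n")
SAMPLE_LO0_IN_VR = SAMPLE_FIXED + "set routing-instances office interface lo0.0\n"

NTP_RE = re.compile(r"^set system ntp server (\S+)")
LO0_RE = re.compile(r"^set interfaces lo0 unit 0 family inet address (\S+)")
RI_LO0_RE = re.compile(r"^set routing-instances (\S+) interface lo0\.0\b")


def check_ntp_loopback(config_text):
    """Return a list of findings; an empty list means the thread's conditions hold."""
    servers, lo0_addrs, lo0_instances = [], [], []
    for line in config_text.splitlines():
        line = line.strip()
        if m := NTP_RE.match(line):
            servers.append(m.group(1))
        elif m := LO0_RE.match(line):
            lo0_addrs.append(m.group(1))
        elif m := RI_LO0_RE.match(line):
            lo0_instances.append(m.group(1))

    if not servers:
        return []  # NTP is not configured, so there is nothing to check
    findings = []
    if not lo0_addrs:
        findings.append("lo0.0 has no inet address in inet.0")
    for name in lo0_instances:
        findings.append(f"lo0.0 is assigned to routing-instance {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED),
                       ("lo0 in VR", SAMPLE_LO0_IN_VR)]:
        print(label, "->", check_ntp_loopback(cfg) or "ok")
```
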