[SRX] NTP updates via routing instance

Knowledge Base ID: KB22499
Last Updated: 01 Sep 2016
Version: 6.0

Summary:
This article provides information about the limitation of NTP update when routing instances are involved and how to implement a workaround.

Symptoms:
When the SRX firewall is configured for NTP associations sourced from a custom routing-instance table, the NTP association will not be formed.

The example below shows an NTP association stuck in the INIT state.
root# run show ntp associations
remote refid st t when poll reach delay offset jitter
=======================================================
1.1.1.1 .INIT. 16 u - 64 0 0.000 0.000 4000.00

root# run show ntp status

status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Thu Feb 3 23:22:34 UTC 2011 (1)",
processor="i386", system="JUNOS11.2-20110203_jc_fv_may11.0", leap=11,
stratum=16, precision=-21, rootdelay=0.000, rootdispersion=0.150,
peer=0, refid=INIT,<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
reftime=00000000.00000000 Wed, Feb 6 2036 22:28:16.000, poll=4,
clock=d1072de5.a84192cb Wed, Feb 16 2011 21:17:25.657, state=1,
offset=0.000, frequency=-57.003, jitter=0.000, stability=0.000

Cause:
The NTP client (SRX) always builds the association from the default routing table (inet.0), not from the custom routing-instance table.

Solution:
By default on an SRX, to perform NTP associations, you must use an IP address from the master instance to source the NTP packet.

If your master instance does not have any interface, then as a workaround you can create a loopback interface to source the packet.

[PC]-------------------------------[SRX]--------------------------------ISP
           192.168.15.0/24                            80.10.115.0/24

=======PC========
IP: 192.168.15.10
Subnet: 255.255.255.0
G/W: 192.168.15.1
=================

=======SRX=======
Master Instance (inet.0)
Interface: lo0.0 - 192.168.254.1/32
Route: Default next-table vr.inet.0
--------------------------------
Virtual Router Instance(vr.inet.0)
Interfaces:
fe-0/0/6.0 - trust - 192.168.15.1/24
fe-0/0/4.0 - untrust - 80.10.115.1/24
Route: Default - 80.10.115.254
==================

=======ISP========
ISP: 80.10.115.254
Subnet: 255.255.255.0
==================

Full Configuration:
set version 12.1X46-D52.1
set system host-name PODA-SRX5-210-1
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$WZo1c/iN$kV/lsYlETEkWPPtZxiceJ."
set system name-server 4.2.2.2
set system syslog host 192.168.15.10 any any
set system ntp server 129.250.35.251
set system ntp source-address 80.10.115.1 routing-instance vr
set interfaces fe-0/0/4 unit 0 family inet address 80.10.115.1/24
set interfaces fe-0/0/6 unit 0 family inet address 192.168.15.1/24
set interfaces lo0 unit 0 family inet address 192.168.254.1/32
set routing-options static route 0.0.0.0/0 next-table vr.inet.0
set policy-options policy-statement Import-Lo0-Route term 1 from instance master
set policy-options policy-statement Import-Lo0-Route term 1 from protocol direct
set policy-options policy-statement Import-Lo0-Route term 1 then accept
set policy-options policy-statement Import-Lo0-Route term default then reject
set security policies from-zone trust to-zone untrust policy Internet match source-address any
set security policies from-zone trust to-zone untrust policy Internet match destination-address any
set security policies from-zone trust to-zone untrust policy Internet match application any
set security nat source rule-set Host-Nat from zone junos-host
set security nat source rule-set Host-Nat to routing-instance vr
set security nat source rule-set Host-Nat rule NTP match destination-address 0.0.0.0/0
set security nat source rule-set Host-Nat rule NTP then source-nat interface
set security nat source rule-set Internet from zone trust
set security nat source rule-set Internet to zone untrust
set security nat source rule-set Internet rule All-Internet match destination-address 0.0.0.0/0
set security nat source rule-set Internet rule All-Internet then source-nat interface
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/4.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/6.0
set security zones security-zone mgmt interfaces lo0.0
set routing-instances vr instance-type virtual-router
set routing-instances vr interface fe-0/0/4.0
set routing-instances vr interface fe-0/0/6.0
set routing-instances vr routing-options static route 0.0.0.0/0 next-hop 80.10.115.254
set routing-instances vr routing-options instance-import Import-Lo0-Route



Breakdown of the configuration:

Configure the NTP:
set system ntp server 129.250.35.251
set system ntp source-address 80.10.115.1 routing-instance vr

Note: The source-address statement only makes the device use the specified IP address when sending syslog messages to a syslog server. It does NOT source the NTP packets from that IP address.


Create a Loopback Interface:
set interfaces lo0 unit 0 family inet address 192.168.254.1/32

Add the loopback interface to a zone:
set security zones security-zone mgmt interfaces lo0.0

Add the route in master instance to use the vr.inet.0 table:
set routing-options static route 0.0.0.0/0 next-table vr.inet.0

To get the reply packets:
set security nat source rule-set Host-Nat from zone junos-host
set security nat source rule-set Host-Nat to routing-instance vr
set security nat source rule-set Host-Nat rule NTP match destination-address 0.0.0.0/0
set security nat source rule-set Host-Nat rule NTP then source-nat interface

Note: NAT the traffic, otherwise the traffic is sent using the loopback's private IP address.

Create a policy statement (or rib group) to import the loopback route in the virtual router:

set policy-options policy-statement Import-Lo0-Route term 1 from instance master
set policy-options policy-statement Import-Lo0-Route term 1 from protocol direct
set policy-options policy-statement Import-Lo0-Route term 1 then accept
set policy-options policy-statement Import-Lo0-Route term default then reject
set routing-instances vr routing-options instance-import Import-Lo0-Route

Note: This is to make the SRX understand that the source address is part of the device (master instance).
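As an added example (not part of this KB), a Python audit that checks a set-style configuration for every piece of the workaround described in the steps above: the /32 loopback kept in the master instance, the next-table default route, the loopback in a zone, the junos-host source NAT rule-set into the routing instance, and the instance-import policy. The sample configuration is taken from the lines quoted in this article; the routing-instance name "vr" is a parameter.

```python
import re

# Constructed sample: the workaround lines from this KB's "Full Configuration".
CONFIG = """
set system ntp server 129.250.35.251
set interfaces lo0 unit 0 family inet address 192.168.254.1/32
set routing-options static route 0.0.0.0/0 next-table vr.inet.0
set policy-options policy-statement Import-Lo0-Route term 1 from instance master
set policy-options policy-statement Import-Lo0-Route term 1 from protocol direct
set policy-options policy-statement Import-Lo0-Route term 1 then accept
set security nat source rule-set Host-Nat from zone junos-host
set security nat source rule-set Host-Nat to routing-instance vr
set security nat source rule-set Host-Nat rule NTP then source-nat interface
set security zones security-zone mgmt interfaces lo0.0
set routing-instances vr instance-type virtual-router
set routing-instances vr interface fe-0/0/4.0
set routing-instances vr routing-options instance-import Import-Lo0-Route
"""

def audit_ntp_workaround(config, vr='vr'):
    """Return the missing pieces of the KB22499 workaround (empty list = complete)."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith('set ')]
    def has(pattern):
        return any(re.search(pattern, l) for l in lines)
    def first(pattern):  # first capture group of the first line matching pattern
        return next((re.match(pattern, l).group(1) for l in lines if re.match(pattern, l)), None)
    missing = []
    if not has(r'^set system ntp server \S+'):
        missing.append('no NTP server configured')
    if not has(r'^set interfaces lo0 unit 0 family inet address \S+/32$'):
        missing.append('no /32 loopback address to source NTP from')
    # The NTP source must stay in the master instance, so lo0.0 must NOT be in the VR.
    if has(rf'^set routing-instances {vr} interface lo0\.0$'):
        missing.append('lo0.0 was placed in the routing instance; it must stay in master')
    if not has(rf'^set routing-options static route 0\.0\.0\.0/0 next-table {vr}\.inet\.0$'):
        missing.append(f'master inet.0 lacks a default route pointing at {vr}.inet.0')
    if not has(r'^set security zones security-zone \S+ interfaces lo0\.0$'):
        missing.append('lo0.0 is not in any security zone')
    # Reply packets only come back if junos-host traffic is NATed into the VR.
    rs = first(r'^set security nat source rule-set (\S+) from zone junos-host$')
    if rs is None or not has(rf'^set security nat source rule-set {rs} to routing-instance {vr}$') \
            or not has(rf'^set security nat source rule-set {rs} rule \S+ then source-nat interface$'):
        missing.append('no source NAT rule-set from zone junos-host into the routing instance')
    # The VR must learn the loopback route from the master instance.
    pol = first(rf'^set routing-instances {vr} routing-options instance-import (\S+)$')
    if pol is None or not has(rf'^set policy-options policy-statement {pol} term \S+ from instance master$'):
        missing.append(f'{vr} does not import the master instance direct routes (lo0)')
    return missing

if __name__ == '__main__':
    print(audit_ntp_workaround(CONFIG) or ['workaround complete'])
```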


Outputs:
Routing Table:

[edit]
root@PODA-SRX5-210-1# run show route | no-more

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:01:17
to table vr.inet.0
192.168.254.1/32 *[Direct/0] 00:03:07
> via lo0.0

vr.inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:03:07
> to 80.10.115.254 via fe-0/0/4.0
80.10.115.0/24 *[Direct/0] 00:03:07
> via fe-0/0/4.0
80.10.115.1/32 *[Local/0] 00:03:07
Local via fe-0/0/4.0
192.168.15.0/24 *[Direct/0] 00:03:07
> via fe-0/0/6.0
192.168.15.1/32 *[Local/0] 00:03:07
Local via fe-0/0/6.0
192.168.254.1/32 *[Direct/0] 00:03:07
> via lo0.0

Flow Session:
Session ID: 746, Policy name: self-traffic-policy/1, Timeout: 38, Valid
In: 192.168.254.1/123 --> 129.250.35.251/123;udp, If: .local..0, Pkts: 1, Bytes: 76
Out: 129.250.35.251/123 --> 80.10.115.1/14003;udp, If: fe-0/0/4.0, Pkts: 1, Bytes: 76

NTP:
[edit]
root@PODA-SRX5-210-1# run show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Wed May 25 07:21:26 UTC 2016 (1)",
processor="octeon", system="JUNOS12.1X46-D52.1", leap=00, stratum=3,
precision=-17, rootdelay=349.262, rootdispersion=96.457, peer=30364,
refid=129.250.35.251,
reftime=db658ec0.7d8912e3 Mon, Aug 22 2016 20:16:24.490, poll=10,
clock=db658fa4.123e17ce Mon, Aug 22 2016 20:20:12.071, state=4,
offset=-20.964, frequency=18.772, jitter=9.185, stability=1.313

[edit]
root@PODA-SRX5-210-1# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*y.ns.gin.ntt.ne 249.224.99.213 2 - 232 1024 377 91.816 -20.964 16.138
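As an added example (not part of this KB), a Python check that parses "show ntp status" output and reports why the SRX is not synchronized, so a monitoring job can catch the stuck-in-INIT condition shown under Symptoms and confirm the healthy state shown above. The two samples are copied from this article's outputs.

```python
import re

# Constructed samples: the two "show ntp status" outputs quoted in this KB.
STUCK = """status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Thu Feb 3 23:22:34 UTC 2011 (1)",
processor="i386", system="JUNOS11.2-20110203_jc_fv_may11.0", leap=11,
stratum=16, precision=-21, rootdelay=0.000, rootdispersion=0.150,
peer=0, refid=INIT,<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
reftime=00000000.00000000 Wed, Feb 6 2036 22:28:16.000, poll=4,
clock=d1072de5.a84192cb Wed, Feb 16 2011 21:17:25.657, state=1,
offset=0.000, frequency=-57.003, jitter=0.000, stability=0.000
"""
SYNCED = """status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Wed May 25 07:21:26 UTC 2016 (1)",
processor="octeon", system="JUNOS12.1X46-D52.1", leap=00, stratum=3,
precision=-17, rootdelay=349.262, rootdispersion=96.457, peer=30364,
refid=129.250.35.251,
reftime=db658ec0.7d8912e3 Mon, Aug 22 2016 20:16:24.490, poll=10,
clock=db658fa4.123e17ce Mon, Aug 22 2016 20:20:12.071, state=4,
offset=-20.964, frequency=18.772, jitter=9.185, stability=1.313
"""

# key=value pairs: a value is a quoted string or text up to the next ", key="
# (so dates like "Wed, Feb 6 2036" survive), a "<" annotation marker as used in
# the KB output, or end of line.
_KV = re.compile(r'(\w+)=("[^"]*"|.*?)(?=,\s*\w+=|,?<|\s*$)', re.M)

def parse_ntp_status(text):
    """Return the fields of 'show ntp status' as a dict of strings."""
    return {k: v.strip('", ') for k, v in _KV.findall(text)}

def ntp_problems(fields):
    """List the reasons the NTP client is not synchronized (empty list = healthy)."""
    problems = []
    # Top two bits of the status word are the leap indicator; 3 (binary 11) means unsynchronized.
    if int(fields['status'].split()[0], 16) >> 14 == 3:
        problems.append('status word: leap indicator 11 (clock not synchronized)')
    if fields.get('leap') == '11':
        problems.append('leap=11 (unsynchronized)')
    if int(fields.get('stratum', 16)) >= 16:
        problems.append('stratum=16 (no usable upstream server)')
    if fields.get('refid') == 'INIT':
        problems.append('refid=INIT (association never formed; check the source routing table)')
    return problems

if __name__ == '__main__':
    for name, sample in (('stuck', STUCK), ('synced', SYNCED)):
        print(name, ntp_problems(parse_ntp_status(sample)) or ['ok'])
```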

Purpose:
Configuration
Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.