[SRX] How to NTP sync to an SRX device via an interface in a custom routing instance

[KB31654]


Summary:

This article explains how to perform an NTP sync to an SRX device via an interface that belongs to a custom routing instance.

Symptoms:

Sometimes the SRX firewall is configured with NTP associations sourced from a custom routing-instance table. At the same time, the client devices behind the SRX need to perform an NTP sync to it via the SRX interface in that custom routing instance. When the client's NTP server address is set to the gateway (SRX) IP address, the NTP sync can fail.

Example:

[SRX_NTP_C]-----------------------[SRX_NTP_S]-----------------------ISP
 192.168.1.0/24                                              80.10.115.0/24

     
=======PC========
IP: 192.168.1.1
Subnet: 255.255.255.0
G/W: 192.168.1.2
=================

=======SRX=======
Master Instance (inet.0)
Interface: lo0.0 - 172.16.1.1/32
Route: Default next-table vr.inet.0
--------------------------------
Virtual Router Instance(vr.inet.0)
Interfaces: 
ge-0/0/1.0 - trust - 192.168.1.2/24
fe-0/0/3.0 - untrust - 80.10.115.1/24
Route: Default - 80.10.115.254
==================

=======ISP========
ISP: 80.10.115.254
Subnet: 255.255.255.0
==================

SRX_NTP_C:

#set system ntp server 192.168.1.2
#commit

[edit]
root# run set date ntp    
21 Apr 02:25:53 ntpdate[6861]: no server suitable for synchronization found

[edit]
root# run show ntp associations 
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.2     .INIT.          16 -    -   64    0    0.000    0.000 4000.00

Solution:

Change the NTP source address on the SRX to the lo0 interface IP address, as shown below:

Full configuration

set version 12.3X48-D45.6
set system host-name SRX-210-1
set system time-zone Asia/Hong_Kong
set system root-authentication encrypted-password "$1$h5tw2XUx$nVyVSOlquczhQXmtvE1cR0"
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system ntp server 202.118.1.46
set system ntp source-address 172.16.1.1    <<<< lo0 IP address
set security nat source rule-set HOST-NAT from zone junos-host
set security nat source rule-set HOST-NAT to routing-instance vr
set security nat source rule-set HOST-NAT rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set HOST-NAT rule 1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic protocols all
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.2/24
set interfaces fe-0/0/3 unit 0 family inet address 80.10.115.1/24
set interfaces lo0 unit 0 family inet address 172.16.1.1/32
set routing-options static route 0.0.0.0/0 next-table vr.inet.0
set policy-options policy-statement Import-Lo0-Route term 1 from instance master
set policy-options policy-statement Import-Lo0-Route term 1 from protocol direct
set policy-options policy-statement Import-Lo0-Route term 1 then accept
set policy-options policy-statement Import-Lo0-Route term default then reject
set routing-instances vr instance-type virtual-router
set routing-instances vr interface ge-0/0/1.0
set routing-instances vr interface fe-0/0/3.0
set routing-instances vr routing-options static route 0.0.0.0/0 next-hop 80.10.115.254
set routing-instances vr routing-options instance-import Import-Lo0-Route

Verification


SRX_NTP_C:

[edit]
root# run set date ntp             
21 Apr 02:28:58 ntpdate[6878]: step time server 192.168.1.2 offset 0.000959 sec

root# run show ntp associations 
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.2     202.118.1.46     2 -   55   64   37    4.418   -0.131   0.736
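An added example, not part of the KB article: a small Python parser for the "show ntp associations" output shown in this article, which treats a peer as synchronized only when it carries the "*" tally mark, has left the .INIT. state and has a non-zero reach value, so the failing state before the fix and the working state after it can be told apart in a script. The two sample outputs are constructed from the listings above.

```python
import re
from dataclasses import dataclass
# Constructed samples that reproduce the two states shown in this article:
# before the fix (refid .INIT., stratum 16, reach 0) and after it.
BEFORE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.2     .INIT.          16 -    -   64    0    0.000    0.000 4000.00
"""
AFTER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.2     202.118.1.46     2 -   55   64   37    4.418   -0.131   0.736
"""
# One association line: tally, remote, refid, st, t, when, poll, reach (octal,
# as ntpq prints it), delay, offset, jitter. Header/separator lines never match.
LINE = re.compile(
    r"^(?P<tally>[ *+#xo.-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"\S\s+\S+\s+\d+\s+(?P<reach>[0-7]+)\s+[-\d.]+\s+(?P<offset>[-\d.]+)\s+[-\d.]+\s*$"
)

@dataclass
class Peer:
    tally: str      # '*' = selected system peer, ' ' = rejected or unused
    remote: str
    refid: str
    stratum: int
    reach: int      # 8-bit reachability register; 0 = server never answered
    offset: float

    @property
    def synced(self) -> bool:
        # Usable only if selected, reached at least once, out of INIT and
        # carrying a real stratum (16 means unsynchronized).
        return (self.tally == "*" and self.reach != 0
                and self.refid != ".INIT." and self.stratum < 16)

def parse_associations(text: str) -> list:
    """Parse Junos 'show ntp associations' output, skipping header lines."""
    peers = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            peers.append(Peer(m["tally"], m["remote"], m["refid"], int(m["st"]),
                              int(m["reach"], 8), float(m["offset"])))
    return peers

def is_synced_to(text: str, server: str) -> bool:
    # True when 'server' is the selected, reachable system peer.
    return any(p.remote == server and p.synced for p in parse_associations(text))
```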