This article explains how to let client devices synchronize NTP with an SRX device through an SRX interface that belongs to a custom routing instance.
Sometimes the SRX firewall is configured with its own NTP association (its upstream NTP server) reached through a custom routing instance. At the same time, the client devices behind the SRX need to synchronize their clocks to the SRX itself, via an SRX interface that belongs to that custom routing instance. When the clients use the gateway (SRX) interface IP address as their NTP server address, the synchronization can fail, as shown in the example below.
Example:
[SRX_NTP_C]-----------------------[SRX_NTP_S]-----------------------ISP
LAN (SRX_NTP_C side): 192.168.1.0/24 | WAN (ISP side): 80.10.115.0/24
=======PC========
IP: 192.168.1.1
Subnet: 255.255.255.0
G/W: 192.168.1.2
=================
=======SRX=======
Master Instance (inet.0)
Interface: lo0.0 - 172.16.1.1/32
Route: Default next-table vr.inet.0
--------------------------------
Virtual Router Instance(vr.inet.0)
Interfaces:
ge-0/0/1.0 - trust - 192.168.1.2/24
fe-0/0/3.0 - untrust - 80.10.115.1/24
Route: Default - 80.10.115.254
==================
=======ISP========
ISP: 80.10.115.254
Subnet: 255.255.255.0
==================
SRX_NTP_C:
#set system ntp server 192.168.1.2
#commit
[edit]
root# run set date ntp
21 Apr 02:25:53 ntpdate[6861]: no server suitable for synchronization found
[edit]
root# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.1.2 .INIT. 16 - - 64 0 0.000 0.000 4000.00
Resolution: on SRX_NTP_S, change the NTP source address to the lo0 interface IP address (172.16.1.1), which lives in the master instance (inet.0). The working configuration below also contains the pieces that make this reachable from the virtual router: a default static route in inet.0 pointing to next-table vr.inet.0, an instance-import policy that copies the lo0 direct route from the master instance into vr, and a source NAT rule from zone junos-host into routing-instance vr that translates SRX-originated traffic to the egress interface address (presumably because the lo0 address is not routable from the ISP side). The article does not state the underlying cause of the failure; only the working configuration is shown.
Full configuration of SRX_NTP_S (lab example). Security note: this configuration is not hardened. The `system services` stanza enables FTP, Telnet and plain HTTP (all cleartext), and the zone statements use `host-inbound-traffic system-services all` on both the trust interface and the ISP-facing untrust interface, which exposes those management services to the Internet; the security policy is also `default-policy permit-all`. In production, permit only what the use case needs (for example `host-inbound-traffic system-services ntp` on the trust interface, and no management services inbound on untrust), restrict the security policies, and consider configuring NTP authentication for the upstream server association, which the example does not use.
set version 12.3X48-D45.6
set system host-name SRX-210-1
set system time-zone Asia/Hong_Kong
set system root-authentication encrypted-password "$ABC123"
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system ntp server 202.118.1.46
set system ntp source-address 172.16.1.1 <<<<lo0 IP address
set security nat source rule-set HOST-NAT from zone junos-host
set security nat source rule-set HOST-NAT to routing-instance vr
set security nat source rule-set HOST-NAT rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set HOST-NAT rule 1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic protocols all
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.2/24
set interfaces fe-0/0/3 unit 0 family inet address 80.10.115.1/24
set interfaces lo0 unit 0 family inet address 172.16.1.1/32
set routing-options static route 0.0.0.0/0 next-table vr.inet.0
set policy-options policy-statement Import-Lo0-Route term 1 from instance master
set policy-options policy-statement Import-Lo0-Route term 1 from protocol direct
set policy-options policy-statement Import-Lo0-Route term 1 then accept
set policy-options policy-statement Import-Lo0-Route term default then reject
set routing-instances vr instance-type virtual-router
set routing-instances vr interface ge-0/0/1.0
set routing-instances vr interface fe-0/0/3.0
set routing-instances vr routing-options static route 0.0.0.0/0 next-hop 80.10.115.254
set routing-instances vr routing-options instance-import Import-Lo0-Route
Verification
SRX_NTP_C:
[edit]
root# run set date ntp
21 Apr 02:28:58 ntpdate[6878]: step time server 192.168.1.2 offset 0.000959 sec
root# run show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.1.2 202.118.1.46 2 - 55 64 37 4.418 -0.131 0.736