[EX] Time is not synchronizing with NTP due to a filter applied as input on the loopback interface

[KB33873]


Summary:

This article explains why NTP time synchronization fails on an EX4600 switch when a firewall filter protecting the Routing Engine (RE) is applied as an input filter on the loopback interface, and how to fix it.

Symptoms:

Problem description:

When the EX4600 receives an NTP packet from the NTP server, it forwards the packet internally to the Routing Engine with both the source and the destination address rewritten to the loopback interface's IP address, as the filter log shows:

Name of protocol: UDP, Packet Length: 40, Source address: 10.35.255.0:61769, Destination address: 10.35.255.0:123
Name of protocol: UDP, Packet Length: 40, Source address: 10.35.255.0:61769, Destination address: 10.35.255.0:123

As a result, NTP does not synchronize the date and time even though the protect-re filter already contains a term that explicitly accepts the NTP server.
 

Topology:

[EX4600] lo0(10.35.255.0 )------------- NTP-SERVER (10.35.255.5)
 

Configuration:

1. NTP configuration:

set system ntp server 10.35.255.5
set system ntp source-address 10.35.255.0

2. Loopback interface configuration:

set interfaces lo0 unit 92 family inet filter input protect-re
set interfaces lo0 unit 92 family inet address 10.35.255.0/32

3. Existing firewall to protect routing engine:

set firewall family inet filter protect-re term ntp-addresses from source-prefix-list ntp-addresses
set firewall family inet filter protect-re term ntp-addresses from protocol udp
set firewall family inet filter protect-re term ntp-addresses from destination-port 123
set firewall family inet filter protect-re term ntp-addresses then count NTP-COUNTER
set firewall family inet filter protect-re term ntp-addresses then accept
set policy-options prefix-list ntp-addresses 10.85.130.130/32
set policy-options prefix-list ntp-addresses 10.35.255.0/32
set policy-options prefix-list ntp-addresses 10.35.255.5/32


NTP Status:

show ntp status
localhost: timed out, nothing received
***Request timed out

show ntp associations
localhost: timed out, nothing received
***Request timed out

show system uptime
fpc0:
--------------------------------------------------------------------------
Current time: 2019-01-28 12:22:25 PST
Time Source:  LOCAL CLOCK

Solution:

Add a term to the protect-re filter that accepts traffic sourced from the switch's own loopback address, so that the internally forwarded NTP packet reaches the Routing Engine:

set firewall family inet filter protect-re term lo0 from source-address 10.35.255.0/32
set firewall family inet filter protect-re term lo0 then accept
commit

Note that this term accepts every protocol from 10.35.255.0/32, not only NTP. Make sure that packets from outside the switch cannot arrive with that source address (for example, by discarding spoofed loopback sources in the filters on the revenue interfaces); otherwise the term would let such packets reach the RE.
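The following is an added example, not part of the original KB, that combines the diagnostics for the symptom described above with a verifiable version of the fix. The term keeps the KB's source-only match: narrowing it to UDP/123 is deliberately not shown, because the existing ntp-addresses term, which already matches udp, destination-port 123 and the 10.35.255.0/32 prefix, is exactly what fails to catch the looped packet. A count action (and a log action, assumed to be supported on the platform; count alone is enough) is added so the match can be confirmed. The counter name LO0-COUNTER and the discard term name DISCARD-ALL are assumptions; substitute the names used in your filter. Lines starting with ## are explanations for the reader, not CLI input.

```junos
## Added example, not from the original KB. LO0-COUNTER and DISCARD-ALL are
## assumed names.

## 1. Diagnosis (operational mode). If the ntp-addresses term were matching
##    the looped packet, NTP-COUNTER would increase with every NTP poll;
##    the firewall log shows the packet sourced from the lo0 address instead.
show firewall filter protect-re
show firewall log
show ntp associations

## 2. Fix (configuration mode): accept traffic sourced from the switch's own
##    loopback address, and count/log it so the match can be verified.
set firewall family inet filter protect-re term lo0 from source-address 10.35.255.0/32
set firewall family inet filter protect-re term lo0 then count LO0-COUNTER
set firewall family inet filter protect-re term lo0 then log
set firewall family inet filter protect-re term lo0 then accept

## 'set' appends the new term to the end of the filter. Terms are evaluated
## in order, so if protect-re already ends with an explicit discard-everything
## term the new term must be moved in front of it, or it is never reached.
insert firewall family inet filter protect-re term lo0 before term DISCARD-ALL

## Review the change, then commit.
show | compare
commit

## 3. Verification (operational mode): LO0-COUNTER now increments with each
##    NTP poll, the server shows as the selected peer (*), and the time
##    source changes from LOCAL CLOCK to NTP CLOCK.
show firewall filter protect-re
show ntp associations
show system uptime
```

If LO0-COUNTER stays at zero after the commit, the looped packet is being caught by an earlier term (check their counters with show firewall filter protect-re) or the new term sits behind an explicit discard; fix the term order before looking elsewhere.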

 

Then the time synchronizes (the first command is issued from configuration mode, hence the "run" prefix):

run show system uptime
fpc0:
--------------------------------------------------------------------------
Current time: 2019-01-28 12:23:52 PST
Time Source:  NTP CLOCK

show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Mon Dec 17 05:04:25  2018 (1)", processor="i386",
system="JUNOS18.4R1.8", leap=00, stratum=6, precision=-20,
rootdelay=187.076, rootdispersion=150.017, peer=13484,
refid=10.35.255.5,

show ntp associations
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*10.35.255.5     10.85.130.130    5 -  195  512  377   10.674    1.572   0.786

The asterisk marks 10.35.255.5 as the selected synchronization peer, and a reach value of 377 (octal) shows that the last eight polls were all answered.