
[EX] Time is not synchronizing with NTP due to a filter applied as input on the loopback interface

Article ID: KB33873 | KB Last Updated: 21 Apr 2019 | Version: 1.0
Summary:

This article explains how to synchronize the time with NTP on a switch when it fails because of a firewall filter protecting the RE.

Symptoms:

Problem description:

When the EX4600 receives an NTP packet from the NTP server, it forwards the packet internally to the routing engine with the loopback interface's IP address as both the source and the destination address, as shown below:

Name of protocol: UDP, Packet Length: 40, Source address: 10.35.255.0:61769, Destination address: 10.35.255.0:123
Name of protocol: UDP, Packet Length: 40, Source address: 10.35.255.0:61769, Destination address: 10.35.255.0:123

NTP does not synchronize the date and time even though the filter has a term that explicitly allows the NTP server.
 

Topology:

[EX4600] lo0 (10.35.255.0) ------------- NTP-SERVER (10.35.255.5)
 

Configuration:

1. NTP configuration:

set system ntp server 10.35.255.5
set system ntp source-address 10.35.255.0

2. Loopback interface configuration:

set interfaces lo0 unit 92 family inet filter input protect-re
set interfaces lo0 unit 92 family inet address 10.35.255.0/32

3. Existing firewall filter to protect the routing engine:

set firewall family inet filter protect-re term ntp-addresses from source-prefix-list ntp-addresses
set firewall family inet filter protect-re term ntp-addresses from protocol udp
set firewall family inet filter protect-re term ntp-addresses from destination-port 123
set firewall family inet filter protect-re term ntp-addresses then count NTP-COUNTER
set firewall family inet filter protect-re term ntp-addresses then accept
set policy-options prefix-list ntp-addresses 10.85.130.130/32
set policy-options prefix-list ntp-addresses 10.35.255.0/32
set policy-options prefix-list ntp-addresses 10.35.255.5/32


NTP Status:

show ntp status
localhost: timed out, nothing received
***Request timed out

show ntp associations
localhost: timed out, nothing received
***Request timed out

show system uptime
fpc0:
--------------------------------------------------------------------------
Current time: 2019-01-28 12:22:25 PST
Time Source:  LOCAL CLOCK

Solution:

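Add a new term to the protect-re filter that accepts traffic sourced from the switch's own loopback address. As written, the term matches on source address only, so it accepts any traffic from 10.35.255.0/32, not only NTP: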

set firewall family inet filter protect-re term lo0 from source-address 10.35.255.0/32
set firewall family inet filter protect-re term lo0 then accept
commit

 

Then the time will synchronize:

run show system uptime
 
fpc0:
--------------------------------------------------------------------------
Current time: 2019-01-28 12:23:52 PST
Time Source:  NTP CLOCK
 
  
show ntp status
 
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Mon Dec 17 05:04:25  2018 (1)", processor="i386",
system="JUNOS18.4R1.8", leap=00, stratum=6, precision=-20,
rootdelay=187.076, rootdispersion=150.017, peer=13484,
refid=10.35.255.5,
 
 
show ntp associations
 
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*10.35.255.5     10.85.130.130    5 -  195  512  377   10.674    1.572   0.786
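
The before-and-after outputs above can be turned into an automated check to run after any change to the protect-re filter. This is an added example, not Juniper's code; the function names are hypothetical and the sample inputs are constructed from the CLI output shown in this article.

```python
import re

# Constructed inputs: CLI output copied from this article (before and after the fix).
UPTIME_BEFORE = "fpc0:\nCurrent time: 2019-01-28 12:22:25 PST\nTime Source:  LOCAL CLOCK\n"
UPTIME_AFTER = "fpc0:\nCurrent time: 2019-01-28 12:23:52 PST\nTime Source:  NTP CLOCK\n"
ASSOC_BEFORE = "localhost: timed out, nothing received\n***Request timed out\n"
ASSOC_AFTER = (
    "   remote         refid           st t when poll reach   delay   offset  jitter\n"
    "===============================================================================\n"
    "*10.35.255.5     10.85.130.130    5 -  195  512  377   10.674    1.572   0.786\n"
)

# One peer row: tally code in column 1, then remote, refid, st, t, when, poll, reach.
PEER_ROW = re.compile(
    r"^([ x.\-+#*o])(\S+)\s+(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+([0-7]+)\s")

def time_source(uptime_text):
    """Return the 'Time Source' value from 'show system uptime', or None."""
    m = re.search(r"^Time Source:[ \t]*(.+?)[ \t]*$", uptime_text, re.M)
    return m.group(1) if m else None

def parse_associations(assoc_text):
    """Parse 'show ntp associations' rows; timeouts and headers yield no rows."""
    peers = []
    for line in assoc_text.splitlines():
        m = PEER_ROW.match(line)
        if m:
            reach = int(m.group(8), 8)  # octal shift register of the last 8 polls
            peers.append({"tally": m.group(1), "remote": m.group(2),
                          "refid": m.group(3), "stratum": int(m.group(4)),
                          "polls_answered": bin(reach).count("1")})
    return peers

def ntp_health(uptime_text, assoc_text):
    """Return (ok, reasons); ok only if the clock source is NTP and a peer is selected."""
    reasons = []
    source = time_source(uptime_text)
    if source != "NTP CLOCK":
        reasons.append(f"time source is {source!r}, not 'NTP CLOCK'")
    selected = [p for p in parse_associations(assoc_text) if p["tally"] == "*"]
    if not selected:
        reasons.append("no peer marked '*' (system peer) in associations")
    elif selected[0]["polls_answered"] == 0:
        reasons.append(f"selected peer {selected[0]['remote']} has reach 0")
    return (not reasons, reasons)

if __name__ == "__main__":
    print("before:", ntp_health(UPTIME_BEFORE, ASSOC_BEFORE))
    print("after: ", ntp_health(UPTIME_AFTER, ASSOC_AFTER))
```

A switch that silently falls back to LOCAL CLOCK produces log timestamps that drift from the rest of the network, so this check is worth running on every device that carries a routing-engine protection filter.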
 