
[M/MX/ACX] NTP authentication configured globally sends authenticated packet to a single server


Article ID: KB36283 KB Last Updated: 15 Nov 2020Version: 1.0
Summary:

The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that users can correlate events when they receive system logs and other time-specific events from multiple network devices.

Time synchronization can be authenticated so that the local router or switch obtains time only from known sources. By default, however, time synchronization is unauthenticated: the system synchronizes to whichever server appears to have the most accurate time.

Authentication is the defense NTP uses against tampering with the timestamps that devices log. Contrary to a common misconception, NTP authentication verifies the time source, not the client. Multiple servers are configured for redundancy, so that no single point of failure can affect time synchronization. For these reasons, it is recommended to configure authentication of network time services.

This article details the recommended NTP configuration to use when there are multiple NTP servers. 


Symptoms:

When multiple NTP servers are used for clock synchronization and the authentication key is configured for a single server, the clock synchronizes and the device sends authenticated packets only to that one server. This happens because NTP authentication is configured globally: all authenticated packets are directed to a single server, and the other servers provide no redundancy.


Cause:

The above situation can arise if the following two conditions are met:

  1. NTP authentication is configured and applied globally.

  2. More than one NTP server is configured.


Solution:

When multiple servers are configured, apply the authentication key to each NTP server individually (a key statement under each server statement) so that authenticated packets are not all directed to a single server.

For configuration details, refer to Configuring the NTP Time Server and Time Services.

A snippet of configuration with two NTP servers is displayed below:

jtac@mx104# show system ntp
Feb 25 13:56:59 
boot-server 192.168.1.1;
authentication-key 1 type md5 value "$ABC123"; ## SECRET-DATA
server 192.168.1.1 key 1 prefer; ## SECRET-DATA
server 192.168.10.1 key 1 prefer; ## SECRET-DATA
trusted-key 1;
source-address 10.64.229.136;

jtac@mx104# run show configuration system ntp | display set
Feb 25 14:08:18
set system ntp boot-server 192.168.1.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$ABC123"
set system ntp server 192.168.1.1 key 1
set system ntp server 192.168.1.1 prefer
set system ntp server 192.168.10.1 key 1
set system ntp server 192.168.10.1 prefer
set system ntp trusted-key 1
set system ntp source-address 10.64.229.136

jtac@mx104# run show ntp associations 
Feb 25 14:09:10
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.1.1     .GPGL.           1 -    5   64    1    0.002  404.719   0.014
*192.168.10.1    .GPS.            1 -    4   64    1    0.501   -0.025   0.054


jtac@mx104# run show ntp associations
Feb 25 14:22:18
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
x192.168.1.1     .GPGL.           1 -   22   64  377    0.002  404.481   0.080
x192.168.10.1    .GPS.            1 -   14   64  377    0.487   -0.214   0.110

{MASTER}[edit]
jtac@mx104# 
jtac@mx104# run show ntp associations
Feb 25 14:22:19
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
x192.168.1.1     .GPGL.           1 -   23   64  377    0.002  404.481   0.080
x192.168.10.1    .GPS.            1 -   15   64  377    0.487   -0.214   0.110
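The following Python script is an added example, not Juniper code and not part of this article. It audits a "display set" listing of the kind shown above for the per-server key practice the Solution section recommends (every server statement carries a key, the key is defined as an authentication-key, and it is listed under trusted-key), and it parses "show ntp associations" rows so the reach field (octal in ntpq-style output) and the tally code in the first column can be checked programmatically. The sample listing is constructed from the article's configuration plus a hypothetical third server, 192.168.20.1, that has no key statement; the sample association rows are taken from the two snapshots above.

```python
"""Audit Junos NTP configuration and association output (added example, not Juniper code)."""
import re

# Constructed sample: the article's listing plus a hypothetical third server
# (192.168.20.1) that carries no 'key' statement, to show what the audit reports.
SAMPLE_CONFIG = """\
set system ntp boot-server 192.168.1.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$ABC123"
set system ntp server 192.168.1.1 key 1
set system ntp server 192.168.1.1 prefer
set system ntp server 192.168.10.1 key 1
set system ntp server 192.168.10.1 prefer
set system ntp server 192.168.20.1 prefer
set system ntp trusted-key 1
set system ntp source-address 10.64.229.136
"""

# Constructed sample: rows from the article's two 'show ntp associations' snapshots.
SAMPLE_ASSOC = """\
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.1.1     .GPGL.           1 -    5   64    1    0.002  404.719   0.014
*192.168.10.1    .GPS.            1 -    4   64    1    0.501   -0.025   0.054
x192.168.1.1     .GPGL.           1 -   22   64  377    0.002  404.481   0.080
x192.168.10.1    .GPS.            1 -   14   64  377    0.487   -0.214   0.110
"""

SERVER_RE = re.compile(r"^set system ntp server (\S+)(?: key (\d+))?")
AUTHKEY_RE = re.compile(r"^set system ntp authentication-key (\d+) ")
TRUSTED_RE = re.compile(r"^set system ntp trusted-key (\d+)")


def parse_ntp_config(text):
    """Return (servers, auth_keys, trusted_keys).

    servers maps each server address to the key id it references, or None
    when no 'key' statement appears on any of that server's set lines.
    """
    servers, auth_keys, trusted_keys = {}, set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            addr, key = m.group(1), m.group(2)
            # A server spans several set lines; keep any key id seen on any of them.
            servers[addr] = int(key) if key else servers.get(addr)
            continue
        m = AUTHKEY_RE.match(line)
        if m:
            auth_keys.add(int(m.group(1)))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            trusted_keys.add(int(m.group(1)))
    return servers, auth_keys, trusted_keys


def audit_ntp_config(text):
    """Return a list of findings; an empty list means every server is properly keyed."""
    servers, auth_keys, trusted_keys = parse_ntp_config(text)
    findings = []
    for addr, key in sorted(servers.items()):
        if key is None:
            findings.append(f"server {addr}: no 'key' statement, packets to it are unauthenticated")
        elif key not in auth_keys:
            findings.append(f"server {addr}: key {key} is not defined as an authentication-key")
        elif key not in trusted_keys:
            findings.append(f"server {addr}: key {key} is not listed under trusted-key")
    return findings


# Standard ntpq tally codes for the first column of the associations table.
TALLY = {" ": "discarded", "x": "falseticker", ".": "excess", "-": "outlier",
         "+": "candidate", "#": "backup", "*": "sys.peer", "o": "pps.peer"}
ASSOC_RE = re.compile(
    r"^([ *#+x.o-])(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+(\S+)\s+(\d+)\s+([0-7]+)\s+"
    r"([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)"
)


def parse_associations(text):
    """Parse association rows into dicts; the reach register is octal (377 = 8 of 8 polls)."""
    rows = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            rows.append({"tally": TALLY[m.group(1)], "remote": m.group(2),
                         "refid": m.group(3), "stratum": int(m.group(4)),
                         "reach": int(m.group(7), 8), "offset_ms": float(m.group(9))})
    return rows


if __name__ == "__main__":
    for finding in audit_ntp_config(SAMPLE_CONFIG) or ["all servers carry a defined, trusted key"]:
        print(finding)
    for row in parse_associations(SAMPLE_ASSOC):
        print(f"{row['remote']:<14} {row['tally']:<12} reach={row['reach']:3d} offset={row['offset_ms']} ms")
```

Run it against the real listing by replacing SAMPLE_CONFIG with the output of "show configuration system ntp | display set"; a server reported without a key statement is exactly the globally-authenticated case the Symptoms section describes, since only the keyed server receives authenticated packets.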

