Sunday 4 November 2012

[JTips] Configure NTP server


JUNOS TIP: Keeping routers (and therefore their log timestamps) synchronized with NTP, and protecting the routing engine with an lo0-based firewall filter, are two best practices that are usually deployed together.


One of NTP's less well-understood nuances is that obtaining server association status is itself an NTP exchange: the ntpq client behind "show ntp associations" queries the local daemon over UDP port 123 at the 127.0.0.1 loopback address. That traffic is subject to the routing-engine protection filter just like NTP packets from the network, so make sure the filter permits it, or you will get a timeout instead of the expected status display even though clock synchronization itself works.


Scenario: You have configured Junos for NTP. Clock synchronization is working fine, yet the "show ntp associations" command times out:


user@host> show ntp associations
localhost: timed out, nothing received
***Request timed out

The fix is to make sure your routing-engine protection filter permits this internal communication with the NTP daemon. First, look at the term that is discarding it; it drops any NTP packet whose source is not in the NTP-ROUTER-ACCESS prefix list, and 127.0.0.1 is not in that list:
[edit]
user@host# show firewall family inet filter ROUTER-ACCESS term NTP-REJECT
from {
  source-prefix-list {
    default-prefix;
    NTP-ROUTER-ACCESS except;
  }
  protocol udp;
  port ntp;
}
then {
  discard;
}

user@host# show policy-options prefix-list NTP-ROUTER-ACCESS
10.0.3.1/32;
10.0.3.99/32;

Modify the NTP-ROUTER-ACCESS prefix list to include the loopback address, like this (keep in mind that the same prefix list also defines which remote servers may reach the daemon, so the loopback entry applies to every term that references it):

[edit policy-options prefix-list NTP-ROUTER-ACCESS]
user@host# show | compare

+ 127.0.0.1/32;
user@host# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.3.99       130.149.17.8     2 u   29   64  377    0.624   -0.427   0.280
+10.0.3.1        192.36.143.150   2 -   24  128  377    2.343    2.014   0.168
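A tighter alternative, added here as an example and not taken from the original post: rather than widening the server prefix list, give the loopback exchange its own accept term and place it ahead of NTP-REJECT. The filter, prefix-list and NTP-REJECT term names follow the post; the NTP-LOCAL term name is an assumption, and the comments are Junos annotations added for explanation.

```junos
[edit firewall family inet filter ROUTER-ACCESS]
user@host# show
/* Added example: permit ntpq (show ntp associations) to reach the local ntpd.
   Both ends of that exchange are 127.0.0.1, so pin source AND destination;
   an NTP packet from the network never matches this term. */
term NTP-LOCAL {
    from {
        source-address {
            127.0.0.1/32;
        }
        destination-address {
            127.0.0.1/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}
/* Term from the post, unchanged: discard NTP from any source that is not
   in NTP-ROUTER-ACCESS. Permitted servers fall through to later terms. */
term NTP-REJECT {
    from {
        source-prefix-list {
            default-prefix;
            NTP-ROUTER-ACCESS except;
        }
        protocol udp;
        port ntp;
    }
    then {
        discard;
    }
}

[edit firewall family inet filter ROUTER-ACCESS]
user@host# insert term NTP-LOCAL before term NTP-REJECT
user@host# commit
user@host# run show ntp associations
```

Term order matters: a filter evaluates terms top to bottom, so if NTP-LOCAL were committed after NTP-REJECT the loopback query would still be discarded, which is why the insert command is shown. The benefit over adding 127.0.0.1/32 to NTP-ROUTER-ACCESS is that the prefix list keeps its single meaning (the remote servers you trust) and the loopback permit cannot leak into other terms that reference it.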
