My apologies in advance for a large post, but I wanted to be detailed.
I've got a strange NTP issue that I've been trying to solve for a while.
I also have a support case open with the vendor (over 8 months).
I have a pair of Cisco routers acting as Stratum 2 NTP servers in my
network. They sync to some public Stratum 1 systems and deliver time to
all servers and routers inside the network. This makes NTP access rules
easier, etc.
All devices sync well to the Cisco NTP routers: Linux systems, Windows
systems, Cisco devices, but NOT Juniper devices.
I have about 6 different Juniper models (routers, switches, and
firewalls) in the network that will not sync NTP time with the Cisco
routers. They WILL sync time with a public NTP server, but I don't want
to do that in the design.
I have checked that I have correct firewall rules and network path in
the network. I have done several packet captures to see that NTP packets
are flowing from the Juniper to the Cisco and back again.
Ping, traceroute, latency, and packet loss all look good.
I am able to set the date on the Juniper devices via a
"set date ntp 1.1.1.1" command. That will correctly set the date and
sync it once with the Cisco NTP router. That command is basically an
ntpdate command. So I know the NTP communication path is good.
=-=-=-=-=- Cisco NTP server config settings -=-=-=-=-=
These are the NTP settings used by my Cisco routers to act as
Stratum 2 NTP devices for the rest of my network. I have sanitized some
of the data for privacy.
I have two Cisco routers, 1.1.1.1 and 1.1.1.2.
Both use the same configs and sync from an external Stratum 1 server,
then peer with each other.
ntp logging
ntp source Loopback100
ntp access-group peer 90
ntp access-group serve 91
ntp master 2
ntp update-calendar
ntp max-associations 2000
ntp peer 1.1.1.2 source Loopback100   <-- peer with the second Cisco router
ntp server 192.5.41.209 source Loopback100 prefer
access-list 90 remark << Allow NTP stratum 1 sync >>
access-list 90 permit 192.5.41.209
access-list 90 permit 1.1.1.2
access-list 91 remark << Allow NTP peer routers to sync >>
access-list 91 permit 10.0.0.0 0.255.255.255 log   <-- allow all of my internal network to sync NTP
access-list 91 deny any log
!- I have also removed the ACLs to check that they are not blocking any
NTP data.
show ntp associations
  address         ref clock     st  when  poll reach  delay  offset    disp
+~1.1.1.2         192.5.41.209   1   110   256   377    0.5   -0.05     0.7
+~127.127.7.1     .LOCL.         1     3    64   377    0.0    0.00     0.0
*~192.5.41.209    .IRIG.         1   939  1024   377   84.8    1.86     0.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
=-=-=-=-=- Juniper device ntp settings -=-=-=-=-=
set system ntp boot-server 1.1.1.1
set system ntp server 1.1.1.1 prefer
set system ntp server 1.1.1.2
set system ntp source-address 10.0.0.23   <-- my network IP for this device
show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 1.1.1.2         192.5.41.209     2 -  572 1024  377    0.000    0.000 4000.00
 1.1.1.1         192.5.41.209     2 -  641 1024  377    0.000    0.000 4000.00
show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Sat Nov 19 06:50:15 UTC 2011 (1)",
processor="powerpc", system="JUNOS10.4R8.5", leap=11, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=142342.440, peer=0,
refid=INIT, reftime=00000000.00000000 Wed, Feb 6 2036 22:28:16.000,
poll=4, clock=d586cd8e.774dd173 Tue, Jul 9 2013 10:57:34.466, state=1,
offset=0.000, frequency=-12.984, jitter=0.004, stability=0.000
ntpq> association
ind assID status conf reach auth condition last_event cnt
===========================================================
1 64948 b014 yes yes none reject reachable 1
2 64949 b014 yes yes none reject reachable 1
ntpq> rl 64948
status=b014 reach, conf, 1 event, event_reach,
srcadr=1.1.1.1, srcport=123, dstadr=0.0.0.0, dstport=123, leap=00,
stratum=2, precision=-32, rootdelay=0.946, rootdispersion=0.961,
refid=192.5.41.209, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10,
ppoll=10, flash=00 ok, keyid=0, ttl=32, offset=0.000, delay=0.000,
dispersion=15937.500, jitter=4000.000,
reftime=d586ca25.7a3cb409 Tue, Jul 9 2013 10:43:01.477,
org=d586cb1d.eb8614e9 Tue, Jul 9 2013 10:47:09.920,
rec=d586cb19.cd8277ff Tue, Jul 9 2013 10:47:05.802,
xmt=d586cb19.cca13483 Tue, Jul 9 2013 10:47:05.799,
filtdelay=     3.43    3.65    1.64    0.99    0.99    4.42    6.34    2.12,
filtoffset= 4118.96 4118.82 4117.27 4116.60 4116.10 4114.26 4117.08 4114.80,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
!- Here I force-update the time of the Juniper with the "set date ntp"
command.
set date ntp 1.1.1.1
9 Jul 11:03:31 ntpdate[74347]: step time server 1.1.1.1 offset 4.118177 sec
!- now show the NTP association to see that the filtoffset is reset.
ntpq> association
ind assID status conf reach auth condition last_event cnt
===========================================================
1 30188 b014 yes yes none reject reachable 1
2 30189 b014 yes yes none reject reachable 1
ntpq>
ntpq> rl 30188
status=b014 reach, conf, 1 event, event_reach,
srcadr=1.1.1.1, srcport=123, dstadr=0.0.0.0, dstport=123, leap=00,
stratum=2, precision=-32, rootdelay=1.236, rootdispersion=0.748,
refid=192.5.41.209, reach=001, unreach=1, hmode=3, pmode=4, hpoll=6,
ppoll=6, flash=00 ok, keyid=0, ttl=32, offset=0.000, delay=0.000,
dispersion=15937.500, jitter=4000.000,
reftime=d586ceca.6fe49f04 Tue, Jul 9 2013 11:02:50.437,
org=d586cf02.653e2e69 Tue, Jul 9 2013 11:03:46.395,
rec=d586cf02.65b7f74a Tue, Jul 9 2013 11:03:46.397,
xmt=d586cf02.6504c416 Tue, Jul 9 2013 11:03:46.394,
filtdelay=     2.73    6.43    1.35    6.43    0.60    5.99    7.85    1.42,
filtoffset=   -0.49    2.58    0.33    2.72    0.08    2.68    3.65    0.26,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=253 time=1.185 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=253 time=5.780 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=253 time=8.658 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=253 time=5.210 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=253 time=5.405 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=253 time=1.249 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=253 time=7.763 ms
64 bytes from 1.1.1.1: icmp_seq=7 ttl=253 time=1.756 ms
^C
--- 1.1.1.1 ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.185/4.626/8.658/2.735 ms
Like I said, I have an open ticket with Juniper, but they have failed to
figure this out and I don't think they are even trying at this point.
They have reproduced this effect in their lab pointing back to my Cisco
routers.
Any help would be great!
PJ
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
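Added here as an illustration, not code from the post or from either vendor: a short Python script that parses the "rl 64948" variables quoted above and computes the peer's root distance as defined in RFC 5905 (Appendix A.5.5.1), which is what ntpd compares against MAXDIST (1 s) when deciding whether a reachable peer is fit for selection. The PHI*(t - t0) aging term is omitted (an assumption that only makes the distance smaller), and the "healthy" contrast dump is constructed, not from the post.

```python
# Added illustration (not code from the original post): parse the ntpq "rl"
# variables quoted in the post and compute the peer's root distance per
# RFC 5905 A.5.5.1. ntpd treats a peer whose root distance exceeds MAXDIST
# as unfit for selection, however good its reach register looks.
import re

MAXDIST = 1.0    # RFC 5905 maximum acceptable root distance, seconds
MINDISP = 0.01   # RFC 5905 minimum dispersion, seconds
MAXDISP = 16.0   # RFC 5905 maximum dispersion, seconds (empty filter slot)

# Variables copied from the post's "rl 64948" output (ntpq reports delay,
# dispersion and jitter in milliseconds; filtdisp re-joined onto one line).
RL_OUTPUT = """status=b014 reach, conf, 1 event, event_reach,
srcadr=1.1.1.1, srcport=123, dstadr=0.0.0.0, dstport=123, leap=00,
stratum=2, precision=-32, rootdelay=0.946, rootdispersion=0.961,
refid=192.5.41.209, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10,
ppoll=10, flash=00 ok, keyid=0, ttl=32, offset=0.000, delay=0.000,
dispersion=15937.500, jitter=4000.000,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0"""

# Constructed contrast (NOT from the post): the same peer with the sample
# dispersion, jitter and delay a healthy association would report.
HEALTHY_OUTPUT = (RL_OUTPUT.replace("dispersion=15937.500", "dispersion=1.512")
                  .replace("jitter=4000.000", "jitter=0.873")
                  .replace("delay=0.000", "delay=3.412").replace("16000.0", "0.9"))

def parse_rl(text):
    """Collect the numeric name=value pairs of an ntpq rl/readvar dump."""
    return {k: float(v) for k, v in re.findall(r"(\w+)=(-?\d+(?:\.\d+)?)", text)}

def root_distance(v):
    """Root distance in seconds per RFC 5905; the PHI*(t - t0) aging term is
    left out (assumption: it only grows the distance, so cannot hide a reject)."""
    ms = 1000.0
    return (max(MINDISP, (v["rootdelay"] + v["delay"]) / ms) / 2
            + v["rootdispersion"] / ms + v["dispersion"] / ms + v["jitter"] / ms)

def diagnose(text):
    """Report whether a reachable peer is selectable, and why, from its rl dump."""
    v = parse_rl(text)
    filt = [float(x) for x in re.search(r"filtdisp=([\d. ]+)", text).group(1).split()]
    dist = root_distance(v)
    return {
        "reachable": int(v["reach"]) == 377,      # ntpq prints reach in octal
        "root_distance_s": round(dist, 3),
        "selectable": dist <= MAXDIST,
        # every filter slot still at MAXDISP: no sample has ever been accepted
        "all_samples_maxdisp": all(d / 1000.0 >= MAXDISP for d in filt),
    }
```

Run diagnose() on both dumps: the post's peer is reachable yet sits at a root distance near 20 s with every filter slot at MAXDISP, while the constructed healthy peer comes out well under 1 s.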