[ntp:questions] Juniper NTP with Cisco problems

PJ Balsley pbalsley at ragingwire.com
Tue Jul 9 22:13:47 UTC 2013


My apologies in advance for a large post, but I wanted to be detailed.

I've got a strange NTP issue that I've been trying to solve for a while.
I also have a support case open with the vendor too (over 8 months).

I have a pair of Cisco routers acting as Stratum 2 NTP servers in my
network. They sync to some public Stratum 1 systems and deliver time to
all servers and routers inside the network. This makes NTP access rules
easier, etc.

All devices sync well to the Cisco NTP routers: Linux systems, Windows
systems, Cisco devices, but NOT Juniper devices.

I have about 6 different Juniper models (routers, switches, and
firewalls) in the network that will not sync NTP time with the Cisco
routers. They WILL sync time with a public NTP server, but I don't want
to do that in the design.

I have checked that I have correct firewall rules and network path in
the network. I have done several packet captures to see that NTP packets
are flowing from the Juniper to the Cisco and back again.

Ping, traceroute, latency, and packet loss all look good.

I am able to set the date on the Juniper devices via a "set date ntp
1.1.1.1" command. That will correctly set the date and sync it once with
the NTP Cisco router. That command is basically an ntpdate command. So I
know the NTP communication path is good.

=-=-=-=-=- Cisco NTP server config settings -=-=-=-=-=

These are the NTP router settings used by my Cisco routers to act as
stratum 2 NTP devices for the rest of my network. I have sanitized some
of the data for privacy.

I have two Cisco routers, 1.1.1.1 and 1.1.1.2.

Both use the same configs and sync from an external Stratum 1 server,
then peer with each other.

ntp logging
ntp source Loopback100
ntp access-group peer 90
ntp access-group serve 91
ntp master 2
ntp update-calendar
ntp max-associations 2000
ntp peer 1.1.1.2 source Loopback100    <-- peer with second Cisco router.
ntp server 192.5.41.209 source Loopback100 prefer

access-list 90 remark << Allow NTP stratum 1 sync >>
access-list 90 permit 192.5.41.209
access-list 90 permit 1.1.1.2

access-list 91 remark << Allow NTP peer routers to sync >>
access-list 91 permit 10.0.0.0 0.255.255.255 log   <-- allow all my internal network to sync NTP.
access-list 91 deny   any log

!- I have removed the ACLs also to check that they are not blocking any
NTP data as well.

show ntp associations

      address         ref clock     st  when  poll reach  delay  offset   disp
+~1.1.1.2           192.5.41.209     1   110   256  377     0.5   -0.05    0.7
+~127.127.7.1      .LOCL.            1     3    64  377     0.0    0.00    0.0
*~192.5.41.209     .IRIG.            1   939  1024  377    84.8    1.86    0.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

=-=-=-=-=- Juniper device NTP settings -=-=-=-=-=

set system ntp boot-server 1.1.1.1
set system ntp server 1.1.1.1 prefer
set system ntp server 1.1.1.2
set system ntp source-address 10.0.0.23    <-- my network IP for this device.

show ntp associations

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
1.1.1.2    192.5.41.209          2 -  572 1024  377    0.000    0.000 4000.00
1.1.1.1    192.5.41.209          2 -  641 1024  377    0.000    0.000 4000.00

show ntp status

status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Sat Nov 19 06:50:15 UTC 2011 (1)",
processor="powerpc", system="JUNOS10.4R8.5", leap=11, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=142342.440, peer=0,
refid=INIT, reftime=00000000.00000000  Wed, Feb  6 2036 22:28:16.000,
poll=4, clock=d586cd8e.774dd173  Tue, Jul  9 2013 10:57:34.466, state=1,
offset=0.000, frequency=-12.984, jitter=0.004, stability=0.000

ntpq> association

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 64948  b014   yes   yes  none    reject   reachable  1
  2 64949  b014   yes   yes  none    reject   reachable  1

ntpq> rl 64948

status=b014 reach, conf, 1 event, event_reach,
srcadr=1.1.1.1, srcport=123, dstadr=0.0.0.0, dstport=123, leap=00,
stratum=2, precision=-32, rootdelay=0.946, rootdispersion=0.961,
refid=192.5.41.209, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10,
ppoll=10, flash=00 ok, keyid=0, ttl=32, offset=0.000, delay=0.000,
dispersion=15937.500, jitter=4000.000,
reftime=d586ca25.7a3cb409  Tue, Jul  9 2013 10:43:01.477,
org=d586cb1d.eb8614e9  Tue, Jul  9 2013 10:47:09.920,
rec=d586cb19.cd8277ff  Tue, Jul  9 2013 10:47:05.802,
xmt=d586cb19.cca13483  Tue, Jul  9 2013 10:47:05.799,
filtdelay=     3.43    3.65    1.64    0.99    0.99    4.42    6.34    2.12,
filtoffset= 4118.96 4118.82 4117.27 4116.60 4116.10 4114.26 4117.08 4114.80,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

!- here I force update the time of the Juniper with the set date ntp
command

set date ntp 1.1.1.1
9 Jul 11:03:31 ntpdate[74347]: step time server 1.1.1.1 offset 4.118177 sec

!- now show the NTP association to see that the filtoffset is reset.

ntpq> association

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 30188  b014   yes   yes  none    reject   reachable  1
  2 30189  b014   yes   yes  none    reject   reachable  1
ntpq>

ntpq> rl 30188

status=b014 reach, conf, 1 event, event_reach,
srcadr=1.1.1.1, srcport=123, dstadr=0.0.0.0, dstport=123, leap=00,
stratum=2, precision=-32, rootdelay=1.236, rootdispersion=0.748,
refid=192.5.41.209, reach=001, unreach=1, hmode=3, pmode=4, hpoll=6,
ppoll=6, flash=00 ok, keyid=0, ttl=32, offset=0.000, delay=0.000,
dispersion=15937.500, jitter=4000.000,
reftime=d586ceca.6fe49f04  Tue, Jul  9 2013 11:02:50.437,
org=d586cf02.653e2e69  Tue, Jul  9 2013 11:03:46.395,
rec=d586cf02.65b7f74a  Tue, Jul  9 2013 11:03:46.397,
xmt=d586cf02.6504c416  Tue, Jul  9 2013 11:03:46.394,
filtdelay=     2.73    6.43    1.35    6.43    0.60    5.99    7.85    1.42,
filtoffset=   -0.49    2.58    0.33    2.72    0.08    2.68    3.65    0.26,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=253 time=1.185 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=253 time=5.780 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=253 time=8.658 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=253 time=5.210 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=253 time=5.405 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=253 time=1.249 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=253 time=7.763 ms
64 bytes from 1.1.1.1: icmp_seq=7 ttl=253 time=1.756 ms
^C
--- 1.1.1.1 ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.185/4.626/8.658/2.735 ms


Like I said, I have an open ticket with Juniper, but they have failed to
figure this out and I don't think they are even trying at this point.

They have reproduced this effect in their lab pointing back to my Cisco
routers.

Any help would be great!

PJ
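The two "ntpq> rl" outputs in the post can be checked by hand. The script below is an added example, not part of the post and not Juniper or Cisco tooling: it decodes the hex NTP timestamps, recomputes the newest filter sample's offset and delay from xmt/org/rec (assuming the server's receive and transmit times coincide, since rl does not show T2), and shows why condition=reject follows from every filtdisp slot sitting at 16000 ms, the value ntpd uses for a sample it cannot use, whatever the offsets look like. The 1 s root-distance threshold is RFC 5905's MAXDIST; ntpd builds use 1 s or 1.5 s.

```python
import re
MAXDISPERSE_MS = 16000.0   # ntpd's "unusable sample" dispersion (16 s); filter slots start at this value
MAXDIST_MS = 1000.0        # RFC 5905 select threshold on root distance (ntpd builds use 1 s or 1.5 s)

# Peer variables copied from the post's two "ntpq> rl" outputs, before and after "set date ntp".
BEFORE_STEP = ("rootdelay=0.946, rootdispersion=0.961, org=d586cb1d.eb8614e9, rec=d586cb19.cd8277ff, "
               "xmt=d586cb19.cca13483, filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0")
AFTER_STEP = ("rootdelay=1.236, rootdispersion=0.748, org=d586cf02.653e2e69, rec=d586cf02.65b7f74a, "
              "xmt=d586cf02.6504c416, filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0")

def parse_rl(text):
    """Split 'key=value, key=value' into a dict; filt* values become lists of strings."""
    out = {}
    for m in re.finditer(r"(\w+)=\s*([^,]+)", text):
        key, val = m.group(1), m.group(2).strip()
        out[key] = val.split() if key.startswith("filt") else val
    return out

def ntp_ts(hexts):
    """ntpq prints NTP timestamps as 'seconds.fraction' in hex; keep them as exact 64-bit fixed point."""
    sec, frac = (int(p, 16) for p in hexts.split("."))
    return (sec << 32) | frac

def ms_between(a, b):
    """b - a in milliseconds, computed exactly on 2^-32 units before converting."""
    return (b - a) / 2**32 * 1000.0

def peer_dispersion_ms(filtdisp):
    """ntpd weights the sorted filter samples 1/2, 1/4, ..., 1/256; eight 16000 slots give 15937.5."""
    return sum(float(d) * 2.0 ** -(i + 1) for i, d in enumerate(filtdisp))

def diagnose(text):
    v = parse_rl(text)
    t1, t3, t4 = ntp_ts(v["xmt"]), ntp_ts(v["org"]), ntp_ts(v["rec"])  # our send, peer send, our receive
    # rl does not show the peer's receive time (T2); assuming T2 == T3 gives offset = T3 - (T1 + T4) / 2
    offset_ms = ms_between(t1, t3) - ms_between(t1, t4) / 2
    delay_ms = ms_between(t1, t4)
    disp_ms = peer_dispersion_ms(v["filtdisp"])
    usable = sum(1 for d in v["filtdisp"] if float(d) < MAXDISPERSE_MS)
    # root distance as ntpd computes it (minus the small jitter and age terms); all values in ms
    root_dist_ms = (float(v["rootdelay"]) + delay_ms) / 2 + float(v["rootdispersion"]) + disp_ms
    return {"offset_ms": round(offset_ms, 2), "delay_ms": round(delay_ms, 2),
            "dispersion_ms": disp_ms, "usable_samples": usable,
            "root_distance_ms": round(root_dist_ms, 1),
            "verdict": "reject" if usable == 0 or root_dist_ms > MAXDIST_MS else "candidate"}

if __name__ == "__main__":
    for label, text in (("before step", BEFORE_STEP), ("after step", AFTER_STEP)):
        print(label, diagnose(text))
```

The recomputed offsets (4118.96 ms before the step, -0.49 ms after) match the post's filtoffset values and the ntpdate step of 4.118 s, so the samples themselves are sound; what keeps the peer at reject is the dispersion of 15937.5 ms that eight unusable slots produce.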
