This article explains why the clock may be unsynchronized between the Routing Engine (RE) and the data-plane modules (SPC, SPU, CPP) on the High-End SRX device, when no external NTP servers are used. It also provides a workaround that helps to keep all the modules synchronized.
When an external NTP server is not configured on the High-End SRX device, the clock on the data-plane modules (SPC, SPU, CPP) may not be synchronized with the Routing Engine (RE).
This may result in issues with some functionality, such as certificate-based authentication and other PKI-based services.
In addition, the lack of clock synchronization between modules makes troubleshooting significantly more difficult, due to inconsistent time stamps in the log files.
When no NTP servers are configured on the High-End SRX, the clock setting on each data-plane module (SPC, SPU, CPP) is reset to a default value every time that module reboots (including a reboot of the entire chassis).
When at least one NTP server is configured, the clock setting is synchronized with the Routing Engine (RE) during every reboot of the corresponding module.
If using an external NTP server is not an option, you can configure the Routing Engine to act as a local NTP server for the data-plane modules (SPC, SPU, CPP).
In the following example, we can see that the clock setting is incorrect on the SPU, because it was reset to the default value during the last reboot:
    root@tuong% srx-cprod.sh -s spu -c "show ver"
    ======== Start SPU1.0, node0.fpc1.pic0, spu ========
    Juniper Embedded Microkernel Version 11.4R9.4
    Built by builder on 2013-08-22 04:18:32 UTC
    Copyright (C) 1998-2013, Juniper Networks, Inc.
    All rights reserved.
    BSD platform (XLR processor, 4095MB memory, 16384KB flash)
    Current time : Thu Jul 2 12:01:18 1987 <<<<< Incorrect date/time
    Elapsed time : 0+00:00:23
    ======== End SPU1.0, node0.fpc1.pic0 ========
At the same time, the RE shows the following correct clock setting:
    root@tuong> show system uptime
    node0:
    --------------------------------------------------------
    Current time: 2013-12-06 13:55:22 UTC <<<<< Correct date/time
    System booted: 2013-12-06 13:47:45 UTC (00:07:37 ago)
    Protocols started: 2013-12-06 13:49:50 UTC (00:05:32 ago)
    Last configured: 2013-12-06 13:45:33 UTC (00:09:49 ago) by root
    1:55PM up 8 mins, 1 user, load averages: 0.16, 0.48, 0.34
We can configure the RE to act as a local NTP server as follows:
    {primary:node0}[edit]
    root@tuong# set system ntp server 127.0.0.1

    {primary:node0}[edit]
    root@tuong# show system ntp
    server 127.0.0.1;
During the next reboot, the clock setting on all the data-plane modules will be synchronized with the RE. We can see the result on the same SPU, after the reboot:
    root@tuong% srx-cprod.sh -s spu -c "show ver"
    ======== Start SPU1.0, node0.fpc1.pic0, spu ========
    Juniper Embedded Microkernel Version 11.4R9.4
    Built by builder on 2013-08-22 04:18:32 UTC
    Copyright (C) 1998-2013, Juniper Networks, Inc.
    All rights reserved.
    BSD platform (XLR processor, 4095MB memory, 16384KB flash)
    Current time : Fri Dec 6 14:11:45 2013 <<<<< Correct date/time
    Elapsed time : 0+00:00:26
    ======== End SPU1.0, node0.fpc1.pic0 ========
Note: Synchronization happens only during the reboot of the corresponding module. There is no periodic synchronization. Therefore, some time drift is still possible between the RE and the data-plane modules after the system has been up for a long time. Using an external NTP server solves this issue, since the RE and the data-plane modules are then synchronized periodically.
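
To check for the drift described in the note, the following added example (not part of the original article and not Juniper tooling) parses the two output formats shown above and reports every module whose clock differs from the RE by more than a tolerance. The function names, the sample text, the 60-second tolerance, and the assumption that both clocks are in UTC and were captured at the same moment are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the two outputs shown in the article.
# Assumptions: both clocks are UTC and both outputs were captured together.
SPU_OUTPUT = """\
======== Start SPU1.0, node0.fpc1.pic0, spu ========
Current time : Thu Jul 2 12:01:18 1987
Elapsed time : 0+00:00:23
======== End SPU1.0, node0.fpc1.pic0 ========
======== Start SPU2.0, node0.fpc2.pic0, spu ========
Current time : Fri Dec 6 13:55:20 2013
Elapsed time : 0+00:07:35
======== End SPU2.0, node0.fpc2.pic0 ========
"""
RE_OUTPUT = """\
node0:
Current time: 2013-12-06 13:55:22 UTC
System booted: 2013-12-06 13:47:45 UTC (00:07:37 ago)
"""

START = re.compile(r"^=+ Start \S+, (\S+), \w+ =+")
MODULE_TIME = re.compile(r"^Current time\s*:\s*(\w{3}\s+\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})")
RE_TIME = re.compile(r"^Current time:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", re.M)

def parse_re_time(text):
    """Return the RE clock from 'show system uptime' output."""
    m = RE_TIME.search(text)
    if m is None:
        raise ValueError("no 'Current time:' line in RE output")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")

def parse_module_times(text):
    """Map each module location (e.g. node0.fpc1.pic0) to its reported clock."""
    times, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := START.match(line):
            current = m.group(1)
        elif current and (m := MODULE_TIME.match(line)):
            stamp = " ".join(m.group(1).split())  # collapse column padding
            times[current] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return times

def skewed_modules(re_text, module_text, tolerance=timedelta(seconds=60)):
    """Return {module: offset from RE} for modules outside the tolerance."""
    re_now = parse_re_time(re_text)
    offsets = {n: t - re_now for n, t in parse_module_times(module_text).items()}
    return {n: d for n, d in offsets.items() if abs(d) > tolerance}
```

A module that comes back from a reboot with the default 1987 date appears in the result with a large negative offset, while a module that is only a few seconds off the RE stays within tolerance and is not reported.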