Ctan (Nimbostratus)
Jun 23, 2022

Replying to NTP requests from a Virtual Server IP

Hi, I am trying to configure the F5 to function as an NTP server, but through a virtual server instead of a self IP.

The KB only has information about setting it up on a self IP.

Is this possible?

https://support.f5.com/csp/article/K14120

  • Big-IP as NTP server - DevCentral (f5.com)

    may be useful... In the above use case, it's a Performance (layer 4), UDP virtual server with Pool created consisting of NTP servers. If things don't work, try toggling "Port translation", SNAT= Automap, and take tcpdumps at the BIG-IP and NTP servers to verify requests are reaching. Hope it works out.

    • Ctan (Nimbostratus)

      Good stuff.. but unfortunately not quite the use case I'm looking for.

      Due to the security requirements of our environment the NTP servers are unreachable from the data plane of the F5. So the goal was to hopefully have the F5 sync up to our stratum1 servers via the management interface, then service requests from clients via a VS.

      Is there a way to have the F5 process NTP requests from a VS or to redirect requests from the VS into a self IP?

      • Kin (Employee)

        I may not have connected the dots fully on the security requirements, but to the last question: The system does not allow us to create a self IP and add it as a pool member. So one way to direct requests from a VS to a self IP is through a Forwarding virtual server with the same IP address as the self IP. The forwarding VS can have the configuration described in the UDP VS in Overview of IP forwarding virtual servers (f5.com).

  • Hi,

    The way I read the article is that the F5 is set up as an NTP client to sync its time.
    Not sure if the firewall will be open to allow UDP 123 incoming to a self IP address or VIP.
    And if you can set up a VIP, you'll somehow need to point the pool at itself for the time.
    Must admit I'm not too sure how to do this.
    My implementations of NTP have been on simple Linux servers, 3-4 in a suitable location so they are secure and auditable by the security team for the log auditing policies.
    Have you got any way to spin up 3-4 small Linux boxes and use those instead?