https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3334575#M1064322 <P>It must be a bug i have the same issue.</P> Tue, 20 Feb 2018 20:11:59 GMT Tim Lillis 2018-02-20T20:11:59Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3322423#M1064318 <P>Hello!</P> <P>&nbsp;</P> <P>in Firepower Threat Defense Device Manager you could configure two things:</P> <P>#1: NTP Servers to use</P> <P>#2: Management interface: use data interface</P> <P>&nbsp;</P> <P>I configured an Identity Realm which works fine on the data interface, but not the NTP. The NTP Service is not working over the data interface in my environment. I am using standard NTP pool servers, nothing special.</P> <P>&nbsp;</P> <P>I figured out, that the implementation does not support using the data interface for contacting the NTP Servers. It seems so. I looked in the logfiles and found this:</P> <P>&nbsp;</P> <P>2018-01-31 10:35:44 ntpd[&lt;PID&gt;]: Error resolving 0.pool.ntp.org: Name or service not known (-2)<BR />2018-01-31 10:35:44 ntpd[&lt;PID&gt;]: 31 Jan 10:35:43 ntpdate[5165]: Can't find host 0.pool.ntp.org: Name or service not known (-2)<BR />2018-01-31 10:35:44 ntpd[&lt;PID&gt;]: 31 Jan 10:35:43 ntpdate[5165]: <STRONG>no servers can be used, exiting</STRONG><BR />2018-01-31 10:35:46 ntpd[&lt;PID&gt;]: <STRONG>Found AF_INET 192.168.45.45 on interface br1</STRONG> at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf.pm line 962.<BR />2018-01-31 10:35:46 ntpd[&lt;PID&gt;]: <STRONG>Using interface br1</STRONG> at /ngfw/usr/local/sf/bin/ntpd.pl line 229.</P> <P>&nbsp;</P> <P>I checked ifconfig and confirmed br1 is the management interface.</P> <P>&nbsp;</P> <P>So I digged into the file "/ngfw/usr/local/sf/bin/ntpd.pl"and found the part which selects the interface to communicate with the NTP Servers. I found this code part:</P> <P>&nbsp;</P> <PRE><STRONG> #This needs some update - probably this interface should be configurable</STRONG> #Actually the only thing it does - it prevents ntpd usage of wild binding overall. my $mgmt = SF::Util::get_management_interface(); my $mgmt_ipv4 = SF::NetworkConf::<STRONG>getManagementInterface4proto("AF_INET")</STRONG>; if($mgmt_ipv4) { warn "Using interface $mgmt_ipv4"; $mgmt = $mgmt_ipv4; }</PRE> <P><BR />It seems to be an open development. Can anybody confirm my understanding?</P> <P>&nbsp;</P> <P>also I tried to run a ntp Server on the Identity Realm server, as I am sure it is reachable, but this does not work also.</P> <P>&nbsp;</P> <P>Also when I use "show ntp" or "system support ntp" it shows me the following:</P> <P>"NTP not configured on this system.<BR />Please configure and apply System Policy from managing Defense Center."</P> <P>&nbsp;</P> <P>when I repeat the commands, I will get an another result like this:</P> <P>&nbsp;</P> <PRE>&gt; system support ntp NTP not configured on this system. Please configure and apply System Policy from managing Defense Center. &gt; system support ntp NTP Server : 2a02:c205:2009:8290::1 (2009) Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) NTP Server : 138.201.135.108 (srv23.globale-gruppe.com) Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) NTP Server : 192.168.2.8 (Cannot Resolve) Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) Results of 'ntpq -pn' remote : 192.168.2.8 refid : .INIT. st : 16 t : u when : - poll : 64 reach : 0 delay : 0.000 offset : 0.000 jitter : 0.000 remote : 138.201.135.108 refid : .INIT. st : 16 t : u when : - poll : 64 reach : 0 delay : 0.000 offset : 0.000 jitter : 0.000 remote : 2a02:c205:2009: refid : .INIT. st : 16 t : u when : - poll : 64 reach : 0 delay : 0.000 offset : 0.000 jitter : 0.000 Results of ntpq -c 'rv' associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart, version="ntpd 4.2.8p9@1.3265-o Thu Aug 31 18:55:42 UTC 2017 (1)", processor="x86_64", system="Linux/3.10.62-ltsi-WR6.0.0.29_standard", leap=11, stratum=16, precision=-21, rootdelay=0.000, rootdisp=0.540, refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 6:28:16.000, clock=de1c2a58.eeea0404 Wed, Jan 31 2018 11:43:20.933, peer=0, tc=3, mintc=3, offset=0.000000, frequency=-66.082, sys_jitter=0.000000, clk_jitter=0.000, clk_wander=0.000 Results of 'ntpq -c as' ind : 1 assid : 13403 /ngfw/usr/bin/ntpq: read: Connection refused /ngfw/usr/bin/ntpq: read: Connection refused /ngfw/usr/bin/ntpq: read: Connection refused status : 8011 conf : yes reach : no auth : none condition : reject last_event : mobilize cnt : 1 Results of /ngfw/usr/bin/ntpq -c "rv " ind : 2 assid : 13404 status : 8011 conf : yes reach : no auth : none condition : reject last_event : mobilize cnt : 1 Results of /ngfw/usr/bin/ntpq -c "rv " ind : 3 assid : 13405 status : 8011 conf : yes reach : no auth : none condition : reject last_event : mobilize cnt : 1 Results of /ngfw/usr/bin/ntpq -c "rv " &gt;</PRE> <PRE>&gt; show ntp NTP Server : 2a01:4f8:210:5323::2 (210) Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) NTP Server : 89.163.241.149 (jdtec.eu) Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) NTP Server : 192.168.2.8 Status : Unknown Offset : 0.000 (milliseconds) Last Update : - (seconds) </PRE> <P>What can I do to get the NTP running without using the management interface?</P> <P>&nbsp;</P> <P>Cheers</P> <P>Leon</P> Fri, 21 Feb 2020 15:14:49 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3322423#M1064318 Leon1 2020-02-21T15:14:49Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3333819#M1064320 <P>Hey Leon,</P> <P>&nbsp;</P> <P>Did you ever get this figured out?&nbsp; I am having the same issue.</P> Mon, 19 Feb 2018 19:14:10 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3333819#M1064320 ledzepp817 2018-02-19T19:14:10Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3334575#M1064322 <P>It must be a bug i have the same issue.</P> Tue, 20 Feb 2018 20:11:59 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3334575#M1064322 Tim Lillis 2018-02-20T20:11:59Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3335876#M1064324 No. NTP is still grey in Device Manager. I am unable to achieve anything. Not by CLI or GUI. Thu, 22 Feb 2018 13:51:13 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3335876#M1064324 Leon1 2018-02-22T13:51:13Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3390950#M1064325 <P>In the Firepower Device Manager, under Device &gt; System Settings &gt; Management Interface, select "Use Unique Gateways for the Management Interface" and enter the inside gateway address (e.g. 192.168.1.1)</P> <P>&nbsp;</P> <P>Enjoy!</P> <P>&nbsp;</P> <P>Frank</P> Wed, 30 May 2018 04:13:07 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3390950#M1064325 Crushgeek 2018-05-30T04:13:07Z https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3403191#M1064326 <P>It is fixed in actual FTD build.</P> Thu, 21 Jun 2018 08:54:01 GMT https://community.cisco.com/t5/network-security/ftd-ntp-not-working-on-data-interface/m-p/3403191#M1064326 Leon1 2018-06-21T08:54:01Z