topic FTDv managed by FMC ntp issue in Network Security

FTDv managed by FMC ntp issue

mhdganji110 — Thu, 30 Jun 2022 17:07:24 GMT

Hi,

I'm using FTDv 7 managed by FMC v7. Logging issues are there and there is an error about FTD not synced.

So, first step seems to solve the ntp issues.

FMC GUI is there for ntp which I set and it seems to be ok, but I cannot find where is the ntp settings for FTD device (I go to FMC, devices, choose the FTD device, ... nothing there)

Also when I SSH to FTD and run ntpd -u ntpserver, it says operation not permitted. I set the time exactly as the same with FMC (with date -s command and copy the same output of date command on SSH session of FMC) but the problem is still there)

Any idea?

Regards

Re: FTDv managed by FMC ntp issue

balaji.bandi — Thu, 30 Jun 2022 17:14:55 GMT

check below document help you :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215468-configure-verify-and-troubleshoot-netwo.html

Re: FTDv managed by FMC ntp issue

mhdganji110 — Thu, 30 Jun 2022 17:33:52 GMT

Already checked it. It is not helping about Virtual FTD managed by FMC (virtual). It's all about physical ones, FXOS, etc.

Re: FTDv managed by FMC ntp issue

mhdganji110 — Thu, 30 Jun 2022 18:16:09 GMT

Let me add that under device, platform setting, I created a FTD policy, added my FTD, set the same NTP server as FMC under the settings and saved and applied the policy to the device. But, the error is still there.

While the date output is exactly the same on FTD and FMC, it syas there is a 54000 seconds offset between the FTD device and its manager

Re: FTDv managed by FMC ntp issue

Aref Alsouqi — Fri, 01 Jul 2022 08:52:27 GMT

I recently saw similar behaviour on a customer deployment and had to change the NTP for the FTD devices to be something different than the FMC. Nothing wrong with pointing the FTD to your domain controllers for example if they have the NTP services enabled, or, pointing even to an external trusted NTP server as long as both the FTDs and the FMC do not have any time skew.

Re: FTDv managed by FMC ntp issue

Marvin Rhoads — Fri, 01 Jul 2022 14:09:15 GMT

It's not recommended to use FMC as the NTP server for managed devices. Use a reliable time server instead.

I use time.nist.gov for US-based customers (along with a valid DNS setup and making sure outbound ntp traffic is allowed through the firewall).

Re: FTDv managed by FMC ntp issue

mhdganji110 — Fri, 01 Jul 2022 18:40:34 GMT

I didn't do that. Both were aimed to use an internal ntp server in the network

Re: FTDv managed by FMC ntp issue

mhdganji110 — Fri, 01 Jul 2022 18:43:27 GMT

I managed to solve the problem in this way

Went to FMC and my created FTD policy and chose a timezone (it was blank). Applied it to my FTD and all is ok now.

Re: FTDv managed by FMC ntp issue

CiscoBrownBelt — Thu, 25 Apr 2024 12:08:38 GMT

I noticed 127.0.0.2 is shown to be used on our FTD that is managed via FMC. How can I fix this - the FMC is using and configured for a nist NTP server? Not too familiar with FIrepower in comparison to ASA.

Re: FTDv managed by FMC ntp issue

MHM Cisco World — Thu, 25 Apr 2024 12:11:25 GMT

Make new post it better

MHM

Re: FTDv managed by FMC ntp issue

Marvin Rhoads — Thu, 25 Apr 2024 12:16:46 GMT

@CiscoBrownBelt for an FMC-managed FTD appliance, use the platform settings. Devices > Platforms Settings and then edit the settings under the Time Synchronization section to set the clock via NTP from a valid reachable time server. Deploy the change and watch for it to update on FTD - it will take a few minutes to sync and decide to take the NTP server's assertion as valid.

Re: FTDv managed by FMC ntp issue

CiscoBrownBelt — Fri, 26 Apr 2024 12:49:28 GMT

Hi Marvin. It is already set for via NTP from Mgmt Center. There is not reachability issues or anything so not sure why it is not listed as the server in "show ntp"?

Re: FTDv managed by FMC ntp issue

Marvin Rhoads — Fri, 26 Apr 2024 16:12:02 GMT

@CiscoBrownBelt if your FMC is an FMCv, they don't reliably serve up NTP. That's why we configure the managed devices to go directly to an NTP server.

Re: FTDv managed by FMC ntp issue

CiscoBrownBelt — Fri, 26 Apr 2024 16:30:35 GMT

No it is a physical FMC. I know its better to peer directly to a NTP server but for now using this.

Re: FTDv managed by FMC ntp issue

CiscoBrownBelt — Thu, 02 May 2024 14:48:08 GMT

Hi Marvin, although it states:

NTP Server : 127.0.0.2
Status : Being Used
Offset : -0.582 (milliseconds)
Last Update : 13 (seconds)

The time is still correct:

> show time
UTC - Thu May 2 14:43:14 UTC 2024
Localtime - Thu May 02 10:43:15 EDT 2024

Shouldn't it not have accurate time?

Re: FTDv managed by FMC ntp issue

Marvin Rhoads — Thu, 02 May 2024 16:16:54 GMT

Time can be accurate without NTP. We use NTP to make it consistently accurate across many devices to ensure that time-dependent services, logs etc. are all in good working order and presenting accurate timestamps.

Re: FTDv managed by FMC ntp issue

CiscoBrownBelt — Fri, 03 May 2024 15:26:41 GMT

Right but thing is the FTD has been offline recently and clock was never manually hard coded or anything. Where would it get its accurate time from?

Re: FTDv managed by FMC ntp issue

Marvin Rhoads — Fri, 03 May 2024 16:17:08 GMT

A firewall, just like most PCs, has a system clock with an internal battery-power source. It keeps track of time even when the device is powered off. In the absence of an external time source like ntp, that clock can still provide (usually) accurate time.