topic Re: NTP Request Reply takes two minutes in Network Security

NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 16:53:57 GMT

Appliance Model : Cisco ASA 5508-X
Firepower Status : Not used
ASA Version : 9.16.4

I am having trouble using NTP to synchronize time on port 123. I have set up a custom NTP server that listens to port 122, and I have verified that the synchronization works fine using the nettime client on a Windows machine. However, when I try to sync time on port 123, I encounter issues.

I checked the debug monitor on ASDM and noticed that the request is being made to the specific NTP server, but the reply takes approximately two minutes to show up on the monitor.

To clarify, I am trying to sync time using NTP, but I am only experiencing issues with port 123. I have set up a custom NTP server that works fine on port 122, but the problem arises when I use port 123. I have checked the debug monitor on the ASDM, and I can see that the request is being sent to the NTP server, but the response takes a long time to show up.

To fix this issue, I have checked the network and firewall settings to ensure that they are not causing any delays or blocking NTP traffic on port 123. I have also verified that the NTP server is correctly configured and responding to requests in a timely manner. Additionally, I have tried using a different NTP server and client to see if the issue persists.

time between request and reply to show up

Re: NTP Request Reply takes two minutes

Flavio Miranda — Tue, 18 Jul 2023 18:39:35 GMT

Hi @YaqoobKhalid4217

The Tear Down on the log must refers to the UPD session and not related to the NTP. But, sounds to me that the firewall is actually handling the NTP differently when you use the standard port and it is ignoring when doing not standard port.

I would recommend you to add inspection on the NTP service.

Re: NTP Request Reply takes two minutes

MHM Cisco World — Tue, 18 Jul 2023 18:41:45 GMT

your log is show port 123 not 122
can I see NTP config ?

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 19:33:21 GMT

yes this is when i try using the ntp on the default port the 123 port and this when the problem occur
do you need to see the log when i use ntp on the 122 port ? the custom port ?
do you need the config for the windows ntp client ?

Re: NTP Request Reply takes two minutes

MHM Cisco World — Tue, 18 Jul 2023 19:35:11 GMT

Please asa and ntp server config

Thanks

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 20:33:03 GMT

firewall config for the custom NTP to get the requestsdmz interface on the ASA Configntp windows Client with the custom ntp

Re: NTP Request Reply takes two minutes

MHM Cisco World — Tue, 18 Jul 2023 20:38:09 GMT

But you NATing the port from 122 to 123.

You must forward same port.

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 20:38:21 GMT

could you explain more ? UPD Session
where to add the inspection

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 20:40:07 GMT

this config on the custom ntp side not on the asa, i did that so i can skip the port 123 issue because on my side where is the asa located

Re: NTP Request Reply takes two minutes

MHM Cisco World — Tue, 18 Jul 2023 20:48:49 GMT

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 20:54:52 GMT

this is a temp solution to get time sync for the dmz network, so i didn't bothered to config the windows ntp server to allow incoming traffic thought port 123 so i just did the translation on the firewall.

the issue on the ASA the asa handle the ntp traffic with no issues as long as it's not on port 123

Re: NTP Request Reply takes two minutes

MHM Cisco World — Tue, 18 Jul 2023 21:08:00 GMT

packet-tracer input DMZ udp (any ip of dmz sunbet except dmz interface IP) 1234 (ntp server) 123

Share output of above

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 21:20:46 GMT

this topology explain what i used to bypass the issue on the asa

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 21:24:24 GMT

but i still have the problem when i ever use ntp on the default port, and as i said the only thing that i noticed is that the request replay takes 2 minutes to show up on the debug monitor

i tried to use multiple public ntp servers but in every time the same issue occurs
time.google.com

time.windows.com

etc

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Tue, 18 Jul 2023 21:32:19 GMT

is this what you need ?

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Wed, 19 Jul 2023 11:35:51 GMT

any one knows how to fix the issue ?

Re: NTP Request Reply takes two minutes

Flavio Miranda — Wed, 19 Jul 2023 02:47:43 GMT

tear down happens since its reached the global timeout value for an UDP connection which is 2 minutes

Check it with show run timout

I suggested the inspection as a mean to allow the NTP connection but it seems the ntp is not available for inspection.

Re: NTP Request Reply takes two minutes

MHM Cisco World — Wed, 19 Jul 2023 09:53:39 GMT

Re: NTP Request Reply takes two minutes

YaqoobKhalid4217 — Wed, 19 Jul 2023 11:59:23 GMT

below i explained what you asked for .
to clarify things more the diagram that i draw is only to show the bypass solution (the temp solution) to get thing running while i try to solve the main issue with the port 123 and the weird behavior of ASA with this specific port

so any thought why ASA takes 2 minutes to show the reply request ? for the NTP Traffic on port 123 ?

Re: NTP Request Reply takes two minutes

MHM Cisco World — Wed, 19 Jul 2023 12:08:28 GMT

does ASA also use same NTP server ?