topic Re: FTD NTP error after upgrading to 6.2.3.7 in Network Security

FTD NTP error after upgrading to 6.2.3.7

niko — Fri, 21 Feb 2020 16:32:37 GMT

After doing upgrade from 6.2.3.5 to 6.2.3.7 for 2100 series FTP box failover pair new FXOS alarm showed up:

Severity: Major
Code: F1329
Last Transition Time: 2018-12-06T17:20:52.586
ID: 555499
Status: None
Description: Ntp Configuration failed, please check the error message in Ntp host
Affected Object: sys/svc-ext/datetime-svc
Name: Comm Date Time Comm Ntp Configuration Failed
Cause: Ntp Config Failed
Type: Configuration
Acknowledged: No
Occurrences: 3
Creation Time: 2018-12-06T16:43:12.893
Original Severity: Major
Previous Severity: Cleared
Highest Severity: Major

At the same time NTP configuration is indeed failing:

FTD# show ntp-overall-status

NTP Overall Time-Sync Status: Ntp Config Failed

NTP config is pushed via FMC Platform settings configuration and NTP time is taken from FMC (which synced with NTP further). Tried using external NTP server for Platform settings - same result.

Given this showed up for both HA boxes and it wasn't there - I guess it's a new "feature" in 6.2.3.7. Have anyone seen this?

Re: FTD NTP error after upgrading to 6.2.3.7

Abheesh Kumar — Fri, 07 Dec 2018 07:28:01 GMT

Hi,
Is your FMC is properly synced with NTP server, then it will take some time to get synced to the sensors.

HTH
Abheesh

Re: FTD NTP error after upgrading to 6.2.3.7

niko — Fri, 07 Dec 2018 08:02:43 GMT

Given it has been 12+ hours since the update - time should have passed enough.

FMC is synced with NTP. I tried switching sync from FMC to NTP server via Platform setting configuration for FTD - made no difference, error re-appeared.

Re: FTD NTP error after upgrading to 6.2.3.7

Abheesh Kumar — Fri, 07 Dec 2018 08:10:45 GMT

Is your FMC and FTD in same IP range..??? or if its in different range is there any firewall between that subnet. Check if UDP port 123 is blocking in between the path.

HTH

Abheesh

Re: FTD NTP error after upgrading to 6.2.3.7

niko — Fri, 07 Dec 2018 08:11:02 GMT

Yes.

As mentioned - it was working fine all the way till 6.2.3.5 -> 6.2.3.7 upgrade.

Re: FTD NTP error after upgrading to 6.2.3.7

Abheesh Kumar — Fri, 07 Dec 2018 08:17:31 GMT

I think you may be hitting the below bug

CSCva50451

Workaround

In Platform Settings configure set my clock for "Via NTP from" and set the IP Address of 127.0.0.2 which will force the NTP service to sync to the FMC over SFTunnel

HTH

Abheesh

Re: FTD NTP error after upgrading to 6.2.3.7

niko — Fri, 07 Dec 2018 08:44:05 GMT

Thanks, tried using 127.0.0.2, but still failed. This bug could be related to classic Firepower, as in case of FTD Platform Settings are for FXOS and not sure if it can use SFtunnel to sync time from FXOS.

Anyway, in the end added different NTP server instead of FMC and it synced successfully, It could be that NTP I used yesterday wasn't reachable or still some shady behavior. So right now this is good enough - time is in sync, using FMC is not mandatory in my case.

Re: FTD NTP error after upgrading to 6.2.3.7

Marvin Rhoads — Fri, 07 Dec 2018 08:47:45 GMT

Is your FMC a VM or physical appliance. FMC on VM is not recommended as an NTP server.

Re: FTD NTP error after upgrading to 6.2.3.7

niko — Fri, 07 Dec 2018 08:50:10 GMT

It is VM indeed. Good to know, missed that recommendation indeed, thanks for noting!

Re: FTD NTP error after upgrading to 6.2.3.7

ericbuss1 — Fri, 11 Jan 2019 14:38:35 GMT

I'm having this same issue as well. Although for me,changing the NTP server to something other than the FMC did not yield any results.

2130s
HA Pair (only the secondary is affected)
6.2.3.7
was working prior
tried the workaround of pointing sensor to 127.0.0.2
tried the workaround of pointing FMC and sensor to internal time server