10-01-2013 06:27 PM - edited 03-10-2019 06:03 AM
Hi Experts,
I've been trying to get my IPS sensor, which is running on my ASA 5512X, to get time from my NTP server; every time I try, it fails with the error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running".
I'm connecting to my IPS module via the management interface, which is on 192.168.100.0/24; my inside network, where the NTP server is, is on 192.168.1.0/24.
The Cisco router which is serving as an NTP server is an 800 series; below is its configuration:
ntp authentication-key 330 md5 047804081B244F603D29 7
ntp trusted-key 330
ntp source Vlan3
ntp master 5
ntp server 202.22.158.31
I suspect that the sensor just can't reach the router because of my set-up, but I thought it would be able to communicate because of the backplane network, which as I understand it on the ASA 5512X incorporates all interfaces?... Confused.
Please help!!!!
10-01-2013 06:31 PM
I assume reachability is not a problem. I reckon the problem here is with the MD5 authentication enabled in your router (acting as NTP server). Can you try disabling MD5 authentication and see what happens?
no ntp authentication-key 330 md5 047804081B244F603D29 7
no ntp trusted-key 330
HTH
Please rate replies and mark question as "answered" if applicable.
10-01-2013 06:38 PM
Thanks for the quick response.
I suspect it may be a reachability issue as I can't even ping the 192.168.1.0 network when logged onto the IPS sensor. Access control list is set to allow this network.
Thoughts on why I can't even ping the inside network?
10-01-2013 06:57 PM
Ok, then the issue is with your routing.
From your IPS, perform a traceroute to the NTP server's IP and then check where it stops.
Please rate replies and mark question as "answered" if applicable.
10-01-2013 07:11 PM
The output is of no assistance.
1 * * *
2 * * *
3 * * *
4 * * *
At the moment I have only one virtual sensor set up, vs0; this is applied to PortChannel 0/0.
10-01-2013 07:13 PM
Can you make sure your IPS has a default gateway configured?
Please rate replies and mark question as "answered" if applicable.
10-01-2013 07:19 PM
This was where I was a little confused. The IPS network is set up on the management interface (it has to be on this model), and the default gateway on the management interface goes nowhere, as it's just a management interface. What do I need to do?
10-01-2013 07:55 PM
OK, I've had a dig into this, and for the ASA 5512X the time is set from the ASA itself. The clock set command is unavailable. The issue I have is that my ASA clock is synced with an NTP server online, but the time on my IPS is completely different.
10-01-2013 08:33 PM
Clock set is only applicable for a standalone sensor. The ASA 5500-X IPS automatically synchronizes its clock with the clock in the adaptive security appliance in which it is installed. This is the default. Maybe it just takes time for the sensor to sync.
Can you check your ASA for denied NTP logs?
Please rate replies and mark question as "answered" if applicable.
10-02-2013 01:17 PM
Thanks for your assistance with this. Is there any way to force the sensor clock to synchronize with the ASA clock? It's been 24 hrs and they're still over a minute apart. The gap between the two clocks has not changed. This will be my last question; I will be accepting your last answer as the correct one.
10-03-2013 12:14 AM
Hello Paul,
The AIP-SSM can automatically synchronize its clock with the clock in the ASA in which it is installed. This is the default.
Now you are saying it is not synchronized, or at least not properly.
If you do a "show clock detail" you should see whether NTP is used or not.
Now, as the following quote from Cisco says:
"All IPS modules (IDSM-2, NM-CIDS, and AIP-SSM) synchronize their system clocks to the parent chassis clock (switch, router, or firewall) each time the module boots up and any time the parent chassis clock is set. The module clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the module clock and the parent clock are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs."
You will need to configure NTP for this to work:
Follow this:
The sensor requires a consistent time source. We recommend that you use an NTP server. Use the following procedure to configure the sensor to use the NTP server as its time source.
Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.
Note You must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. For more information, see Configuring a Cisco Router to be an NTP Server.
To configure the sensor to use an NTP server as its time source, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode:
sensor# configure terminal
Step 3 Enter service host mode:
sensor(config)# service host
Step 4 Enter NTP configuration mode:
sensor(config-hos)# ntp-option enable
Step 5 Enter the NTP server IP address and key ID:
sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID
The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.
Example:
sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100
Step 6 Enter the NTP server's key value:
sensor(config-hos-ena)# ntp-keys key_ID md5-key key_value
The key value is text (numeric or character). This is the key value that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.
Example:
sensor(config-hos-ena)# ntp-keys 100 md5-key attack
Step 7 Verify the NTP settings:
sensor(config-hos-ena)# show settings
enabled
-----------------------------------------------
ntp-keys (min: 1, max: 1, current: 1)
-----------------------------------------------
key-id: 100
-----------------------------------------------
md5-key: attack
-----------------------------------------------
-----------------------------------------------
ntp-servers (min: 1, max: 1, current: 1)
-----------------------------------------------
ip-address: 10.16.0.0
key-id: 100
-----------------------------------------------
-----------------------------------------------
sensor(config-hos-ena)#
Step 8 Exit NTP configuration mode:
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]
Step 9 Press Enter to apply the changes or enter no to discard them.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
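The sensor steps above only succeed when two things hold: the sensor can reach UDP/123 on the server, and the key ID and key value entered with "ntp-servers ... key-id" and "ntp-keys ... md5-key" match the router's "ntp authentication-key" entry. Note that the trailing 7 on the router line in the original post means the key is displayed in its reversible type-7 form, so the value typed on the sensor must be the original key string, not the string shown in the running config. The following is an added example (not Cisco's code and not from any poster) of the exchange those commands set up: an NTPv3 request carrying the RFC 1305/5905 symmetric-key authenticator (32-bit key ID followed by MD5 over key string plus 48-byte header), a verifier for the reply, a constructed stand-in for the router's reply so it runs offline, and a probe you can run from a host on the management network. The server address 192.168.1.1 and key string "examplekey" are assumptions; key ID 330 is the one from the posted router config.

```python
"""Authenticated NTP request/reply check, modelled on the sensor<->router exchange."""
import hashlib
import hmac
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # fixed NTP header; the optional authenticator follows it
MAC_LEN = 4 + 16                # 32-bit key ID + 16-byte MD5 digest (RFC 5905 appendix A layout)


def to_ntp_timestamp(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32 bits seconds, 32 bits fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_request(transmit_unix=None):
    """NTPv3 client (mode 3) header, as a sensor would send to its configured server."""
    if transmit_unix is None:
        transmit_unix = time.time()
    # byte 0: LI=0, VN=3, mode=3 -> 0x1B; then stratum 0, poll 2^4, precision 2^-6,
    # root delay, root dispersion and reference ID all zero for a client request
    fixed = struct.pack("!BBBbIII", 0x1B, 0, 4, -6, 0, 0, 0)
    stamps = struct.pack("!QQQQ", 0, 0, 0, to_ntp_timestamp(transmit_unix))
    return fixed + stamps


def ntp_mac(key, header):
    """Symmetric-key NTP MAC: MD5 over the key string prepended to the 48-byte header."""
    return hashlib.md5(key + header).digest()


def authenticate(header, key_id, key):
    """Append key ID + digest; the key ID tells the peer which ntp-keys entry to use."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(packet, trusted_keys):
    """Check a received packet against a dict {key_id: key_bytes}; returns (ok, reason)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "untrusted key id %d" % key_id
    if not hmac.compare_digest(ntp_mac(key, header), digest):
        return False, "digest mismatch for key id %d (key value differs)" % key_id
    return True, "authenticated with key id %d" % key_id


def simulated_server_reply(request, key_id, key, stratum=5, now_unix=None):
    """Constructed stand-in for the router (not captured traffic): mode-4 reply that
    echoes the client's transmit timestamp into the origin field and signs with the key."""
    if now_unix is None:
        now_unix = time.time()
    client_tx = struct.unpack("!Q", request[40:48])[0]
    ts = to_ntp_timestamp(now_unix)
    # LI=0, VN=3, mode=4 -> 0x1C; stratum 5 mirrors "ntp master 5"; refid "LOCL"
    fixed = struct.pack("!BBBbIII", 0x1C, stratum, 4, -6, 0, 0, 0x4C4F434C)
    stamps = struct.pack("!QQQQ", ts, client_tx, ts, ts)
    return authenticate(fixed + stamps, key_id, key)


def probe(server_ip, key_id, key, timeout=2.0):
    """Send an authenticated request on UDP/123 and verify the reply.
    A timeout is the same symptom the sensor reports: unreachable server or NTP not running."""
    request = authenticate(build_request(), key_id, key)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (server_ip, 123))
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return False, "no reply (server unreachable or NTP not running)"
    return verify(reply, {key_id: key})


if __name__ == "__main__":
    # Assumed values: 192.168.1.1 as the router and "examplekey" as its key string.
    print(probe("192.168.1.1", 330, b"examplekey"))
```

Run the probe from a host that sits where the sensor's management interface does: a timeout reproduces the sensor's error and points at routing, while a "digest mismatch" reply means the path is fine and the key string on the sensor is the problem. The simulated reply exists so the verifier logic can be exercised without a router.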
10-03-2013 01:34 PM
Hi Julio,
Thanks for your comments. I tried the NTP server route and had little luck; perhaps you've come across my error (see my original comment). I'm getting the error message:
"errUnacceptableValue - Cannot connect to NTP server or NTP server is not running"
I thought that with the ASA 5512X IPS SSP the communication with the NTP server, which is on my inside network for the ASA, would be via the PortChannel 0/0 interface. I can't seem to ping the NTP server from the sensor. I think this is where it comes unstuck.
I've read that with this model of ASA and the IPS software sensor, the time is supposed to be taken from the ASA, which is connected to an NTP server.
Cheers,
Paul
10-07-2013 04:23 PM
Can you post the output from "show module ips detail"?
10-07-2013 04:27 PM
Hi Arsen,
As requested...
Card Type: ASA 5512-X IPS Security Services Processor
Model: ASA5512-IPS
Hardware version: N/A
Serial Number: FCH1717JBNV
Firmware version: N/A
Software version: 7.2(1)E4
MAC Address Range: 6c41.6a1f.03be to 6c41.6a1f.03be
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.2(1)E4
Data Plane Status: Up
Status: Up
License: IPS Module Enabled perpetual
Mgmt IP addr: 192.168.100.99
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.100.1
Mgmt Access List: 192.168.1.0/24
Mgmt Access List: 192.168.100.0/24
Mgmt web ports: 443
Mgmt TLS enabled: true
Cheers,
Paul
10-07-2013 04:39 PM
OK, thanks.
Do you have an IP address on the management interface?
If you do, where is it connected?