Can't get IPS Sensor to communicate with NTP server

The IP address on the management interface for the sensor is 192.168.100.99. This network is isolated and is not connected to any other network, including the inside network.

Can't get IPS Sensor to communicate with NTP server

You need to make sure that you can ping your DG from the IPS module. Is your IPS on the same network as your Inside interface?


Can't get IPS Sensor to communicate with NTP server

When setting up the sensor, it would not let me use the network which was already set up for the inside network. I had to use the management interface to gain access to sensor, but I can't get the sensor to be on the same network as the inside.

Can't get IPS Sensor to communicate with NTP server

You can go under the management interface, do no ip address, and make sure the DG for the IPS is your SVI IP address for that VLAN,

not the IP from the management interface.


Can't get IPS Sensor to communicate with NTP server

Could you please explain that a bit further please?

Re: Can't get IPS Sensor to communicate with NTP server

Sure.

example

ASA

inside 192.168.10.0/24

outside public ip

management 192.168.100.10/24

ips 192.168.100.15/24 (DG will be 192.168.100.1)

Layer 3 Switch

VLan 10 ip 192.168.10.1/24

vlan 100 ip 192.168.100.1/24

From the ASA you need to add a static route pointing to the management network (even if the IPS is inside the ASA and going through the management interface, your ASA still needs to know how to reach it):

ASA(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1

In most cases you might not need to assign an IP address to the management interface because you can manage it even from inside; just don't forget to add http 192.168.10.0 255.255.255.0 inside

Just make sure that your DG on the IPS is not the IP address of the management interface (in most cases removing the IP address from the management interface will work just fine).

TEST: login to the IPS and ping 8.8.8.8

Hope this was helpful. Let me know if you need any assistance.
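The layout described in the reply above, written out as a complete configuration. This is an added example, not a configuration posted in the thread or taken from Cisco documentation: the addresses are the ones the reply uses, while the ASA inside address 192.168.10.2, the interface names (GigabitEthernet0/1, Management0/0, Vlan10, Vlan100), the switch's default route and the NTP server 192.168.10.50 are assumptions. The point for a defender is that the sensor's clock has to come from a reachable NTP source; otherwise IPS event timestamps drift away from the ASA syslog timeline and correlation during an incident becomes unreliable.

```cisco
! ===== ASA (assumed interface names and inside address) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
! Management port keeps its nameif but carries no IP address.  Because the ASA
! no longer owns 192.168.100.0/24 as a connected network, the static route
! below is accepted and the sensor is reached through the switch SVI.
interface Management0/0
 nameif management
 security-level 100
 no ip address
!
! Route to the IPS management subnet via the switch's inside SVI.
route inside 192.168.100.0 255.255.255.0 192.168.10.1 1
!
! ASDM/HTTPS management allowed from the inside subnet (the reply's "http ... inside").
http server enable
http 192.168.10.0 255.255.255.0 inside
!
! Time source for the ASA itself (assumed NTP server on the inside VLAN).
ntp server 192.168.10.50 source inside

! ===== Layer 3 switch (IOS; SVIs from the reply, default route assumed) =====
ip routing
!
interface Vlan10
 description Inside
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
 description IPS / ASA management
 ip address 192.168.100.1 255.255.255.0
!
! Anything not local goes back to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 192.168.10.2

! ===== IPS sensor (IPS 7.x "service host" CLI; NTP server address assumed) =====
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! Sensor address, prefix length and default gateway: the gateway is the VLAN 100
! SVI on the switch, not an address on the ASA management interface.
sensor(config-hos-net)# host-ip 192.168.100.15/24,192.168.100.1
! Hosts allowed to manage the sensor (the inside subnet).
sensor(config-hos-net)# access-list 192.168.10.0/24
sensor(config-hos-net)# exit
! Unauthenticated NTP against the inside NTP server.
sensor(config-hos)# ntp-option enabled-ntp-unauthenticated
sensor(config-hos-ena)# ntp-server 192.168.10.50
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
```

To check the result, log in to the sensor and confirm that ping 192.168.100.1 (the gateway) and ping 192.168.10.50 (the NTP server) both succeed, which is the same test the reply suggests with 8.8.8.8; then compare show clock on the sensor with show clock on the ASA. If the gateway ping fails, the sensor's host-ip gateway is the first thing to re-check, because a gateway pointing at the ASA management interface address is exactly the misconfiguration the thread is about.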


Can't get IPS Sensor to communicate with NTP server

Hi Arsen,

Thanks for your input with this. I have to say, this is getting ridiculous, I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512X there is no hardware module, just software.

I couldn't add the static route, as the route to the management interface is already directly connected.

I tried to change the IPS address to an address on the inside network, but it falls over and you have to fix it from the command line.

Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.

If you view the status of the IPS sensor from the ASDM, its using the ASA clock, not the IPS!!!!!

Why is this so difficult? I think I need to talk to Cisco directly; this just shouldn't be this hard, it's setting a clock!!!

Thanks again for your help.

Paul

Re: Can't get IPS Sensor to communicate with NTP server

You're welcome. You can't add the route because you have an IP assigned to your management interface.


Re: Can't get IPS Sensor to communicate with NTP server

Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.


Re: Can't get IPS Sensor to communicate with NTP server

Here is the trick. No ip address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will become only for the IPS).

If you want to use an inside IP on the IPS then you need to do no ip address and also no nameif management.

If the interface is marked as management it will allow only management traffic; if you unmark it, it will become a regular port :)
