Recommendations for Time Settings?

Hi All,

I've got to generate a CSR for an SSL certificate and one of the first steps is to make sure the time is set properly on the device generating the CSR! The time on our current ASA is skewed. This caused me to look at several other devices we own globally, and ALL of them are on different times.

What is the best practice way to set time in a global environment (that uses technologies like IPSEC site-to-site VPN and SSLVPN)?

When making changes to a global environment, what things need to be checked / considered when making changes to time on several devices?

I would've just changed the time on the ASA to the right time manually but the fact that the SSL certs based some sort of check off of time made me take a step back.  Thanks in advance for any reassurance or suggestions on how to address the configuration of time in our environment as a whole.

Kindest Regards,

Alan Leffingwell

1 ACCEPTED SOLUTION

Hall of Fame Guru

Alan

Especially in your type of distributed environment I would suggest that the Best Practice is to run NTP. There are NTP servers available on the public Internet that will allow you to learn consistent time at each of your sites.

HTH

Rick


8 REPLIES 8

Richard,

Thanks for the responses, sorry for the delay in awarding a correct answer!

Alan

I am glad that you found our suggestions to be helpful. Thank you for using the rating system to mark the question as answered. It makes the forum more useful when participants can read a question and can know that helpful answers were received. Your marking has contributed to this process.

HTH

Rick

Hall of Fame Guru

I second Rick's suggestion and call for a vote.

NTP is the way to go.

I've heard varying opinions on whether to use the local timezone or UTC (GMT), but most things you care about include the UTC offset with their timestamps, so, for me, using local time makes the CLI output more usable from a human perspective.

Hi Guys,

Thanks for the responses, NTP definitely - for using local time, Marvin, do you find it difficult to sequence things together in, say, a syslog server that way? It seems like every one of our sites is in a different timezone!

Kindest Regards,

ALAN

Alan

If your organization has multiple devices in multiple time zones then a choice needs to be made about whether to use local time at each site, or to have a common time zone for all sites. There is not a clear answer to this question and it will depend on some aspects of your organization.

If each site actively manages their own devices and there is minimal management from a central site, then the choice pretty clearly would be to use local time. If most of the management is done from a central site and there is minimal management at the local site, then the choice pretty clearly is for a common time zone. If management is shared between local administrators and the central site then the choice is not clear, but I would probably suggest a common time zone.

HTH

Rick
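
The sequencing question raised above, as an added example that is not part of the original thread or any poster's code: when each log line carries its UTC offset, a central collector can order events from sites in different time zones by normalizing to UTC, and lines without an offset have to be set aside. The sample lines, hostnames and the RFC 5424-style whole-second timestamp layout are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the thread): timestamps with a UTC
# offset, as three sites in different time zones might emit them.
SAMPLE = [
    "2024-03-10T09:15:02+01:00 fw-berlin IKE negotiation started",
    "2024-03-10T03:15:05-05:00 fw-newyork IKE negotiation failed",
    "2024-03-10T17:15:01+09:00 fw-tokyo SSL VPN session opened",
    "2024-03-10 08:15:04 fw-legacy tunnel down",  # no offset: ambiguous
]

# Timestamp with mandatory offset (Z or +hh:mm / -hh:mm), host, message.
TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s+(\S+)\s+(.*)$"
)

def parse(line):
    """Return (utc_datetime, host, message), or None if no offset is present."""
    m = TS.match(line)
    if not m:
        return None
    stamp = m.group(1).replace("Z", "+00:00")
    when = datetime.fromisoformat(stamp)
    return when.astimezone(timezone.utc), m.group(2), m.group(3)

def merge(lines):
    """Split lines into a UTC-ordered timeline and a list of ambiguous lines."""
    timeline, ambiguous = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            ambiguous.append(line)  # cannot be placed without knowing the zone
        else:
            timeline.append(parsed)
    timeline.sort(key=lambda item: item[0])
    return timeline, ambiguous

def hosts_in_order(lines):
    """Hostnames in true chronological (UTC) order."""
    return [host for _, host, _ in merge(lines)[0]]

if __name__ == "__main__":
    timeline, ambiguous = merge(SAMPLE)
    for when, host, msg in timeline:
        print(when.isoformat(), host, msg)
    for line in ambiguous:
        print("NO OFFSET, cannot place:", line)
```

Sorting the raw text of these lines would put the New York event first, although in UTC it is the last of the three.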


Hey Guys,

Thanks so much for the feedback, I feel confident about how to re-organize the times on all of our devices.

The last part of my question was:

What things do you need to consider/check for that are affected by time? In my first example, we've got SSLVPN certs and I know time is a factor with them. Want to make sure I've covered all of my bases before I go in and change the time across the board!

Thanks in advance for all of your experience and insight, it's greatly appreciated!

Kindest Regards,

ALAN

Hall of Fame Community Legend

NTP definitely

Just be aware that there are two "kinds" of NTP solutions.  One is called a baby- or lite-NTP.  It's called this because, by itself, the appliance needs to go out to the internet to get NTP synchronization.

Another one, more expensive, is a "stand-alone" NTP server.  The only thing this appliance needs is a place to stick the GPS antenna.  This solution is probably the best solution.
