01-31-2012 07:16 PM - edited 03-11-2019 03:22 PM
Hi Jcarvaja and all:
I have a problem: the ASA5505 cannot update its time from the NTP server, which I set to a local host connected to the ASA.
Refer to the picture below: the ASA time cannot update to 10:49 from 10:29 accordingly. I already set the NTP address to the local host IP address.
It can be seen in the NTP settings in ASDM as well as in the command line below:
ntp server 192.168.50.6 source dmz
What is the problem? Can you help? Thanks in advance!
01-31-2012 09:05 PM
When you click the button you indicate, the expected result would be to change the system time to the values you typed in the boxes above it, not to force an NTP synchronization. Please see this guide for reference.
If you have the ntp server command you indicate saved and working, I would expect to see a note to that effect displayed in ASDM just below the "Time" line in the ASDM display above, something like the screenshot below.
Also, when an NTP server is configured, the time values it sends will override any values input in the manual setting boxes above.
Is 192.168.50.6 running an NTP daemon or service? For it to work, the ASA will need to be able to synchronize using the ntp port (udp port 123) and get a good ntp information exchange. I suspect you are not synchronizing. Please check with the command "show ntp association". You should get results as follows (with IPs changed to your setup):
Result of the command: "sh ntp assoc"
  address        ref clock       st  when  poll  reach  delay  offset    disp
*~198.82.1.201   198.82.247.164   2   876  1024    377   12.0    0.80    22.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Note the initial asterisk and tilde indicating that the configured master is synced.
02-01-2012 10:32 PM
Hi Marvin:
Thanks for your answer!
1. In fact, after clicking Update Displayed Time, nothing changes on the local system or on the Cisco ASA.
2. As for the NTP synchronization, I tried to run an NTP daemon on the local host, but I think the daemon may not be running properly. Do you have any recommendation for installing an NTP daemon on Win 7 (64-bit) or Vista (32-bit)?
3. If no daemon is running on the local host that I want the ASA connected to, is there any way to synchronize the ASA time with the local system time of the local host from the ASA command line?
Thanks and best regards,
tangsuan
02-02-2012 06:38 AM
You're welcome.
1. If you first enter the new, correct time in the boxes and then click on "Update Displayed Time", the ASA clock will be changed. The shortcoming of this is that it will not persist after a power cycle and it will drift over time, since the internal chip that keeps track of time is not tied to any reference.
2. Most people do not use an NTP daemon running on a workstation. They use either their internal domain controller running a (NTP) time service (which often points to a public NTP server) or point directly to a public NTP server. Please see the lists linked from www.ntp.org for public time servers.
3. #1 above is the GUI equivalent to the command line as follows:
clock set hh:mm:ss {month day | day month} year
Please refer to this section of the Configuration Guide for more details.
02-02-2012 06:40 PM
Hi Marvin:
Thanks for your reply!
I managed to get an external NTP server and set the NTP server address at the ASA accordingly.
The ASA can synchronize perfectly with the NTP server without any problem.
See the command line result below:
ciscoasa(config)# sh ntp assoc
  address        ref clock       st  when  poll  reach  delay  offset    disp
*~192.168.20.5   .PPS.            1    54    64      1    0.3   16.57  15890.
 ~192.168.50.6   .PPS.            1  1088    64      0    0.3   23.71  16000.
 ~192.168.50.5   0.0.0.0         16     -    64      0    0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
192.168.20.5 is the preferred NTP server and it is synchronized well with the PC.
After that, when I clicked Update Displayed Time, the time in the cell updated accordingly with the NTP server too.
Thanks for your explanation and help on this.
I have come across other networking devices and firewalls besides Cisco that can synchronize with the host system without needing an NTP server. Cisco may apply a more stringent requirement, in that it can only synchronize with an NTP server or a device with an NTP daemon.
This question is closed since I already have the answer from you. Thanks!
Regards,
tangsuan
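As an added example (not part of any post in this thread, and not Cisco code), the following Python parses the "sh ntp assoc" rows posted above and labels each peer from its flags, stratum and reach value. The function names and the triage wording are hypothetical; the input is only the output already shown in the thread.

```python
import re

# Rows copied from the two "sh ntp assoc" captures posted in this thread.
SAMPLE = """\
address ref clock st when poll reach delay offset disp
*~198.82.1.201 198.82.247.164 2 876 1024 377 12.0 0.80 22.2
*~192.168.20.5 .PPS. 1 54 64 1 0.3 16.57 15890.
~192.168.50.6 .PPS. 1 1088 64 0 0.3 23.71 16000.
~192.168.50.5 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# flags, peer address, ref clock, stratum, when, poll, reach, delay, offset, disp
ROW = re.compile(
    r"^\s*(?P<flags>[*#+~-]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]+)\s+\S+\s+\S+\s+\S+\s*$"
)

def parse_associations(text):
    """Return one dict per peer row; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        # reach is an 8-bit shift register printed in octal: 377 = last 8 polls answered
        reach = int(m["reach"], 8) & 0xFF
        peers.append({
            "address": m["addr"],
            "synced": "*" in m["flags"],
            "stratum": int(m["st"]),
            "polls_answered": bin(reach).count("1"),
        })
    return peers

def assess(peer):
    """Hypothetical triage labels for one parsed peer."""
    if peer["stratum"] >= 16:
        return "unsynchronized source (stratum 16)"
    if peer["polls_answered"] == 0:
        return "no replies in last 8 polls; check UDP 123 to this peer"
    if not peer["synced"]:
        return "replying but not the synced master"
    if peer["polls_answered"] < 8:
        return "synced; reach register still filling"
    return "synced"

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(f'{p["address"]:<16}{assess(p)}')
```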