ASA/FTD blocking itself from connecting to internet for NTP

MauryJ · ‎10-12-2021

Hello All,

I've been troubleshooting an issue with getting Single Signon to work with AnyConnect, using SAML and a hosted id provider. In the end, it appears to have been an issue with time sync. So I wanted to configure both our FMC and FTD to sync time directly an authoritative NTP host on the internet, versus our internal NTP.

This was simple enough for the FMC, however, when configuring our FTD (on ASA) to sync, the status for the external servers stays in 'INIT'. I see in our connection log that FTD is blocking itself from connecting out, and no interface is shown for the ingress interface. So I'm trying to figure out how to allow it to connect out, with a prefilter rule. Would I need to set the source interface to any?

I do have the option to let the FTD sync time with FMC, though, I read a post suggesting that this is not actually recommended.

Thanks

Edit: I forgot to mention our version, 6.7.0.2 on both FTD and FMC

Milos_Jovanovic · ‎10-12-2021

Hi @MauryJ,

You have an option in the Platform Settings policy to configure time synchronization, either with NTP servers or FMC:

I would advise to go for NTP servers, as that it always more resilient. Just pay attention that this synchronization needs to go via management interface, so make sure you create relevant FW rules and NAT/PAT, if you plan to use public NTP servers. As management interface is special interface (in terms that it doesn't process traffic, control plane), most often, it goes back to some management network, which comes to data plane interface via some standard interface (e.g. inside).

BR,

Milos