

Can't get IPS Sensor to communicate with NTP server

Hi Experts,

I've been trying to get my IPS Sensor which is running on my ASA 5512X, every time I try to get the Sensor to get time from my NTP server, it fails with an error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running"

I'm connecting to my IPS module via the management interface which is, my inside network where the NTP server is, is on the network address

The Cisco router which is serving as an NTP server is an 800 series; below is its configuration...

ntp authentication-key 330 md5 047804081B244F603D29 7

ntp trusted-key 330

ntp source Vlan3

ntp master 5

ntp server

I suspect that the sensor just can't reach the router because of my setup, but I thought it would be able to communicate because of the backplane network, which as I understand it on the ASA 5512X incorporates all interfaces?... Confused.

Please help!!!!


The ip address on the management interface for the sensor is This network is isolated and is not connected to any other network including the inside network.


You need to make sure that you can ping your DG from the IPS module. Is your IPS on the same network as your inside interface?


When setting up the sensor, it would not let me use the network which was already set up for the inside network. I had to use the management interface to gain access to sensor, but I can't get the sensor to be on the same network as the inside.


You can go under the management interface, do no ip address, and make sure that the DG for the IPS is your SVI IP address for that VLAN,

not the IP from the management interface.


Could you please explain that a bit further please?






outside public ip


ips (DG will be

Layer 3 Switch

VLan 10 ip

vlan 100 ip

From the ASA you need to add a static route pointing to the management (even if the IPS is inside the ASA and going through the management interface, your ASA still needs to know how to reach it).

ASA(conft) route inside via

In most cases you might not need to assign an IP address to the management interface, because you can manage it even from inside; just don't forget to add http inside

Just make sure that your DG on the IPS is not an IP address of the management interface (in most cases removing the IP address from the management interface will work just fine).

TEST: login to the IPS and ping

Hope this was helpful. Let me know if you need any assistance.


Hi Arsen,

Thanks for your input with this. I have to say, this is getting ridiculous, I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512X there is no hardware module, just software.

I couldn't add the static route, as the route to the management interface is already directly connected.

I tried to change the IPS address to an address on the inside network; it falls over and you have to fix it from the command line.

Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.

If you view the status of the IPS sensor from the ASDM, it's using the ASA clock, not the IPS!!!!!

Why is this so difficult? I think I need to talk to Cisco directly; this just shouldn't be this hard, it's setting a clock!!!

Thanks again for your help.



You're welcome. You can't add the route because you have an IP assigned to your management interface.


Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.


Here is the trick. No IP address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will become only for the IPS).

If you want to use an inside IP on the IPS then you need to do no ip address and also no nameif management

If an interface is marked as management it will allow only management traffic; if you unmark it, it will become a regular port :)
