I've been having trouble with my IPS Sensor, which is running on my ASA 5512X: every time I try to get the Sensor to get time from my NTP server, it fails with the error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running".
I'm connecting to my IPS module via the management interface, which is 192.168.100.0/24; my inside network, where the NTP server is, is on the network address 192.168.1.0/24.
The Cisco router which is serving as an NTP server is an 800 series; below is its configuration:
ntp authentication-key 330 md5 047804081B244F603D29 7
ntp trusted-key 330
ntp source Vlan3
ntp master 5
ntp server 184.108.40.206
I suspect that the sensor just can't reach the router because of my setup, but I thought it would be able to communicate because of the backplane network, which as I understand it on the ASA 5512X incorporates all interfaces? Confused.
The IP address on the management interface for the sensor is 192.168.100.99. This network is isolated and is not connected to any other network, including the inside network.
When setting up the sensor, it would not let me use the network which was already set up for the inside network. I had to use the management interface to gain access to the sensor, but I can't get the sensor to be on the same network as the inside.
You can go under the management interface, do "no ip address", and make sure the DG for the IPS is your SVI IP address for that VLAN, not the IP from the management interface.
outside public ip
ips 192.168.100.15/24 (DG will be 192.168.100.1)
Layer 3 Switch
VLAN 10 ip 192.168.10.1/24
VLAN 100 ip 192.168.100.1/24
From the ASA you need to add a static route pointing to the management (even if the IPS is inside the ASA and going through the management interface, your ASA still needs to know how to reach it):
ASA(conft) route inside 192.168.100.0 255.255.255.0 via 192.168.10.1
In most cases you might not need to assign an IP address to the management interface, because you can manage it even from inside; just don't forget to add http 192.168.10.0 255.255.255.0 inside.
Just make sure that your DG on the IPS is not the IP address of the management interface (in most cases removing the IP address from the management interface will work just fine).
TEST: log in to the IPS and ping 220.127.116.11
Hope this was helpful. Let me know if you need any assistance.
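Once the sensor can actually reach the router, the sensor side of the NTP setup also has to match the router's authenticated key 330. This is an added example, not from either poster, written against the IPS 7.x sensor CLI; the NTP server address 192.168.1.1 (the router's Vlan3 SVI) and the plaintext key are assumptions, since the router's running-config only shows key 330 in type-7 encoded form.

```cisco
! Added example: sensor-side NTP configuration matching the router's key 330.
! 192.168.1.1 is an ASSUMED address for the router's Vlan3 SVI (ntp source Vlan3).
! <PLAINTEXT-KEY> is a placeholder: the router shows key 330 type-7 encoded,
! and the sensor needs the same key in plaintext.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# ntp-option enabled
sensor(config-hos-ena)# ntp-keys 330 md5-key <PLAINTEXT-KEY>
sensor(config-hos-ena)# ntp-servers 192.168.1.1 key-id 330
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
! Confirm reachability first (the same test as above), then check the clock.
sensor# ping 192.168.1.1
sensor# show clock
```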
Thanks for your input with this. I have to say, this is getting ridiculous; I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512X there is no hardware module, just software.
I couldn't add the static route, as the route to the management interface is already directly connected.
I tried to change the IPS address to an address on the inside network; it falls over and you have to fix it from the command line.
Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.
If you view the status of the IPS sensor from the ASDM, it's using the ASA clock, not the IPS!!!!!
Why is this so difficult? I think I need to talk to Cisco directly; this just shouldn't be this hard, it's setting a clock!!!
Thanks again for your help.
Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.
Here is the trick. No IP address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will become only for the IPS).
If you want to use an inside IP on the IPS, then you need to do "no ip address" and also "no nameif management".
If the interface is marked as management it will allow only management traffic; if you unmark it, it will become a regular port :)