Can't get IPS Sensor to communicate with NTP server

Hi Experts,

I've been trying to get my IPS Sensor, which is running on my ASA 5512X, to get time from my NTP server; every time I try, it fails with an error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running".

I'm connecting to my IPS module via the management interface, which is 192.168.100.0/24; my inside network, where the NTP server is, is 192.168.1.0/24.

The Cisco Router which is serving as a NTP server is an 800 series, below is its configuration...

ntp authentication-key 330 md5 047804081B244F603D29 7
ntp trusted-key 330
ntp source Vlan3
ntp master 5
ntp server 202.22.158.31

I suspect that the sensor just can't reach the router because of my setup, but I thought it would be able to communicate because of the backplane network, which as I understand it on the ASA 5512X incorporates all interfaces?... Confused.

Please help!!!!

24 Replies

The ip address on the management interface for the sensor is 192.168.100.99. This network is isolated and is not connected to any other network including the inside network.

You need to make sure that you can ping your DG from the IPS module. Is your IPS on the same network as your inside interface?

When setting up the sensor, it would not let me use the network which was already set up for the inside network. I had to use the management interface to gain access to sensor, but I can't get the sensor to be on the same network as the inside.

You can go under the management interface, do "no ip address", and make sure that the DG for the IPS is your SVI IP address for that VLAN,

not the IP from the management interface.

Could you please explain that a bit further please?

Sure.

Example:

ASA
  inside      192.168.10.0/24
  outside     public IP
  management  192.168.100.10/24
  IPS         192.168.100.15/24 (DG will be 192.168.100.1)

Layer 3 switch
  VLAN 10   ip 192.168.10.1/24
  VLAN 100  ip 192.168.100.1/24

From the ASA you need to add a static route pointing to the management network (even if the IPS is inside the ASA and you go through the management interface, your ASA still needs to know how to reach it):

ASA(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1

In most cases you might not need to assign an IP address to the management interface, because you can manage the IPS even from inside; just don't forget to add "http 192.168.10.0 255.255.255.0 inside".

Just make sure that your DG on the IPS is not the IP address of the management interface (in most cases removing the IP address from the management interface will work just fine).

TEST: log in to the IPS and ping 8.8.8.8

Hope this was helpful. Let me know if you need any assistance.
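A way to reproduce the sensor's NTP check from any host on the candidate network (the management VLAN or the inside VLAN), as an added diagnostic example that is not from this thread or from Cisco: it sends one SNTP request, optionally carrying an MD5 MAC for a key id such as the 330 configured on the router, and reports either the server's stratum and clock offset or the reason the reply was unusable. A router running "ntp master 5" answers at stratum 5. The server address, the key secret and the sample reply packet are constructed placeholders, not values from the thread.

```python
"""SNTP reachability check for an NTP server (example code, not from the thread).

Builds a client request, optionally appends an RFC 5905-style MAC
(4-byte key id + MD5(secret || packet)), parses the reply and reports the
stratum and clock offset, or a clear failure reason."""
import hashlib
import hmac
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
NTP_PORT = 123


def _to_ntp(unix_time):
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32)) & 0xFFFFFFFF
    return secs + NTP_EPOCH_OFFSET, frac


def _from_ntp(secs, frac):
    """(NTP seconds, 32-bit fraction) -> Unix float seconds."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(key_id=None, secret=b"", transmit_time=None):
    """48-byte NTPv3 client packet (LI=0, VN=3, mode=3 -> 0x1b); 68 bytes with a MAC."""
    if transmit_time is None:
        transmit_time = time.time()
    pkt = bytearray(48)
    pkt[0] = 0x1B
    struct.pack_into("!II", pkt, 40, *_to_ntp(transmit_time))  # transmit timestamp
    if key_id is not None:
        # MAC covers the 48-byte header; secret is the shared NTP key (hypothetical value).
        pkt += struct.pack("!I", key_id) + hashlib.md5(secret + bytes(pkt)).digest()
    return bytes(pkt)


def mac_key_id(pkt):
    """Key id carried in the MAC field, or None when the packet has no MAC."""
    return struct.unpack("!I", pkt[48:52])[0] if len(pkt) == 68 else None


def verify_mac(pkt, secret):
    """True if the packet carries a 20-byte MAC that matches the shared secret."""
    if len(pkt) != 68:
        return False
    expected = hashlib.md5(secret + pkt[:48]).digest()
    return hmac.compare_digest(expected, pkt[52:68])


def parse_response(data, t1, t4):
    """Interpret a server reply; raise ValueError with the reason when it is unusable.

    t1/t4 are the client's send and receive times (Unix seconds)."""
    if len(data) < 48:
        raise ValueError("short packet: %d bytes" % len(data))
    leap, version, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    ref_id = data[12:16]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:  # kiss-o'-death: the reference id carries the reason code
        raise ValueError("kiss-o'-death from server: %r" % ref_id.decode("ascii", "replace"))
    if leap == 3:
        raise ValueError("server reports its clock is not synchronized")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    t2, t3 = _from_ntp(rx_s, rx_f), _from_ntp(tx_s, tx_f)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0   # how far our clock is from the server's
    delay = (t4 - t1) - (t3 - t2)            # round-trip minus server processing time
    return {"version": version, "stratum": stratum, "server_time": t3,
            "offset": offset, "delay": delay}


def make_sample_response(stratum, t2, t3, ref_id=b"LOCL", leap=0):
    """Constructed mode-4 reply for offline testing; not a captured packet."""
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (3 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = ref_id[:4].ljust(4, b"\0")
    struct.pack_into("!II", pkt, 32, *_to_ntp(t2))  # receive timestamp
    struct.pack_into("!II", pkt, 40, *_to_ntp(t3))  # transmit timestamp
    return bytes(pkt)


def query(server, port=NTP_PORT, timeout=3.0, key_id=None, secret=b""):
    """Send one request and return a result dict; never raises on network errors."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(key_id, secret, t1), (server, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
        result = parse_response(data, t1, t4)
        if key_id is not None:
            result["mac_ok"] = verify_mac(data, secret)
        result["ok"] = True
        return result
    except socket.timeout:
        return {"ok": False,
                "error": "no reply: host unreachable, UDP/123 filtered, or NTP not running"}
    except (OSError, ValueError) as exc:
        return {"ok": False, "error": str(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    # Hypothetical router address; pass the real one on the command line.
    print(query(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))
```

Run it from a host on the IPS's own gateway VLAN rather than from the ASA: a timeout means the packet never reaches the router or the reply never comes back (routing or filtering between the two networks), while a kiss-o'-death, an unsynchronized flag or a failed MAC means the server answered but the sensor would rightly reject it. The sensor's single "Cannot connect to NTP server or NTP server is not running" message does not distinguish those cases.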

Hi Arsen,

Thanks for your input with this. I have to say, this is getting ridiculous; I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512X there is no hardware module, just software.

I couldn't add the static route, as the route to the management interface is already directly connected.

I tried to change the IPS address to an address on the inside network; it falls over and you have to fix it from the command line.

Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.

If you view the status of the IPS sensor from the ASDM, it's using the ASA clock, not the IPS!!!!!

Why is this so difficult? I think I need to talk to Cisco directly; this just shouldn't be this hard, it's setting a clock!!!

Thanks again for your help.

Paul

You're welcome. You can't add the route because you have an IP assigned to your management interface.

Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.

Here is the trick. No IP address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will become only for the IPS).

If you want to use an inside IP on the IPS, then you need to do "no ip address" and also "no nameif management".

If an interface is marked as management, it will allow only management traffic; if you unmark it, it will become a regular port :)
