10-11-2021 03:00 AM
Hello everybody,
our customer has a Firepower 2110 Appliance that is running
ASA OS 9.10(1)44.
Our monitoring threw an alarm because of missing NTP synchronisation.
When I went to the chassis manager I entered the following commands
to check this:
firepower-2110 /system/services/ntp-server # show config
enter ntp-server de.pool.ntp.org
    set ntp-sha1-key-id 0
!   set ntp-sha1-key-string
exit
firepower-2110 /system/services # show ntp-authentication
Ntp Auth State: Disabled
firepower-2110 /system/services # show ntp-server
NTP server hostname:
    Name                           Time Sync Status
    ------------------------------ ----------------
    de.pool.ntp.org                Unreachable Or Invalid Ntp Server <---
The German NTP server pool de.pool.ntp.org could be pinged from the
ASA OS CLI:
de-nm-fw-ext-02/sec/act# ping de.pool.ntp.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.145.135.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
I also configured other NTP servers with the same result but
I used de.pool.ntp.org because it is replying to ping.
What can I do to get the NTP synchronisation to work?
Attached you find the 'sh tech' from the ASA OS and the 'sh configuration'
from the chassis manager.
Every hint is welcome.
Thanks a lot!!!
Bye
R.
10-11-2021 03:51 AM
Can you confirm that your chassis is able to resolve the configured ntp server using the DNS address?
When running on a Firepower appliance, an ASA logical device requires the parent chassis ntp configuration be working.
10-11-2021 05:39 AM
Dear Marvin,
thanks a lot for your fast reaction!
Because I did not find the right command on FXOS to test the name resolution
of the NTP server pool de.pool.ntp.org I deleted the NTP-server pool and entered
the IP-addresses of three NTP-Servers:
firepower-2110 /system/services # show ntp-server
NTP server hostname:
    Name                           Time Sync Status
    ------------------------------ ----------------
    192.53.103.103                 Unreachable Or Invalid Ntp Server
    192.53.103.104                 Unreachable Or Invalid Ntp Server
    192.53.103.108                 Unreachable Or Invalid Ntp Server
So a problem with the name resolution is excluded, but the NTP synchronisation still does not seem to work.
Could it be a problem that the Chassis Manager port is not connected in this case so we can only access it by the command 'connect fxos' from the ASA CLI?
Do you still have ideas why the NTP synchronisation is not working?
Thanks a lot!
Bye
R.
10-11-2021 05:50 AM
Ah yes - the chassis manager port needs to be connected and able to reach the configured NTP servers.
10-11-2021 07:06 AM
Dear Marvin,
thanks for the useful hint!
I assumed that the FTD is able to reach the NTP-servers in the
Internet via the outside interface ...
I will ask my colleague onsite to connect the Chassis Manager to
the network to be able to reach the NTP-servers thereafter.
Thanks a lot!
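
Added example, not part of the thread and not Cisco code: the ping in the first post shows ICMP reachability from the ASA data plane only, while the chassis queries NTP over UDP/123 from its management port. This Python sketch sends one NTP client query and checks that the reply comes from a synchronised server; it assumes it is run from a host on the management network, and the function names and the two sample packets are constructed for illustration.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    # LI=0, VN=4, Mode=3 (client) packs to 0x23; remaining 47 bytes are zero.
    return b"\x23" + bytes(47)

def parse_response(data):
    """Decode the NTP header fields that decide whether a server is usable."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    leap, version, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": leap, "version": version, "mode": mode, "stratum": stratum,
        "refid": data[12:16],
        "tx_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
        # Server reply (mode 4), clock synchronised (LI != 3), valid stratum.
        "usable": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def probe(server, timeout=2.0):
    """Send one query to UDP/123; return the parsed reply, or None if none arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_request(), (server, 123))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, DNS failure, ICMP unreachable
            return None
    return parse_response(data)

def _packet(first, stratum, refid, tx_unix):
    # Constructed sample reply: header, zeroed delay/dispersion and timestamps.
    return (bytes([first, stratum, 6, 0xEC]) + bytes(8) + refid + bytes(24)
            + struct.pack("!II", tx_unix + NTP_EPOCH_OFFSET, 0))

SAMPLE_OK = _packet(0x24, 2, b"\xc0\x00\x02\x01", 1633950000)   # LI=0, stratum 2
SAMPLE_KOD = _packet(0xE4, 0, b"RATE", 1633950000)              # LI=3, kiss-of-death

if __name__ == "__main__":
    for name in sys.argv[1:]:
        reply = probe(name)
        print(name, "no reply on UDP/123" if reply is None else reply)
```

Pass the configured server names or addresses as arguments; "no reply on UDP/123" from the management segment points at routing or filtering on that path, not at the NTP server itself.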