Solved: Re: Firepower 2110 (OS 9.10(1)44) - unable to synchronize with NTP ser

swscco001 · ‎10-11-2021

Hello everybody,

our customer has a Firepower 2110 Appliance that is running
ASA OS 9.10(1)44.

Our monitoring throught an alarm because missing NTP synchronisation.

When I go to the chassis manager I entered the folloing commands
to check this:

firepower-2110 /system/services/ntp-server # show config
enter ntp-server de.pool.ntp.org
set ntp-sha1-key-id 0
! set ntp-sha1-key-string
exit


firepower-2110 /system/services # show ntp-authentication

Ntp Auth State: Disabled


firepower-2110 /system/services # show ntp-server

NTP server hostname:
Name Time Sync Status
------------------------------ ----------------
de.pool.ntp.org Unreachable Or Invalid Ntp Server <---

The German NTP server pool de.pool.ntp.org could be pinged from the
ASA OS CLI:

de-nm-fw-ext-02/sec/act# ping de.pool.ntp.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.145.135.89, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

I also configured other NTP servers with the same result but
I used de.pool.ntp.org because it is replying to ping.

What can I do to get the NTP synchronisation to work?

Attached you find the 'sh tech' from the ASA OS and the 'sh configuration'
from the chassis manager.

Every hint is welcome.

Thanks a lot!!!

Bye
R.

Marvin Rhoads · ‎10-11-2021

Ah yes - the chassis manager port needs to be connected and able to reach the configured NTP servers.

View solution in original post

Marvin Rhoads · ‎10-11-2021

Can you confirm that your chassis is able to resolve the configured ntp server using the DNS address?

When running on a Firepower appliance, an ASA logical device requires the parent chassis ntp configuration be working.

swscco001 · ‎10-11-2021

Dear Marvin,

thanks a lot for your fast reaction!

Because I did not find a right command on fxos to test the name resoution

of the NTP server pool de.pool.ntp.org I deleted the NTP-server pool and entered

the IP-addresses of three NTP-Servers:

firepower-2110 /system/services # show ntp-server

NTP server hostname:
    Name                           Time Sync Status
    ------------------------------ ----------------
    192.53.103.103                 Unreachable Or Invalid Ntp Server
    192.53.103.104                 Unreachable Or Invalid Ntp Server
    192.53.103.108                 Unreachable Or Invalid Ntp Server

So a problem with the name resolution is excluded but a NTP synchronisation seems not to work anymore.

Could it be a problem that the Chassis Manager port is not connected in this case so we can only access it by the command 'connect fxos' from the ASA CLI?

Do you have still ideas why the NTP synchronisation is not working?

Thanks a lot!

Bye

R.

Marvin Rhoads · ‎10-11-2021

Ah yes - the chassis manager port needs to be connected and able to reach the configured NTP servers.

swscco001 · ‎10-11-2021

Dear Marvin,

thanks for the useful hint!

I assumed that the FTD is able to reach the NTP-servers in the
Internet via the outside interface ...

I will ask my colleague onsite to connect the Chassis Manager to

the network to be able to reach the NTP-servers thereafter.

Thanks a lot!

Firepower 2110 (OS 9.10(1)44) - unable to synchronize with NTP servers