
Firepower2110 (ASA-Image): NTP does not work anymore

swscco001
Level 3

Hello everybody,

our customer has a Firepower2110 running an ASA-Image rel. 9.12(4)37.

From our monitoring we got the error message: time difference: -272 seconds

On the ASA-OS I checked the time:

de-nm-fw-ext-02/sec/act# show clock det
07:50:39.669 CEST Fri Oct 27 2023                   	                   (correct time 07:54)
Time source is FXOS
UTC time is: 05:50:39 UTC Fri Oct 27 2023
Summer time starts 02:00:00 CET Sun Mar 26 2023
Summer time ends 03:00:00 CEST Sun Oct 29 2023

The NTP configuration on FXOS is:

NTP configuration:
--------------------------
...
	 disable ntp-authentication
...
         enter ntp-server 192.53.103.103

             set ntp-sha1-key-id 0

 !           set ntp-sha1-key-string

         exit

         enter ntp-server 192.53.103.104

             set ntp-sha1-key-id 0

 !           set ntp-sha1-key-string

         exit

         enter ntp-server 192.53.103.108

             set ntp-sha1-key-id 0

 !           set ntp-sha1-key-string
...

I got the following relevant outputs from the FXOS:

firepower-2110# show clock det				
Fri Oct 27 07:53:21 CEST 2023				                                   (correct time 07:57)

firepower-2110# show ntp-overall-status

    NTP Overall Time-Sync Status: Ntp Config Failed

firepower-2110# show fault
Severity  Code     Last Transition Time     ID       Description
--------- -------- ------------------------ -------- -----------
Minor     F1150    2022-11-09T15:34:11.599  28900427 ether port 0/1 on fabric interconnect A oper state: link-down, reason:
Major     F1329    2021-10-11T14:17:34.422     27532 Ntp Configuration failed, please check the error message in Ntp host
Major     F0853    2021-04-16T08:13:05.678  10542906 default Keyring's certificate is invalid, reason: expired.



firepower-2110 /system/services # show ntp-server detail

NTP server hostname:
    Name: 192.53.103.103
    Time Sync Status: Unreachable Or Invalid Ntp Server
    Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.

    Name: 192.53.103.104
    Time Sync Status: Unreachable Or Invalid Ntp Server
    Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.

    Name: 192.53.103.108
    Time Sync Status: Unreachable Or Invalid Ntp Server
    Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.

Another ASA at this customer also has the NTP servers 192.53.103.103 & 192.53.103.108 configured
and all seems to work fine:

Result of the command: "sh ntp status"

Clock is synchronized, stratum 2, reference is 192.53.103.108
nominal freq is 99.9984 Hz, actual freq is 99.9993 Hz, precision is 2**6
reference time is e8e5d5bd.464450cf (08:22:53.274 CEDT Fri Oct 27 2023)
clock offset is 0.9460 msec, root delay is 21.87 msec
root dispersion is 17.17 msec, peer dispersion is 15.98 msec


Result of the command: "sh clock"

08:28:44.387 CEDT Fri Oct 27 2023


Both devices have direct access to the Internet.

I have tried to restart the NTP on the FXOS on the Firepower2110 but could not
find out how this can be done.

What would you do to get the NTP working again (except a reboot of the
Firepower2110, because 800 AnyConnect users are connected)?

I have attached the FXOS configuration and the ASA-mode 'show tech'.

Thanks a lot for every hint.



Bye
R.
