FPR1120 FDM will not connect to NTP

Baryon324 · ‎09-24-2020

I'm running 6.6.0-90 on a FPR1120 in FDM mode. Whether or not I use the default NTP servers or enter my own, the unit will not sync up. When I run 'show ntp' the status of each server (including 127.127.1.1) shows unknown. From the CLI console, I also cannot ping the resolved addresses.

Marvin Rhoads · ‎09-25-2020

How did you configure the NTP servers? Does your management interface have a route and unblocked path (no proxy or acl) to the internet?

Baryon324 · ‎09-25-2020

I chose user-defined servers since the default wasn't working: 0.sourcefire.pool.ntp.org, time.nist.gov, time.google.com. The management interface is set to use data interfaces as the gateway. I am remotely servicing this client through SSH.

This firewall is being set up with dual ISP failover, but still at the beginning. ISP1 is the outside interface (logical:outside), which was the original broadband primary. ISP2 is the current primary interface (logical:level3) on fiber. There is only a single outbound route to the ISP2 gateway. A single NAT rule from inside to ISP2, and two ACL policies from inside to both ISP1 and ISP2. Management Access>Data Interfaces has the default inside and outside, and the additional level3 interface (HTTPS,SSH,anyipv4).

Today, I am able to ping NTP servers, but still not syncing.

>show ntp
NTP Server : 44.190.6.254
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)

NTP Server : 216.239.35.12 (time4.google.com)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)

NTP Server : 127.127.1.1
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 7 (seconds)

NTP Server : 128.138.140.44 (india.colorado.edu)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)

> ping 44.190.6.254
Sending 5, 100-byte ICMP Echos to 44.190.6.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/58/60 ms

> ping 216.239.35.12
Sending 5, 100-byte ICMP Echos to 216.239.35.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

> ping 128.138.140.44
Sending 5, 100-byte ICMP Echos to 128.138.140.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms

Marvin Rhoads · ‎09-25-2020

When you ping as you showed in your post, FTD uses the dataplane interface that the global routing table tells us is the best one for the destination address.

To test connectivity from the management interface, use "ping system <target address>" instead.

Baryon324 · ‎09-28-2020

I tried your command and it timed out.

> ping 216.218.254.202
Sending 5, 100-byte ICMP Echos to 216.218.254.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/58/60 ms

>ping system 216.218.254.202
Command execution timed out. Please try again.

Baryon324 · ‎10-16-2020

What does this tell me?

johnlloyd_13 · ‎10-17-2020

hi,

is your DNS server correctly resolving? try to ping a FQDN instead of an IP: > ping www.google.com

check in FDM if it's properly configured: device > system settings > DNS server.

Baryon324 · ‎10-18-2020

I was able to ping a FQDN.

Aref Alsouqi · ‎10-19-2020

Interesting you could ping the FQDN but not the individual IP addresses. Was that using ping system command?

I would try to hardcode the data interface IP address used as the default gateway by the management interface:

configure network ipv4 manual 192.168.45.45 255.255.255.0 <the data interface IP address>

Baryon324 · ‎10-13-2020

Are there any suggestions?

Marius Gunnerud · ‎10-16-2020

What does the output of show network give you? Do you see the default gateway configured there? Are you able to ping the default gateway using ping system ?

Sounds like you either have a routing issue or the FTD management interface doesn't have a access rule configured to reach the NTP servers.

--
Please remember to select a correct answer and rate helpful posts

Baryon324 · ‎10-18-2020

The default route gateway is set to use the data interfaces.

Baryon324 · ‎10-18-2020

===============[ System Information ]===============
Hostname : HQ_FTD1120
DNS Servers : 208.67.222.222
208.67.220.220
Management port : 8305
IPv4 Default route
Gateway : data-interfaces

==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 10:B3:D6:20:72:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.45.45
Netmask : 255.255.255.0
Gateway : 169.254.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled