
FPR2110 NTP Sync issue with FMC

Nandan Mathure
Level 1

Hello!

 

I have an existing network all set up by someone based on an FPR2110 firewall. This existing firewall is being managed by FDM (on-device/local Firewall Device Manager).

I have an additional FTD firewall which needs to be configured such that it can be managed through FMC.

For this I made the connections as shown in the network diagram (the diagram doesn't include other irrelevant network details).

All the management network is flat L2 with a gateway configured on the existing firewall.

Stage 1:

Once I powered on the NGFW-FTD02, following commands were issued:

 

firepower#connect ftd

>configure network ipv4 manual 10.10.20.5 255.255.255.0 10.10.20.1 

>configure manager add 10.10.20.3 PPPPAAAA

show managers >> shows the FMC is added

 

Stage 2:

FMC was configured and I was able to access it correctly without any problem.

I added the FPR2110 to the FMC using the key PPPPAAAA.

Initially, it looked like it was in sync with NGFW-FTD02, but then it suddenly started getting error messages about an NTP mismatch or something, and if FMC and FTD do not have a time sync then the FTD cannot be managed through FMC.

 

Now when I ping from FMC to NGFW-FTD02's management, I am able to get the response. I am also able to SSH into NGFW-FTD02.

 

When I ping from NGFW-FTD02 to FMC, the ping fails.

When I ping from NGFW-FTD02 to NGFW-FTD01's default gateway, the ping fails.

 

show ntp on NGFW-FTD02 shows that NTP is associated with the local clock.

 

Kindly help me understand what the possible list of issues would be, and how I can sync the clock on NGFW-FTD02 without being on FMC (I need a command). Also help me understand the routing issue here, as I am unable to reach the gateway (mostly a gateway/data interface issue) and the FMC from NGFW-FTD02, but in the reverse direction it is able to ping.

4 Replies

Tim Lewis
Level 1

I am having exactly the same issue. We have FTD01 and FTD02. By my mistake, I initially configured FTD02 to be managed by the local Firewall Device Manager. Then I converted it to be managed by FMC. Now FTD02 has an NTP sync issue.

 

If I use time4.google.com instead of FMC, it will work. So NTPD on FTD02 is working correctly. I don't know what to do next... I opened a TAC case but no luck... I think the key is that it used to be managed by a local Firewall Device Manager...

 

===with google

///NTP status///

root@NYP-EDGE-FW02:~# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.1     .LOCL.          10 l   10   64   37    0.000    0.000   0.000
*216.239.35.12   .GOOG.           1 u    1   32    1  187.033   15.917   0.151

 

///ntp.conf///

root@FTD02:~# cat /etc/ntp.conf
# KP NTPd client configuration file

server time4.google.com prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server

# Local Clock as Backup
server 127.127.1.1 # local clock
fudge 127.127.1.1 stratum 10

# default security setting
restrict default kod nomodify notrap noquery
restrict 127.0.0.1 # allow local access

# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
# driftfile /opt/cisco/platform/logs/ntp.drift
driftfile /var/lib/ntp/ntp.drift

logconfig=syncall +clockall +sysall +peerall
logfile /opt/cisco/platform/logs/ntp.log


===with FMC

///NTP status///

root@FTD02:~# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.0.0.2       .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.1     .LOCL.          10 l   62   64  377    0.000    0.000   0.000

 

///ntp.conf///

root@NYP-EDGE-FW02:~# cat /etc/ntp.conf
# KP NTPd client configuration file

server 127.0.0.2 prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server

# Local Clock as Backup
server 127.127.1.1 # local clock
fudge 127.127.1.1 stratum 10

# default security setting
restrict default kod nomodify notrap noquery
restrict 127.0.0.1 # allow local access

# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
# driftfile /opt/cisco/platform/logs/ntp.drift
driftfile /var/lib/ntp/ntp.drift

logconfig=syncall +clockall +sysall +peerall
logfile /opt/cisco/platform/logs/ntp.log

I was able to fix the problem. You can apply this method if it is not in production, since we need to wipe the config.

 

1) Remove the problem FTD from FMC

2) Make sure it is no longer registered with FMC; from the FTD run "show managers"

3) From the FTD, run "configure firewall transparent" to wipe the config

4) From the FTD, run "configure firewall routed" to go back to routed mode

5) Register to FMC

 

root@FTD02:~# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       45.33.84.208     3 u    9   64  273    0.660    3.817   0.578
 127.127.1.1     .LOCL.          10 l  764   64    0    0.000    0.000   0.000

 

Note:

I got the idea of how to reset the previous config from this link:

https://www.lammle.com/post/reset-cisco-ftd-device-converted-asa-ftd-210041009300-factory-default/
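As an added worked example (not part of this thread and not Cisco's or the posters' code): a small Python parser that reads `ntpq -np` listings like the three above and reports whether the daemon is actually disciplined by an upstream server, is free-running on the fudged local clock (the `*127.127.1.1 .LOCL.` case that shows up when the FMC-fed 127.0.0.2 peer sits in `.INIT.` with reach 0), or has a selected peer that stopped answering. The `Peer` record, the state names and the helper functions are my own; the sample listings are the ones posted above, re-aligned, and a real check would feed it the live output of `ntpq -np` instead.

```python
"""Classify the sync state of an NTP daemon from `ntpq -np` output.

Added example for this thread, not code from Cisco or the posters. The
sample listings are the three posted above (re-aligned); state names,
the Peer record and the helpers are this example's own choices.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Column-1 tally codes printed by ntpq: '*' system peer, '+' candidate,
# '#' selected but beyond the survivor limit, 'o' PPS peer, '-' outlier,
# 'x' falseticker, '.' excess, ' ' not selected.
TALLY_CODES = "*+#o-x. "


@dataclass
class Peer:
    tally: str        # selection code from column 1
    remote: str       # server address
    refid: str        # upstream reference (.LOCL., .INIT., .GOOG., an IP ...)
    stratum: int      # 16 = unsynchronised, 10 = the fudged local clock
    kind: str         # 'u' unicast, 'l' local reference clock, ...
    reach: int        # last 8 polls as a bitmask (ntpq prints it in octal)
    offset_ms: float  # clock offset against this peer in milliseconds


def parse_ntpq(text: str) -> List[Peer]:
    """Turn the peer table printed by `ntpq -np` into Peer records."""
    peers: List[Peer] = []
    for line in text.splitlines():
        body = line.lstrip()
        # skip blank lines, the echoed command, the header row and the rule
        if not body or "ntpq" in body or body.startswith(("remote", "=")):
            continue
        tally, rest = (line[0], line[1:]) if line[0] in TALLY_CODES else (" ", line)
        fields = rest.split()
        # remote refid st t when poll reach delay offset jitter -> 10 columns
        if len(fields) < 10:
            continue
        peers.append(Peer(
            tally=tally,
            remote=fields[0],
            refid=fields[1],
            stratum=int(fields[2]),
            kind=fields[3],
            reach=int(fields[6], 8),
            offset_ms=float(fields[8]),
        ))
    return peers


def unreachable_peers(peers: List[Peer]) -> List[str]:
    """Peers that answered none of the last eight polls (reach column 0)."""
    return [p.remote for p in peers if p.reach == 0]


def assess(peers: List[Peer]) -> Tuple[str, Optional[Peer]]:
    """Return (state, system_peer).

    'no_peer'     nothing selected, the clock is not disciplined at all
    'local_only'  the selected peer is the 127.127.1.x local clock, i.e.
                  the host is free-running (the failure in this thread)
    'unreachable' the selected peer has stopped answering
    'ok'          disciplined by a real upstream server
    """
    sys_peer = next((p for p in peers if p.tally == "*"), None)
    if sys_peer is None:
        return "no_peer", None
    if sys_peer.kind == "l" or sys_peer.refid == ".LOCL.":
        return "local_only", sys_peer
    if sys_peer.reach == 0 or sys_peer.refid == ".INIT.":
        return "unreachable", sys_peer
    return "ok", sys_peer


# Sample listings copied from the thread (whitespace re-aligned).
WITH_GOOGLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.1     .LOCL.          10 l   10   64   37    0.000    0.000   0.000
*216.239.35.12   .GOOG.           1 u    1   32    1  187.033   15.917   0.151
"""

WITH_FMC_BROKEN = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.0.0.2       .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.1     .LOCL.          10 l   62   64  377    0.000    0.000   0.000
"""

AFTER_RESET = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       45.33.84.208     3 u    9   64  273    0.660    3.817   0.578
 127.127.1.1     .LOCL.          10 l  764   64    0    0.000    0.000   0.000
"""

if __name__ == "__main__":
    for name, sample in [("with google", WITH_GOOGLE),
                         ("with FMC (broken)", WITH_FMC_BROKEN),
                         ("after reset", AFTER_RESET)]:
        peers = parse_ntpq(sample)
        state, peer = assess(peers)
        print(f"{name:18s} -> {state:12s} sys peer: {peer.remote if peer else '-':14s}"
              f" unreachable: {unreachable_peers(peers)}")
```

On the broken listing the verdict is `local_only`, because the only selected peer is the stratum-10 local clock while 127.0.0.2 (the FMC-provided server) still shows `.INIT.` and a reach of 0; after the reset the same 127.0.0.2 peer is selected with a real upstream refid and stratum 3, which is what FMC and the FTD need to agree on time.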


Cisco does not recommend using FMC as an NTP server. It is best to have both FMC and your managed sensors reference an authoritative (stratum 2 or better) NTP server.

 

By the way, when pinging from an FTD device, use the "ping system" command to make sure it uses the management interface. Otherwise it will try to use a data interface, which may not yet have a route set up.

I can just confirm this: I had this exact problem, and changing to another NTP server with a better stratum resolved my issue.

br, Micke