Thanks Marvin for the quick revert.

If i understood correctly, the below command to be applied on FMC, right ? So this will make an impact on all the FTDs connected on this FMC.

Since all FTD's carrying production traffic, I just want to test only in one FTD to confirm whether the ntpd restart will resolve my Time mismatch issue between FTD and FMC. 

Let  me know u need any further details. Thanks

You run the command on any FMC, FTD device, Firepower service module or classic Firepower device where you need to restart the daemon.

Running it on any one of them (even the FMC) does not affect any others.

Generally it's not recommended to use FMC as the NTP server for your managed devices. Best practice is to use a more authoritative source for all of them (i.e., something Stratum 1 or close to it).

I had applied this command on FTD - sudo pmtool restartbyid ntpd

But still the NTP details shown as below (203.0.113.126, instead of 10.255.x.x),

> show ntp
NTP Server : 203.0.113.126
Status : Being Used
Offset : -0.003 (milliseconds)
Last Update : 53 (seconds)

> expert
admin@ABCFW1:/opt/bootcli/cisco/cli/bin$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*203.0.113.126 10.255.x.x 3 u 18 64 377 0.078 -0.003 0.006

Can you show me the NTP setting in FMC that deployed to your FTD appliance?

It can be seen at:

Devices > Platform Settings > (Select and edit the setting that's deployed to your device) > Time Synchronization

Set My Clock :   Via NTP from Management Center

What model is the managed device that has the incorrect setting?

It's generally not recommended to use FMC as an NTP server as it will typically be relatively unstable for that purpose (and a higher stratum than any dedicated ntp server).

Hi Marvin,

As requested below,

> show version
------------------[  ]-------------------
Model : Cisco Firepower 4110 Threat Defense (76) Version 6.2.3.6 (Build 37)

We have more than 20+ FTD's connected across multiple FMC's and all were having with the same issue.

So when FMC is not recommended to use as NTP server, is it suggested to use a dedicated NTP for FTDs (Via NTP from) ?

Thanks in advance. 

On the 4100 and 9300 series, the NTP server is not set via Firepower Management Center (FMC).

It is set from the Firepower Chassis Manager (FCM):

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/web-guide/b_GUI_FXOS_ConfigGuide_221/platform_settings.html#task_B9A4594C97FC438487ECCD3FC9D17A12

Hi Marvin,

I had tried the changes per you suggested, but still getting the same (refer below).

a) Firepower Chassis Manager and FMC configured with same NTP. (Screenshot attached)

b) FTD's NTP configured as Firepower Chassis manager IP. (Screenshot attached)

> show ntp
NTP Server : Managing DC
Status : Being Used
Offset : -0.001 (milliseconds)
Last Update : 46 (seconds)

>
> expert
admin@FW1:/opt/bootcli/cisco/cli/bin$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*203.0.113.126 10.x.89.20 3 u 61 64 377 0.083 -0.001 0.007

Thanks,

Your latest screenshot shows the FTD device synchronized to 10.x.89.20. Isn't that what you wanted?

Hi Marvin,

Even my first post also shows an similar output.

The issue still persists. The time still not matches between the FTD and FCM, there's a time difference of 2 hours (refer below).

Firepower Chassis Manager :-

                FW1-A# show clock
                Wed Jun 12 08:43:18 CEST 2019

FTD :-

             > show time
             UTC - Wed Jun 12 06:43:55 UTC 2019

Thanks

The cli of FTD will always show UTC timezone.

It does not affect the user-facing aspects such as event timestamps etc. See confirmation from @yogdhanu Here:

https://community.cisco.com/t5/firepower/ftd-2100-ntp-timezone-issue/td-p/3371929

If you want to set timzeone on FCM to also use UTC you can do it as described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/firepower-chassis-manager.html#id_56427

Time zones are distinct from NTP. NTP synchronization will always reflect UTC and any time zone setting is strictly local to the device.

Sorry for the late response.

"It does not affect the user-facing aspects such as event timestamps etc"

I was not able to follow the above statement. Since FTD uses UTC, the timestamps on the logs received on Syslog server is 2 hours late than the local time. Hence, our external real-time security scanner doesn't process these logs (any logs late more than 5 mins will not be processed) as the timestamp says its 2 hours old than the local time.

In my setup - on FTD (under platform settings) NTP configured as Firepower Chassis Manager IP with default UTC timezone (this is 2 hours behind the local time).

On FCM, NTP configured as external NTP with local timezone. So if i change the timezone in FCM, the timestamp here also

will be 2 hours behind the local time.

How i can get the FTD logs on syslog with Local timezone ??/

Thanks in advance.