Solved: FTD Daemon(service) restart

John500 · ‎06-06-2019

Hi,

How can i restart the ntpd Daemon in FTD ?

Should I do it from FMC cli or direct from FTD cli ?

The FMC is used to manage many FTDs, so how do i restart the service in just one FTD ?

Thanks in advance.

Marvin Rhoads · ‎06-25-2019

FTD-generated syslog messages will be timestamped with either legacy or RFC 5424 format (according to platform settings applied to the managed device).

That is noted in the FMC configuration guide:

Select the Timestamp Format for the syslog message:
• The Legacy (MMM dd yyyy HH:mm:ss) format is the default format for syslog messages.
When this timestamp format is selected, the messages do not indicate the time zone, which is always UTC.
• RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) uses the ISO 8601 timestamp format as specified in the RFC 5425 syslog
format.
If you select the RFC 5424 format, a “Z” is appended to the end of each timestamp to indicate that the timestamp
uses the UTC time zone.

You cannot change them to make the syslog messages reflect a different timezone. Perhaps if you use RFC 5424 format your target system can interpret the "Z" which denotes "Zulu" or UTC (GMT) time zone and adjust it's intake accordingly.

I did confirm with a packet capture that change does reflect in the syslog messages.

The FMC displays (Connection Events etc.) will show time adjusted to match the User Preferences of the currently logged in user. All event storage and processing however is done using UTC time.

View solution in original post

Marvin Rhoads · ‎06-06-2019

From the device cli in expert mode:

sudo pmtool restartbyid ntpd

Reference:

https://www.cisco.com/c/en_intl/support/docs/security/firesight-management-center/118626-technote-firesight-00.html#anc10

John500 · ‎06-06-2019

Thanks Marvin for the quick revert.

If i understood correctly, the below command to be applied on FMC, right ? So this will make an impact on all the FTDs connected on this FMC.

Since all FTD's carrying production traffic, I just want to test only in one FTD to confirm whether the ntpd restart will resolve my Time mismatch issue between FTD and FMC.

Let me know u need any further details. Thanks

Marvin Rhoads · ‎06-06-2019

You run the command on any FMC, FTD device, Firepower service module or classic Firepower device where you need to restart the daemon.

Running it on any one of them (even the FMC) does not affect any others.

Generally it's not recommended to use FMC as the NTP server for your managed devices. Best practice is to use a more authoritative source for all of them (i.e., something Stratum 1 or close to it).

John500 · ‎06-06-2019

I had applied this command on FTD - sudo pmtool restartbyid ntpd

But still the NTP details shown as below (203.0.113.126, instead of 10.255.x.x),

> show ntp
NTP Server : 203.0.113.126
Status : Being Used
Offset : -0.003 (milliseconds)
Last Update : 53 (seconds)

> expert
admin@ABCFW1:/opt/bootcli/cisco/cli/bin$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*203.0.113.126 10.255.x.x 3 u 18 64 377 0.078 -0.003 0.006

Marvin Rhoads · ‎06-06-2019

Can you show me the NTP setting in FMC that deployed to your FTD appliance?

It can be seen at:

Devices > Platform Settings > (Select and edit the setting that's deployed to your device) > Time Synchronization

John500 · ‎06-06-2019

Set My Clock : Via NTP from Management Center

Marvin Rhoads · ‎06-07-2019

What model is the managed device that has the incorrect setting?

It's generally not recommended to use FMC as an NTP server as it will typically be relatively unstable for that purpose (and a higher stratum than any dedicated ntp server).

John500 · ‎06-07-2019

Hi Marvin,

As requested below,

> show version
------------------[ ]-------------------
Model : Cisco Firepower 4110 Threat Defense (76) Version 6.2.3.6 (Build 37)

We have more than 20+ FTD's connected across multiple FMC's and all were having with the same issue.

So when FMC is not recommended to use as NTP server, is it suggested to use a dedicated NTP for FTDs (Via NTP from) ?

Thanks in advance.

Marvin Rhoads · ‎06-07-2019

On the 4100 and 9300 series, the NTP server is not set via Firepower Management Center (FMC).

It is set from the Firepower Chassis Manager (FCM):

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/web-guide/b_GUI_FXOS_ConfigGuide_221/platform_settings.html#task_B9A4594C97FC438487ECCD3FC9D17A12

John500 · ‎06-11-2019

Hi Marvin,

I had tried the changes per you suggested, but still getting the same (refer below).

a) Firepower Chassis Manager and FMC configured with same NTP. (Screenshot attached)

b) FTD's NTP configured as Firepower Chassis manager IP. (Screenshot attached)

> show ntp
NTP Server : Managing DC
Status : Being Used
Offset : -0.001 (milliseconds)
Last Update : 46 (seconds)

>
> expert
admin@FW1:/opt/bootcli/cisco/cli/bin$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*203.0.113.126 10.x.89.20 3 u 61 64 377 0.083 -0.001 0.007

Thanks,

Marvin Rhoads · ‎06-11-2019

Your latest screenshot shows the FTD device synchronized to 10.x.89.20. Isn't that what you wanted?

John500 · ‎06-11-2019

Hi Marvin,

Even my first post also shows an similar output.

The issue still persists. The time still not matches between the FTD and FCM, there's a time difference of 2 hours (refer below).

Firepower Chassis Manager :-

FW1-A# show clock
Wed Jun 12 08:43:18 CEST 2019

FTD :-

> show time
UTC - Wed Jun 12 06:43:55 UTC 2019

Thanks

Marvin Rhoads · ‎06-12-2019

The cli of FTD will always show UTC timezone.

It does not affect the user-facing aspects such as event timestamps etc. See confirmation from @yogdhanu Here:

https://community.cisco.com/t5/firepower/ftd-2100-ntp-timezone-issue/td-p/3371929

If you want to set timzeone on FCM to also use UTC you can do it as described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/firepower-chassis-manager.html#id_56427

Time zones are distinct from NTP. NTP synchronization will always reflect UTC and any time zone setting is strictly local to the device.

John500 · ‎06-25-2019

Sorry for the late response.

"It does not affect the user-facing aspects such as event timestamps etc"

I was not able to follow the above statement. Since FTD uses UTC, the timestamps on the logs received on Syslog server is 2 hours late than the local time. Hence, our external real-time security scanner doesn't process these logs (any logs late more than 5 mins will not be processed) as the timestamp says its 2 hours old than the local time.

In my setup - on FTD (under platform settings) NTP configured as Firepower Chassis Manager IP with default UTC timezone (this is 2 hours behind the local time).

On FCM, NTP configured as external NTP with local timezone. So if i change the timezone in FCM, the timestamp here also

will be 2 hours behind the local time.

How i can get the FTD logs on syslog with Local timezone ??/

Thanks in advance.