FTD: NTP not working on data interface

Leon1
Level 1

Hello!

 

In Firepower Threat Defense Device Manager you can configure two things:

#1: NTP Servers to use

#2: Management interface: use data interface

 

I configured an Identity Realm which works fine on the data interface, but not the NTP. The NTP Service is not working over the data interface in my environment. I am using standard NTP pool servers, nothing special.

 

I figured out that the implementation does not support using the data interface for contacting the NTP servers. It seems so. I looked in the log files and found this:

 

2018-01-31 10:35:44 ntpd[<PID>]: Error resolving 0.pool.ntp.org: Name or service not known (-2)
2018-01-31 10:35:44 ntpd[<PID>]: 31 Jan 10:35:43 ntpdate[5165]: Can't find host 0.pool.ntp.org: Name or service not known (-2)
2018-01-31 10:35:44 ntpd[<PID>]: 31 Jan 10:35:43 ntpdate[5165]: no servers can be used, exiting
2018-01-31 10:35:46 ntpd[<PID>]: Found AF_INET 192.168.45.45 on interface br1 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf.pm line 962.
2018-01-31 10:35:46 ntpd[<PID>]: Using interface br1 at /ngfw/usr/local/sf/bin/ntpd.pl line 229.

 

I checked ifconfig and confirmed br1 is the management interface.

 

So I dug into the file "/ngfw/usr/local/sf/bin/ntpd.pl" and found the part that selects the interface used to communicate with the NTP servers. I found this code part:

 

    #This needs some update - probably this interface should be configurable
    #Actually the only thing it does - it prevents ntpd usage of wild binding overall.
    my $mgmt      = SF::Util::get_management_interface();
    my $mgmt_ipv4 = SF::NetworkConf::getManagementInterface4proto("AF_INET");
    if($mgmt_ipv4)
    {
        warn "Using interface $mgmt_ipv4";
        $mgmt = $mgmt_ipv4;
    }


It seems to be an open development. Can anybody confirm my understanding?

 

I also tried to run an NTP server on the Identity Realm server, as I am sure it is reachable, but this does not work either.

 

Also, when I use "show ntp" or "system support ntp" it shows me the following:

"NTP not configured on this system.
Please configure and apply System Policy from managing Defense Center."

 

When I repeat the commands, I get a different result, like this:

 

> system support ntp
NTP not configured on this system.
Please configure and apply System Policy from managing Defense Center.

> system support ntp
NTP Server                : 2a02:c205:2009:8290::1  (2009)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 138.201.135.108  (srv23.globale-gruppe.com)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 192.168.2.8  (Cannot Resolve)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

Results of 'ntpq -pn'
remote                    : 192.168.2.8
refid                     : .INIT.
st                        : 16
t                         : u
when                      : -
poll                      : 64
reach                     : 0
delay                     : 0.000
offset                    : 0.000
jitter                    : 0.000

remote                    : 138.201.135.108
refid                     : .INIT.
st                        : 16
t                         : u
when                      : -
poll                      : 64
reach                     : 0
delay                     : 0.000
offset                    : 0.000
jitter                    : 0.000

remote                    : 2a02:c205:2009:
refid                     : .INIT.
st                        : 16
t                         : u
when                      : -
poll                      : 64
reach                     : 0
delay                     : 0.000
offset                    : 0.000
jitter                    : 0.000

Results of ntpq -c 'rv'
associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart,
version="ntpd 4.2.8p9@1.3265-o Thu Aug 31 18:55:42 UTC 2017 (1)",
processor="x86_64", system="Linux/3.10.62-ltsi-WR6.0.0.29_standard",
leap=11, stratum=16, precision=-21, rootdelay=0.000, rootdisp=0.540,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
clock=de1c2a58.eeea0404  Wed, Jan 31 2018 11:43:20.933, peer=0, tc=3,
mintc=3, offset=0.000000, frequency=-66.082, sys_jitter=0.000000,
clk_jitter=0.000, clk_wander=0.000

Results of 'ntpq -c as'
ind                       : 1
assid                     : 13403
/ngfw/usr/bin/ntpq: read: Connection refused
/ngfw/usr/bin/ntpq: read: Connection refused
/ngfw/usr/bin/ntpq: read: Connection refused
status                    : 8011
conf                      : yes
reach                     : no
auth                      : none
condition                 : reject
last_event                : mobilize
cnt                       : 1

Results of /ngfw/usr/bin/ntpq -c "rv "

ind                       : 2
assid                     : 13404
status                    : 8011
conf                      : yes
reach                     : no
auth                      : none
condition                 : reject
last_event                : mobilize
cnt                       : 1

Results of /ngfw/usr/bin/ntpq -c "rv "

ind                       : 3
assid                     : 13405
status                    : 8011
conf                      : yes
reach                     : no
auth                      : none
condition                 : reject
last_event                : mobilize
cnt                       : 1

Results of /ngfw/usr/bin/ntpq -c "rv "

>
> show ntp
NTP Server                : 2a01:4f8:210:5323::2  (210)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 89.163.241.149  (jdtec.eu)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 192.168.2.8
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

What can I do to get the NTP running without using the management interface?

 

Cheers

Leon
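The `ntpq -pn` peer table quoted above carries the whole diagnosis in three fields: `reach` is an octal shift register of the last eight polls (0 means no reply at all), `st` 16 means the peer is unsynchronised, and `refid .INIT.` means the association never received a packet. The following script is an added example, not code from the thread or from Cisco; it parses both the key/value layout that `system support ntp` prints and the plain tabular `ntpq -pn` layout, and flags every peer that has never answered. The sample outputs embedded in it are constructed from the post above with shortened values.

```python
"""Triage helper for ntpq -pn peer tables (constructed example, not Cisco code)."""
import re

FIELDS = ["remote", "refid", "st", "t", "when", "poll", "reach", "delay", "offset", "jitter"]
TALLY = "*+-#x.o "   # peer-status tally codes ntpq prints in column 0 of the table

# Constructed sample in the layout 'system support ntp' printed in the post above.
SAMPLE_FTD = """\
Results of 'ntpq -pn'
remote                    : 192.168.2.8
refid                     : .INIT.
st                        : 16
t                         : u
when                      : -
poll                      : 64
reach                     : 0
delay                     : 0.000
offset                    : 0.000
jitter                    : 0.000

remote                    : 138.201.135.108
refid                     : .INIT.
st                        : 16
t                         : u
when                      : -
poll                      : 64
reach                     : 0
delay                     : 0.000
offset                    : 0.000
jitter                    : 0.000
"""

# Constructed sample of plain 'ntpq -pn' output: one healthy peer, one dead peer.
SAMPLE_TABULAR = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.1      2 u   37   64  377    1.234   -0.412   0.087
 192.168.2.8     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def _parse_kv(text):
    """Parse 'key : value' blocks; a blank line or a new 'remote' line starts a new peer."""
    peers, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if not m or (m.group(1) == "remote" and cur):
            if cur:
                peers.append(cur)
            cur = {}
        if m:
            cur[m.group(1)] = m.group(2)
    if cur:
        peers.append(cur)
    return peers


def _parse_tabular(text):
    """Parse the standard ntpq table, dropping the single tally character in column 0."""
    peers = []
    for line in text.splitlines():
        if line and line[0] in TALLY:
            line = line[1:]
        fields = line.split()
        if len(fields) != len(FIELDS) or fields[0] == "remote":
            continue   # header, separator or blank line
        peers.append(dict(zip(FIELDS, fields)))
    return peers


def parse_peers(text):
    """Detect which layout we were given and return a list of peer dicts."""
    if re.search(r"^\s*remote\s*:", text, re.M):
        return _parse_kv(text)
    return _parse_tabular(text)


def assess_peer(peer):
    """Return (healthy, reasons) for one peer dict."""
    reasons = []
    raw = peer.get("reach", "0")
    reach = int(raw, 8) if raw.isdigit() else 0   # reach is printed in octal
    if reach == 0:
        reasons.append("no reply to any of the last 8 polls (reach=0)")
    elif reach != 0o377:
        reasons.append(f"intermittent replies (reach={raw})")
    if peer.get("refid") == ".INIT.":
        reasons.append("association never initialised (refid=.INIT.)")
    st = peer.get("st", "")
    if not st.isdigit() or int(st) >= 16:
        reasons.append(f"peer is unsynchronised (st={st or '?'})")
    return (not reasons, reasons)


def ntp_health(text):
    """Map each peer's remote address to its (healthy, reasons) verdict."""
    return {p["remote"]: assess_peer(p) for p in parse_peers(text)}


def all_peers_dead(text):
    """True when no configured peer has ever answered: the symptom in the thread, where
    ntpd was bound to the management interface (br1) and the pool servers were only
    reachable through the data interface."""
    report = ntp_health(text)
    return bool(report) and all(
        any(r.startswith("no reply") for r in reasons) for _, reasons in report.values())


if __name__ == "__main__":
    for sample in (SAMPLE_FTD, SAMPLE_TABULAR):
        for remote, (ok, reasons) in ntp_health(sample).items():
            print(f"{remote:20} {'OK' if ok else 'PROBLEM':8} {'; '.join(reasons)}")
        print("all peers dead:", all_peers_dead(sample))
```

When every peer comes back with `reach=0`, `.INIT.` and stratum 16 at once, the problem is almost never the servers themselves but the path: the daemon is sending from an address or interface that cannot reach them, which is exactly what the `Using interface br1` line in the log above reveals. A partial `reach` value (anything between 0 and 377) points instead at packet loss or an intermittent filter.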

5 Replies

ledzepp817
Level 1

Hey Leon,

 

Did you ever get this figured out? I am having the same issue.

No. NTP is still grey in Device Manager. I am unable to achieve anything. Not by CLI or GUI.

Tim Lillis
Level 1

It must be a bug, I have the same issue.

Crushgeek
Level 1

In the Firepower Device Manager, under Device > System Settings > Management Interface, select "Use Unique Gateways for the Management Interface" and enter the inside gateway address (e.g. 192.168.1.1).

 

Enjoy!

 

Frank

It is fixed in the current FTD build.
