01-31-2018 03:47 AM - edited 02-21-2020 07:14 AM
Hello!
In Firepower Threat Defense Device Manager you can configure two things:
#1: NTP Servers to use
#2: Management interface: use data interface
I configured an Identity Realm which works fine on the data interface, but not the NTP. The NTP Service is not working over the data interface in my environment. I am using standard NTP pool servers, nothing special.
I figured out that the implementation does not support using the data interface for contacting the NTP servers, or so it seems. I looked in the log files and found this:
2018-01-31 10:35:44 ntpd[<PID>]: Error resolving 0.pool.ntp.org: Name or service not known (-2)
2018-01-31 10:35:44 ntpd[<PID>]: 31 Jan 10:35:43 ntpdate[5165]: Can't find host 0.pool.ntp.org: Name or service not known (-2)
2018-01-31 10:35:44 ntpd[<PID>]: 31 Jan 10:35:43 ntpdate[5165]: no servers can be used, exiting
2018-01-31 10:35:46 ntpd[<PID>]: Found AF_INET 192.168.45.45 on interface br1 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf.pm line 962.
2018-01-31 10:35:46 ntpd[<PID>]: Using interface br1 at /ngfw/usr/local/sf/bin/ntpd.pl line 229.
I checked ifconfig and confirmed br1 is the management interface.
So I dug into the file "/ngfw/usr/local/sf/bin/ntpd.pl" and found the part that selects the interface used to communicate with the NTP servers. I found this code part:
    # This needs some update - probably this interface should be configurable
    # Actually the only thing it does - it prevents ntpd usage of wild binding overall.
    my $mgmt = SF::Util::get_management_interface();
    my $mgmt_ipv4 = SF::NetworkConf::getManagementInterface4proto("AF_INET");
    if ($mgmt_ipv4) {
        warn "Using interface $mgmt_ipv4";
        $mgmt = $mgmt_ipv4;
    }
It seems to be an open development. Can anybody confirm my understanding?
I also tried to run an NTP server on the Identity Realm server, as I am sure it is reachable, but this does not work either.
Also, when I use "show ntp" or "system support ntp", it shows me the following:
"NTP not configured on this system.
Please configure and apply System Policy from managing Defense Center."
When I repeat the commands, I get a different result, like this:
    > system support ntp
    NTP not configured on this system.
    Please configure and apply System Policy from managing Defense Center.

    > system support ntp
    NTP Server  : 2a02:c205:2009:8290::1 (2009)
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)

    NTP Server  : 138.201.135.108 (srv23.globale-gruppe.com)
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)

    NTP Server  : 192.168.2.8 (Cannot Resolve)
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)

    Results of 'ntpq -pn'
    remote : 192.168.2.8
    refid  : .INIT.
    st     : 16
    t      : u
    when   : -
    poll   : 64
    reach  : 0
    delay  : 0.000
    offset : 0.000
    jitter : 0.000

    remote : 138.201.135.108
    refid  : .INIT.
    st     : 16
    t      : u
    when   : -
    poll   : 64
    reach  : 0
    delay  : 0.000
    offset : 0.000
    jitter : 0.000

    remote : 2a02:c205:2009:
    refid  : .INIT.
    st     : 16
    t      : u
    when   : -
    poll   : 64
    reach  : 0
    delay  : 0.000
    offset : 0.000
    jitter : 0.000

    Results of ntpq -c 'rv'
    associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart,
    version="ntpd 4.2.8p9@1.3265-o Thu Aug 31 18:55:42 UTC 2017 (1)",
    processor="x86_64", system="Linux/3.10.62-ltsi-WR6.0.0.29_standard", leap=11,
    stratum=16, precision=-21, rootdelay=0.000, rootdisp=0.540, refid=INIT,
    reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
    clock=de1c2a58.eeea0404  Wed, Jan 31 2018 11:43:20.933, peer=0, tc=3, mintc=3,
    offset=0.000000, frequency=-66.082, sys_jitter=0.000000, clk_jitter=0.000,
    clk_wander=0.000

    Results of 'ntpq -c as'
    ind        : 1
    assid      : 13403
    /ngfw/usr/bin/ntpq: read: Connection refused
    /ngfw/usr/bin/ntpq: read: Connection refused
    /ngfw/usr/bin/ntpq: read: Connection refused
    status     : 8011
    conf       : yes
    reach      : no
    auth       : none
    condition  : reject
    last_event : mobilize
    cnt        : 1
    Results of /ngfw/usr/bin/ntpq -c "rv "

    ind        : 2
    assid      : 13404
    status     : 8011
    conf       : yes
    reach      : no
    auth       : none
    condition  : reject
    last_event : mobilize
    cnt        : 1
    Results of /ngfw/usr/bin/ntpq -c "rv "

    ind        : 3
    assid      : 13405
    status     : 8011
    conf       : yes
    reach      : no
    auth       : none
    condition  : reject
    last_event : mobilize
    cnt        : 1
    Results of /ngfw/usr/bin/ntpq -c "rv "
    >

    > show ntp
    NTP Server  : 2a01:4f8:210:5323::2 (210)
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)

    NTP Server  : 89.163.241.149 (jdtec.eu)
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)

    NTP Server  : 192.168.2.8
    Status      : Unknown
    Offset      : 0.000 (milliseconds)
    Last Update : - (seconds)
What can I do to get the NTP running without using the management interface?
Cheers
Leon
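The "Results of 'ntpq -pn'" block that FTD prints is a plain key : value dump, so the unsynced state shown above (stratum 16, refid .INIT., reach 0) is easy to pick out automatically. The following is an added example, not part of the original post or of any Cisco tooling; the sample records are constructed in the same layout and the peer addresses in them are made up.

```python
# Constructed sample in the layout FTD's "system support ntp" uses for ntpq -pn
# (mirrors the records in the post above; not live output from any device).
SAMPLE_NTPQ_SECTION = """\
remote : 192.168.2.8
refid : .INIT.
st : 16
t : u
when : -
poll : 64
reach : 0
delay : 0.000
offset : 0.000
jitter : 0.000

remote : 10.0.0.5
refid : 10.0.0.1
st : 2
t : u
when : 45
poll : 64
reach : 377
delay : 1.234
offset : -0.512
jitter : 0.201
"""

def parse_peers(text):
    """Split the key : value dump into one dict per 'remote' record.
    Splitting on the first ':' keeps IPv6 remotes such as 2a02:c205:... intact."""
    peers, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "remote":
            current = {}
            peers.append(current)
        if current is not None:
            current[key] = value
    return peers

def peer_health(peer):
    """ntpd marks a never-reached server with stratum 16, refid .INIT. and
    an all-zero reach register; reach is an octal 8-poll shift register."""
    reach = int(peer.get("reach", "0"), 8)
    stratum = int(peer.get("st", "16"))
    if reach == 0 or stratum >= 16 or peer.get("refid") == ".INIT.":
        return "unreachable"
    return "ok" if reach == 0o377 else "degraded"  # degraded: missed polls

def unsynced_peers(text):
    """Remotes that should raise an alert, e.g. from a monitoring job."""
    return [p["remote"] for p in parse_peers(text) if peer_health(p) != "ok"]
```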
02-19-2018 11:14 AM
Hey Leon,
Did you ever get this figured out? I am having the same issue.
02-22-2018 05:51 AM
02-20-2018 12:11 PM
It must be a bug; I have the same issue.
05-29-2018 09:13 PM
In the Firepower Device Manager, under Device > System Settings > Management Interface, select "Use Unique Gateways for the Management Interface" and enter the inside gateway address (e.g. 192.168.1.1).
Enjoy!
Frank
06-21-2018 01:54 AM
It is fixed in the current FTD build.