Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
911
Views
2
Helpful
10
Replies

how to add NTP server on firepower :FPR1120-NGFW-K9

suruchigupta555
Level 1
Level 1

‎09-13-2024 05:32 AM

my  FTD is not connected with FMC and is showing a pending state. checked on my FTD , the time was showing wrong and NTP server was also not Sync

# show ntp

NTP Overall Time-Sync Status: Ntp Config Failed

please help me removing my current NTP server and re add it on my FPR1120 running on FTD code using CLI, as I dont have GUI access.

0 Helpful
10 Replies 10

MHM Cisco World
VIP
VIP

‎09-13-2024 05:40 AM

One by one I think ftd 1120 sync with fmc for NTP not direct 

And for pending between ftd and fmc 

You use data interface?

Any of device behind NAT?

MHM

0 Helpful

suruchigupta555
Level 1
Level 1
In response to MHM Cisco World

‎10-04-2024 02:54 AM

yes, we are using data interface to configure manager of FTD, I tried to remove and re-add the manager but it didnt help. 

0 Helpful

Aref Alsouqi
VIP
VIP

‎09-13-2024 08:42 AM

Can you ping the FMC from the FTD? if you didn't try this please issue the command "ping system < the FMC IP address >" from the FTD CLISH mode and see if you get any replies. If so, I would suggest to check the /var/log/messages file from the FTD in expert mode and see if there is anything flagged that would suggest what the issue could be. Also, you can run some packet capture on the FMC to see if it actually receives any traffic from the FTD on port 8305/tcp which is the port used to establish the sftunnel. Please check this post of mine that shows you how to do it:

Packet Capture in FMC | Blue Network Security (bluenetsec.com)

Usually we see the pending state on the FTD until it is added and registered to the FMC, did you add the FTD on the FMC?

Regarding configuring NTP directly from FTD CLI, I don't believe that is possible unless you want to try to go into expert mode and try to edit the ntp.conf file located into /etc/ directory, and then restart the NTP services.

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-13-2024 10:48 AM

Does "show time" from the cli at least have something close to correct? If not then you may need to go into expert mode and correct at as @Aref Alsouqi suggested.

It should not affect the ability to register unless it's so far off that the certificate pushed from FMC during registration isn't parsed as valid.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Marvin Rhoads

‎09-13-2024 11:00 AM

@Aref Alsouqi @Marvin Rhoads  please check link below ' the ftd 1k/2k ntp config only via fmc' 

If it can via cli' please share command to do that 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215468-configure-verify-and-troubleshoot-netwo.html#toc-hId-1997286687

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎09-13-2024 11:12 AM

The steps in 4c and following at this link: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118626-technote-firesight-00.html describe how the ntp.conf file looks. By the way, it is located in /ngfw/etc in newer platforms (7.x+).

Using that a a basis, it can potentially be modified (although this should only be a last resort as the time should not drift much even if NTP is not working).

MHM Cisco World
VIP
VIP
In response to Marvin Rhoads

‎09-13-2024 12:49 PM

This for firesight' I make check abd in start guide of 1100 series you can set ntp server.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc.html

Maybe this what he looking for

MHM

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎09-14-2024 07:35 PM

The method in the GSG could be used if one switches back to a locally managed (FDM) mode.

MHM Cisco World
VIP
VIP

‎09-15-2024 12:36 AM

5. Time Difference Between FTD and FMC

The FTD-FMC communication is sensitive to time differences between the 2 devices. It is a design requirement to have FTD and FMC synchronized by the same NTP server.

Specifically, when the FTD is installed on a platform like 41xx or 93xx it takes its time settings from the parent chassis (FXOS).



Recommended Action

Ensure that the chassis manager (FCM) and the FMC use the same time source (NTP server)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

I dont think it NTP mismatch issue but maybe I am wrong 

MHM

0 Helpful

shariri
Cisco Employee
Cisco Employee

‎10-08-2024 04:36 PM

To get more detailed information regarding NTP configuration, please log in on FTD CLI :

>show support ntp

>show ntp

expert >> sudo su >> 
#cat /etc/ntp.conf

#ntp q

You can check the NTP server's reachability from expert mode if using FQDN please make sure the DNS resolve is working.

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card