How to change NTP server and DNS on FTD?

sam cook
Spotlight

Hi,

 

I have an issue with changing NTP and DNS values on my HA of FTD2110.

 

The 2 FTDs are connected to my FMC.

 

I could not find how to change the NTP servers or the DNS servers.

 

> show ntp
NTP Server : 127.127.1.1
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 44h (seconds)

NTP Server : 127.0.0.2
Status : Being Used
Offset : 0.238 (milliseconds)
Last Update : 32 (seconds)

 

> show dns
INFO: no activated FQDN
>

 

HELP please 


yogdhanu
Cisco Employee

Hi Sam,

 

You need to change the info from platform settings option under Device section of FMC.

Create a new policy and make changes and assign the FTD in that. Deploy the changes to take effect.

 

You may change the DNS settings in FTD from CLI as well.

In the FTD CLISH mode type "configure network dns servers 4.2.2.2" (example)

Then nslookup and use a hostname to verify.

 

Rate if helps,

Yogesh

 

Hi

Thank you for your help!

 

I added the NTP server (194.2.0.28) but I still see the 127.127.1.1 and my timezone is still wrong.

 

 

2018-03-16_120031.png

Try restarting the daemons after making the changes.

 

Switch to expert mode and use the following commands for DNS and NTP respectively:

 

sudo /etc/rc.d/init.d/nscd restart

sudo /ngfw/usr/bin/ntpd restart 

Hi,

 

Thank you but still the same :(

 

X1.png

Your sensor's ntp is falling back to using localhost (e.g. its own internal clock).

 

Can your sensor reach the configured NTP server on udp/123?

I can ping it, how can I test port 123 UDP?

 

X2.png

You can use ntpq from expert mode and look at the peers to see if the configured server is reachable and providing the ntp service.

 

> show ntp
NTP Server                : 103.16.182.23  (time.unisza.edu.my)
Status                    : Available
Offset                    : -11.995 (milliseconds)
Last Update               : 467 (seconds)

NTP Server                : Managing DC
Status                    : Available
Offset                    : 22.754 (milliseconds)
Last Update               : 61 (seconds)

NTP Server                : Managing DC
Status                    : Being Used
Offset                    : 0.479 (milliseconds)
Last Update               : 578 (seconds)

> expert
admin@vftd-new:~$ ntpq
ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       103.16.182.23    3 u  595 1024  377    5.930    0.479   4.219
+time.unisza.edu 87.120.164.97    2 u  484 1024  367   48.632  -11.995   4.327
+202.45.138.123  202.21.137.10    2 u   78 1024  347   26.536   22.754   4.649
ntpq> 

I can see my NTP server ntp0.oleane.net, but what to do to make it primary:

 

x3.png

It being in ".INIT." status means that it is configured but not reachable (or not serving up ntp).

 

Once it successfully initializes it should report a stratum better than the Stratum 10 that your localhost provides. (Stratum 16 is the default for unknown or no NTP.)
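
The peer-table reading described in the replies above, as an added example that is not part of the original thread: it parses `ntpq` `peers` output and flags servers that are still in `.INIT.`, at stratum 16, or have a reach of 0. The sample is the table posted earlier in the thread plus one constructed unreachable row (192.0.2.10 is a placeholder address), and the function names are hypothetical.

```python
# Constructed sample: the ntpq "peers" table from the thread, plus one
# constructed row for a configured server that has never answered.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       103.16.182.23    3 u  595 1024  377    5.930    0.479   4.219
+time.unisza.edu 87.120.164.97    2 u  484 1024  367   48.632  -11.995   4.327
+202.45.138.123  202.21.137.10    2 u   78 1024  347   26.536   22.754   4.649
 192.0.2.10      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""

# First column of each row is ntpq's tally code for that peer.
TALLY = {"*": "selected", "+": "candidate", "-": "outlier", "x": "falseticker"}


def parse_peers(text):
    """Parse the ntpq 'peers' table into one dict per peer row."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or not fields[2].isdigit():
            continue  # header, separator or blank line
        reach = int(fields[6], 8)  # reach is an octal 8-bit shift register
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": reach,
            "polls_ok": bin(reach).count("1"),  # replies among the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers


def status(peer):
    """Classify a peer: unreachable if it has never produced a usable reply."""
    if peer["reach"] == 0 or peer["stratum"] >= 16 or peer["refid"] == ".INIT.":
        return "unreachable"
    return TALLY.get(peer["tally"], "reachable, not selected")


def report(text):
    return [(p["remote"], status(p), p["polls_ok"]) for p in parse_peers(text)]


if __name__ == "__main__":
    for remote, state, ok in report(SAMPLE):
        print(f"{remote:<18}{state:<26}{ok}/8 polls answered")
```

A peer reported as unreachable here is the case discussed above: the management interface needs udp/123 access to a server that is actually serving NTP.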

 

Okay, thanks for the explanation.

 

Should I add an access policy to allow flow on port UDP 123?

 

Or maybe is it because I'm using management interface to reach the NTP server?

 

Maybe FTD is designed to use only outside or inside interface for NTP?

The ntp queries from your FTD device should originate from the management interface. That source address must have the udp/123 access to the configured and working ntp server.

Can you please help me as I need to change the NTP server on the FTDv.
I have changed the NTP server on the FMC via the GUI but there is no option to edit the FTD, and now I have an out of sync issue.

@G3000LEE did you do as suggested in one of the earlier responses here? i.e.:

"

You need to change the info from platform settings option under Device section of FMC.

Create a new policy and make changes and assign the FTD in that. Deploy the changes to take effect.

"

Sorry, I am very new to FMC/FTD. I am teaching myself this technology using VMs and only started this week.

I found where to change the NTP setting for the FMC on the FMC. But I then run into issues with the FTDs being out of sync with the FMC. I want to change the FMC and all the FTDs to use my home lab NTP server, which is my Cisco switch, so all lab and home hardware are using the same server.

 

I am not advanced enough and don't know what you mean by "Create a new policy and make changes and assign the FTD in that.".

Are you saying I can create an ACP, which will change the FTDs' NTP server settings?
