NTP in ASA cannot work

eigrpy (Level 4)

Hi, can anyone take a look at the commands? Why can NTP in ASA not work? Thank you

 

ASA1(config)# sh run ntp  
ntp server 12.1.1.1 source outside
ASA1(config)# 


ASA1(config)# sh ntp statu
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (00:24:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
 


ASA1(config)# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  down                  down
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  up                    up  
Vlan1                      10.1.1.1        YES manual down                  down
Vlan2                      12.1.1.1        YES manual up                    up  
Virtual0                   127.0.0.1       YES unset  up                    up  
ASA1(config)# 


9 Replies

The command is ok, you don't even need the "source outside". But you have to use the IP address of a public NTP-server like 198.24.147.90 (which is 3.north-america.pool.ntp.org) and not your ASA IP address.
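As an added example (not from the thread and not Cisco's code), a small Python audit that applies the point above to the show output quoted in the question: it parses a constructed sample modelled on that output and flags an "ntp server" that is one of the ASA's own interface addresses, as well as a clock that is still unsynchronized at stratum 16.

```python
import ipaddress
import re

# Constructed sample output, modelled on the show commands quoted in the thread.
SH_RUN_NTP = "ntp server 12.1.1.1 source outside\n"
SH_INT_IP_BRI = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Vlan1                      10.1.1.1        YES manual down                  down
Vlan2                      12.1.1.1        YES manual up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
"""
SH_NTP_STATUS = "Clock is unsynchronized, stratum 16, no reference clock\n"


def configured_ntp_servers(sh_run_ntp):
    """Server addresses from 'ntp server <ip> [source <if>] ...' lines."""
    return re.findall(r"^ntp server (\S+)", sh_run_ntp, re.MULTILINE)


def local_addresses(sh_int_ip_bri):
    """IPv4 addresses assigned to the device's own interfaces ('unassigned' is skipped)."""
    addrs = set()
    for line in sh_int_ip_bri.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 2:
            try:
                addrs.add(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # e.g. 'unassigned'
    return addrs


def ntp_synchronized(sh_ntp_status):
    """True only if the clock reports synchronized with a usable stratum (< 16)."""
    m = re.search(r"Clock is (\w+), stratum (\d+)", sh_ntp_status)
    return bool(m) and m.group(1) == "synchronized" and int(m.group(2)) < 16


def audit_ntp(sh_run_ntp, sh_int_ip_bri, sh_ntp_status):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    servers = configured_ntp_servers(sh_run_ntp)
    local = local_addresses(sh_int_ip_bri)
    if not servers:
        findings.append("no 'ntp server' configured")
    for s in servers:
        if s in local:
            findings.append(f"ntp server {s} is one of this ASA's own interface addresses")
    if not ntp_synchronized(sh_ntp_status):
        findings.append("clock is not synchronized")
    return findings
```

Running audit_ntp on the sample returns two findings: the server 12.1.1.1 is the ASA's own Vlan2 address, and the clock is unsynchronized; pointing "ntp server" at a real time source clears both.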

Thank you so much for your reply. 

With a router, we can set up NTP on the router itself without any connection to another device. So you mean the ASA is different from router IOS in NTP, right? And the ASA cannot have its own NTP system? The ASA that I am talking about is an ASA5505.

You want to configure the ASA to be an NTP-server for other network-devices? No, that's not possible on the ASA. The ASA only has an NTP-client, not an NTP-server as IOS-routers and switches have.

In a lab environment, we can set the ASA as an NTP client without a public IP address, right?

Sometimes we set NTP for certificates in ASA. So NTP is not required for certificates in ASA? Thank you

When you use the NTP-client, you point the ASA to the IP address of an NTP server. That can be a public or a private address. Very often the switched infrastructure is used as the NTP-server.

You can also use the ASA with certificates without NTP. You only need to have a correct time. And using NTP is the easiest way and a best practice to achieve that.

What is the "correct time" that you mentioned? You mean the same time as other devices? If it does not have the correct time, can the certificate process work? Thank you

The definition of "correct time" can depend on what you want to achieve. For certificate-based authentication, the ASA-time has to be within the validity period of the certificate. For that, even when the time is minutes or even hours wrong, it could work.

For logging it's different. There you want to correlate exactly with other sources of information what happened. There you need a very exact time.

All in all, there are enough time-sources that you can use for NTP. If you have one internally, take that. If not, take one on the internet.

Excellent, Thank you!

I try to set up NTP as follows.

I point the Domain Controller out to a pool of NTP servers on the internet.

I then point the Core switch to the Domain Controller for its time.

Then I point all the IDF switches and the ASA to the core switch for NTP.

 

Thanks,

Mike
