NTP on ASA

estelamathew
Level 2

Hello Dears,

Please find the attached

I have configured the core switch as an NTP server on the ASA firewall. The ASA firewall's inside interface is connected to the core switch, and the IP address of the NTP server is in the directly connected subnet between the ASA inside interface and the core switch.

The problem is that time is not synchronizing on the ASA. I have configured the NTP command on the ASA, but it still doesn't show me the IP address of the NTP server in the output below. I don't think I have to apply any access-list for the NTP port, as it is directly connected to the inside interface of the ASA.

sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp

*~127.127.7.1      127.127.7.1       3    62    64  377     0.0    0.00     0.0

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

#sh ntp status

Clock is synchronized, stratum 4, reference is 127.127.7.1

nominal freq is 250.0000 Hz, actual freq is 250.0005 Hz, precision is 2**19

reference time is D0CC5611.8AA15FDF (14:05:05.541 UTC Mon Jan 3 2011)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.02 msec, peer dispersion is 0.02 msec


Jennifer Halim
Cisco Employee

Can you please share the NTP configuration on the ASA and also the NTP configuration on the core switch, as well as "sh clock" from the ASA?

It is recommended that you change the clock settings to be as close as possible to the current time, then synchronise that to the NTP server. That way it will synchronise faster.

Jigar Dave
Level 3

Hello Estela,

First of all, you need to set the clock on both devices, i.e. the ASA and the core switch, to the same time zone (whatever applies for you). Please send the sh clock output of the ASA and the core switch, and the VLAN config of the core switch (sh vlan database).

I fear that if the core switch VLAN is used as the NTP server, then if the core switch needs to restart, all your time sync will fail, which can affect certificates associated with the ASA for different applications.

I can suggest creating one VLAN on the ASA (in a zone), assigning one Linux server to that VLAN, and making that Linux box your NTP server.

- Jigar

Hello Dears,

Now it is showing me the NTP server IP in show ntp association on the firewall, but it is not synchronizing the time. There is a twist I have done, and I hope it is not affecting this: the NTP server for all access switches is 10.164.12.254, which I have for the internal network, BUT for the ASA the NTP server is the directly connected interface IP (10.164.17.2) of the inside interface. These NTP server IPs are not on different devices; both IPs are on the core switch.

Do I have to specify the same NTP server IP for the access switches and the firewall?

ON CORE

#Sh run | b ntp 
ntp logging
ntp clock-period 17179833
ntp source Vlan12
ntp master 4
ntp update-calendar
end

#Sh clock 
09:29:27.990 UTC Tue Jan 4 2011

#sh ntp status
Clock is synchronized, stratum 4, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0005 Hz, precision is 2**19
reference time is D0CD6711.64F24536 (09:29:53.394 UTC Tue Jan 4 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Firewall

# Sh run | b ntp  
ntp server 10.164.17.2 source inside prefer

# sh clock
13:34:44.588 GMT Tue Jan 4 2011


# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.164.17.2      127.127.7.1       4   701  1024  377     1.6    1.39    16.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured


# sh ntp status
Clock is synchronized, stratum 5, reference is 10.164.17.2
nominal freq is 99.9984 Hz, actual freq is 99.9981 Hz, precision is 2**6
reference time is d0cd65c7.b022fcb6 (13:24:23.688 GMT Tue Jan 4 2011)
clock offset is 1.3891 msec, root delay is 1.63 msec
root dispersion is 17.44 msec, peer dispersion is 16.02 msec

Hello Estela,

I can see some errors in your NTP config.

On the core, it is showing 09:29:27.990 UTC Tue Jan 4 2011

On the firewall, it is showing 13:34:44.588 GMT Tue Jan 4 2011

Can you change one of them to the time zone of your region?

This might solve the problem.

- Jigar
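
Added example (not part of any poster's reply and not Cisco code): the hex value after `reference time is` is the raw 64-bit NTP timestamp, which is always UTC, so decoding it separates a real sync failure from a display time-zone difference. The Python below works on lines copied from the outputs posted above; the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP counts seconds from here

# Lines copied from the outputs posted in this thread.
CORE_STATUS = "reference time is D0CD6711.64F24536 (09:29:53.394 UTC Tue Jan 4 2011)"
ASA_STATUS = "reference time is d0cd65c7.b022fcb6 (13:24:23.688 GMT Tue Jan 4 2011)"
ASA_ASSOC = "*~10.164.17.2      127.127.7.1       4   701  1024  377     1.6    1.39    16.0"

REF_RE = re.compile(r"is ([0-9a-fA-F]{8})\.([0-9a-fA-F]{8}) \((\S+) \S+ \w+ (\w+ \d+ \d+)\)")

def decode_reference_time(line):
    """Return (UTC time decoded from the hex timestamp, time as the device printed it)."""
    m = REF_RE.search(line)
    if m is None:
        raise ValueError("no NTP reference timestamp in line")
    secs, frac = int(m.group(1), 16), int(m.group(2), 16)
    # Upper 32 bits: whole seconds since 1900; lower 32 bits: fraction of a second.
    utc = NTP_EPOCH + timedelta(seconds=secs, microseconds=frac * 1_000_000 / 2**32)
    shown = datetime.strptime(f"{m.group(4)} {m.group(3)}", "%b %d %Y %H:%M:%S.%f")
    return utc, shown.replace(tzinfo=timezone.utc)

def display_offset_hours(line):
    """Hours between the printed wall-clock time and the true UTC reference time."""
    utc, shown = decode_reference_time(line)
    return round((shown - utc).total_seconds() / 3600)

def parse_association(line):
    """Parse one 'sh ntp associations' row; reach is an octal 8-poll shift register."""
    fields = line.split()
    peer = fields[0].lstrip("*#+-~")
    flags = fields[0][: len(fields[0]) - len(peer)]
    reach = int(fields[5], 8)
    return {
        "peer": peer,
        "synced_master": "*" in flags,
        "configured": "~" in flags,
        "stratum": int(fields[2]),
        "polls_answered": bin(reach).count("1"),  # out of the last 8
        "offset_ms": float(fields[7]),
    }

if __name__ == "__main__":
    for name, line in (("core", CORE_STATUS), ("asa", ASA_STATUS)):
        utc, _ = decode_reference_time(line)
        print(name, utc.isoformat(), "display offset (h):", display_offset_hours(line))
    print(parse_association(ASA_ASSOC))
```

On the thread's data the ASA reference time decodes to 09:24:23 UTC, four hours behind what the ASA prints, and the association row shows the peer selected as master with all eight recent polls answered.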

Thanks Dear,
