NTP Request Reply takes two minutes

Appliance Model : Cisco ASA 5508-X
Firepower Status : Not used 
ASA Version : 9.16.4

I am having trouble using NTP to synchronize time on port 123. I have set up a custom NTP server that listens to port 122, and I have verified that the synchronization works fine using the nettime client on a Windows machine. However, when I try to sync time on port 123, I encounter issues.

I checked the debug monitor on ASDM and noticed that the request is being made to the specific NTP server, but the reply takes approximately two minutes to show up on the monitor.

To clarify, I am trying to sync time using NTP, but I am only experiencing issues with port 123. I have set up a custom NTP server that works fine on port 122, but the problem arises when I use port 123. I have checked the debug monitor on the ASDM, and I can see that the request is being sent to the NTP server, but the response takes a long time to show up.

To fix this issue, I have checked the network and firewall settings to ensure that they are not causing any delays or blocking NTP traffic on port 123. I have also verified that the NTP server is correctly configured and responding to requests in a timely manner. Additionally, I have tried using a different NTP server and client to see if the issue persists.

Time between request and reply to show up.
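A small SNTP probe like the one below is a quick way to check, from a host behind the firewall, whether a server answers on a given UDP port and how long the reply takes. This is an added example, not code from the thread or from Cisco; the server address and ports are command-line arguments, and the sample reply used for the self-test is constructed in the script, not captured traffic.

```python
"""Minimal SNTP (RFC 4330) probe: build a client request, parse a server reply,
and time how long the reply takes to arrive on a chosen UDP port."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch
# LI/VN/Mode, stratum, poll, precision, then 11 32-bit words
# (root delay, root dispersion, ref id, and four 64-bit timestamps)
NTP_PACKET_FORMAT = "!B B b b 11I"


def build_request(version=4):
    """Return a 48-byte SNTP client (mode 3) request with leap indicator 0."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(NTP_PACKET_FORMAT, li_vn_mode, 0, 0, 0, *([0] * 11))


def parse_reply(data):
    """Decode the header fields and transmit timestamp of a server (mode 4) reply."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    fields = struct.unpack(NTP_PACKET_FORMAT, data[:48])
    li_vn_mode, stratum = fields[0], fields[1]
    tx_secs, tx_frac = fields[13], fields[14]  # transmit timestamp, seconds and fraction
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,  # 0 means a kiss-o'-death packet, not a usable reply
        "transmit_unix": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }


def make_sample_reply(unix_time=1700000000, stratum=2):
    """Constructed mode-4 reply with the given transmit time (test fixture only)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    words = [0] * 11
    words[9] = unix_time + NTP_EPOCH_OFFSET  # transmit timestamp, seconds
    words[10] = 0x80000000                   # transmit timestamp fraction: 0.5 s
    return struct.pack(NTP_PACKET_FORMAT, li_vn_mode, stratum, 6, -20, *words)


def probe(server, port=123, timeout=5.0):
    """Send one request and return the parsed reply plus round-trip time,
    or None if nothing came back within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent = time.monotonic()
        sock.sendto(build_request(), (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        rtt = time.monotonic() - sent
    info = parse_reply(data)
    info["rtt_seconds"] = rtt
    return info


def compare_ports(server, ports=(123, 122), timeout=5.0):
    """Probe the same server on several ports so a port-specific block or delay stands out."""
    return {port: probe(server, port, timeout) for port in ports}


if __name__ == "__main__":
    # usage: python ntp_probe.py <server> [port ...]   (server is a placeholder you supply)
    target = sys.argv[1]
    port_list = tuple(int(p) for p in sys.argv[2:]) or (123, 122)
    for port, result in compare_ports(target, port_list).items():
        if result is None:
            print(f"udp/{port}: no reply within timeout")
        else:
            print(f"udp/{port}: mode {result['mode']} stratum {result['stratum']} "
                  f"rtt {result['rtt_seconds']:.3f}s")
```

A reply that arrives only after minutes, or not at all, on 123 while 122 answers immediately points at the path rather than the server; a stratum of 0 in an otherwise well-formed reply means the server refused service rather than the firewall dropping it.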


Hi @YaqoobKhalid4217 

The teardown in the log must refer to the UDP session and is not related to NTP. But it sounds to me that the firewall is actually handling NTP differently when you use the standard port and is ignoring it when you use a non-standard port.

I would recommend that you add inspection for the NTP service.

Could you explain more? UDP session?
Where do I add the inspection?

The teardown happens because it reached the global timeout value for a UDP connection, which is 2 minutes.

Check it with show run timeout.

I suggested the inspection as a means to allow the NTP connection, but it seems NTP is not available for inspection.

ASA# show run timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

This is what I got.
Do I need to do anything?


timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

The value you see comes from this line.

But no, changing the timeout value will not help you. We need to figure out why the firewall is blocking the protocol on port 123 and not on port 122.

The inspection helps in situations like this, but it seems the ASA does not have preemption for NTP. Can you check?

hostname(config)# policy-map test
hostname(config-pmap)# class ntp
hostname(config-pmap-c)# inspect ntp

This is what I got as output:

ASA(config)# policy-map test
ASA(config-pmap)# class ntp
ERROR: % class-map ntp not configured

Yeah, that's what I thought.

Is there any chance the firewall is denying the traffic on port 123?

I tried to add port 123 to an incoming access rule that points to 172.31.192.15, but that didn't fix the problem.
Also, the weird thing is that the issue appeared out of nowhere with no changes on the firewall; before that, things were working fine with no issues.

And the server is listening on port 123?

Do you mean the custom server setup? That was to temporarily work around the issue.

I mean, is the NTP service on your NTP server working fine on port 123?

Yes, it's working fine, but I can't sync with it using the default NTP port because the ASA blocks the traffic, so this is why I set port 122 and did the translation.

I can even make the other firewall act as a proxy and point to any public NTP server that uses port 123.

I found a solution on the internet, and if you want you can test it.

The dude created a static NAT only for NTP, like below. You may try it in your scenario.

static (dmz,outside) udp interface ntp 192.168.240.240 ntp netmask 255.255.255.255

https://serverfault.com/questions/512821/ntp-client-on-centos-5-fails-behind-cisco-asa-firewall


nat (dmz,outside) source static any TVuPack2 service 123-UDP 123-UDP unidirectional

I tried this, but it didn't help.
