11-03-2011 11:45 AM - edited 03-11-2019 02:45 PM
Hi,
Cisco Pix is able to synchronize with the NTP server.
What could be the issue?
NTP is connected on the inside zone.
Configuration:
ntp server 10.10.194.165 source inside-zone prefer
The PIX can ping the IP and it is reachable.
Please advise.
11-03-2011 12:15 PM
Hi,
Could this be an issue?
firewall(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
What does it mean?
11-03-2011 12:42 PM
Hi Kunal-
What version of code are you running?
11-03-2011 05:11 PM
It could be something to do with what kind of NTP server you are running. I've had no luck with Cisco devices getting time from Microsoft NTP servers. I ended up using Meinberg NTP which is free and pretty simple to install and configure. Works well too.
11-03-2011 08:08 PM
I agree that more information might be helpful.
What kind of device is 10.10.194.165?
Can you post the output of show ntp assoc?
HTH
Rick
11-04-2011 07:13 AM
Hi,
Cisco PIX Firewall Version 6.3(4).
firewall(config)# show ntp association
      address         ref clock     st  when  poll  reach  delay  offset    disp
 ~10.10.194.165       10.10.97.4    16  737d    64      0    1.0  44030.  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
firewall(config)# show ntp association detail
10.10.194.165 configured, insane, invalid, stratum 16
ref ID 10.10.97.4, time ce921496.e041248d (19:53:42.875 EST Tue Oct 27 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 1024
root delay 113.33 msec, root disp 69.96, reach 0, sync dist 222.290
delay 1.02 msec, offset 44030.2505 msec, dispersion 16000.00
precision 2**18, version 3
org time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rcv time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt time d25e6cb2.ff3852f9 (08:52:50.996 EST Fri Nov 4 2011)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
firewall(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
cfwprd1a(config)#
Thanks
11-04-2011 07:19 AM
Hi,
Verify the clock on the firewall is not too far from the clock on the NTP server; otherwise it will take ages to synchronize.
Configure the clock as close as possible to real time (UTC), then wait a few secs or mins max for the synchronization to take place.
Alain.
11-04-2011 09:00 AM
firewall# ping 10.10.194.165
10.10.194.165 response received -- 0ms
10.10.194.165 response received -- 0ms
10.10.194.165 response received -- 0ms
So it is not far
11-04-2011 07:46 AM
Try using a router or some other device close in proximity, to rule out your current device as the suspect. I would do this first instead of spending any more time troubleshooting the current scenario.
11-04-2011 09:03 AM
I have another firewall configured the same way in the same inside zone for NTP.
But that also is not synchronized.
11-04-2011 09:37 AM
Hi,
Did you try setting the clock as close as possible to real-time as proposed?
If it still fails, can you capture packets on the NTP server to see if it gets the packets from the inside interface of the ASA?
You can also do a capture on the ASA for this traffic.
Alain.
11-04-2011 11:35 AM
setting the clock would be like manual. How would NTP work?
11-04-2011 01:09 PM
Hi,
You first set the clock manually as close as possible to real time, then your NTP syncing will be done and your clock will always be accurate. If you want to sync a clock with NTP which has a time really far from the NTP server, then it will take ages to sync.
Alain.
11-04-2011 01:48 PM
Hi,
I changed the NTP server to 10.10.194.226 and the clocks have synchronized.
But when I revert to 10.10.194.165 it becomes unsynchronized.
So what does this mean?
Does it mean that 10.10.194.165 is having the wrong clock, or that 10.10.194.165 is taking its clock from 10.10.97.4?
firewall(config)# show ntp association
      address         ref clock     st  when  poll  reach  delay  offset    disp
 ~10.10.194.165       10.10.97.4    16  737d    64      0    1.0  44030.  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
11-04-2011 02:06 PM
Hi,
What are these 2 addresses you are syncing to?
Alain
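
An added example, not part of any post in this thread: a small Python parser that decodes the hex NTP timestamps in the `show ntp association detail` output posted above and lists what the reach, stratum and timestamp fields indicate. The function names and the wording of the findings are this example's own; the sample lines are copied from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Lines copied from the `show ntp association detail` output posted in this thread.
SAMPLE = """\
10.10.194.165 configured, insane, invalid, stratum 16
ref ID 10.10.97.4, time ce921496.e041248d (19:53:42.875 EST Tue Oct 27 2009)
root delay 113.33 msec, root disp 69.96, reach 0, sync dist 222.290
org time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rcv time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt time d25e6cb2.ff3852f9 (08:52:50.996 EST Fri Nov 4 2011)
"""

def ntp_to_utc(hexstamp):
    """Decode 'seconds.fraction' hex (seconds since 1900-01-01 UTC); all-zero means unset."""
    secs, frac = (int(part, 16) for part in hexstamp.split("."))
    if secs == 0 and frac == 0:
        return None  # the device prints this unset value as a Feb 7 2036 date
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=(frac * 10**6) >> 32)

def diagnose(text):
    """Return (decoded timestamps, findings) for one association's detail output."""
    times = {
        m.group(1): ntp_to_utc(m.group(2))
        for m in re.finditer(r"^(ref|org|rcv|xmt)\b.*?time ([0-9a-f]{8}\.[0-9a-f]{8})", text, re.M)
    }
    stratum = int(re.search(r"stratum (\d+)", text).group(1))
    reach = int(re.search(r"reach (\d+)", text).group(1), 8)  # octal shift register
    findings = []
    if reach == 0:
        findings.append("reach-0: none of the last 8 polls got a valid reply")
    if stratum >= 16:
        findings.append("stratum-16: peer is marked unsynchronized")
    if times.get("org") is None and times.get("rcv") is None:
        findings.append("org/rcv unset: no reply timestamps recorded")
    if times.get("ref") and times.get("xmt"):
        age = (times["xmt"] - times["ref"]).days
        if age > 1:
            findings.append(f"stale-ref: peer reference time is {age} days older than our last poll")
    return times, findings

if __name__ == "__main__":
    decoded, notes = diagnose(SAMPLE)
    for name, ts in decoded.items():
        print(name, ts.isoformat() if ts else "unset")
    print("\n".join(notes))
```

The 737-day gap it computes between the peer's reference time and the firewall's last transmit time matches the `when 737d` column in the `show ntp association` output.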