NTP

kunal-united
Level 1

Hi,

Cisco Pix is able to synchronize with the NTP server.

What could be the issue?

NTP is connected on the inside zone.

configuration

ntp server 10.10.194.165 source inside-zone prefer.

PIX can ping the IP and it is reachable.

Please advise.

15 Replies

kunal-united
Level 1

Hi,

Could this be an issue?

firewall(config)# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

What does it mean?

Hi Kunal-

What version of code are you running?

jaysoo
Level 1

It could be something to do with what kind of NTP server you are running. I've had no luck with Cisco devices getting time from Microsoft NTP servers. I ended up using Meinberg NTP which is free and pretty simple to install and configure. Works well too.

I agree that more information might be helpful.

What kind of device is 10.10.194.165?

Can you post the output of show ntp assoc?

HTH

Rick

Hi,

Cisco PIX Firewall Version 6.3(4).

firewall(config)# show ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~10.10.194.165    10.10.97.4       16  737d    64    0     1.0  44030.  16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

firewall(config)# show ntp association detail

10.10.194.165 configured, insane, invalid, stratum 16

ref ID 10.10.97.4, time ce921496.e041248d (19:53:42.875 EST Tue Oct 27 2009)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 1024

root delay 113.33 msec, root disp 69.96, reach 0, sync dist 222.290

delay 1.02 msec, offset 44030.2505 msec, dispersion 16000.00

precision 2**18, version 3

org time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

rcv time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

xmt time d25e6cb2.ff3852f9 (08:52:50.996 EST Fri Nov 4 2011)

filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00

filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00

filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

firewall(config)# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

cfwprd1a(config)#

Thanks
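
A parser for the `show ntp association detail` output posted above, added here as an example; it is not part of the thread or of any Cisco tool. It decodes the hex NTP timestamps and lists the fields that mark the association as unusable. The function names are hypothetical, and reading `reach` as octal follows the usual Cisco display convention.

```python
import re
from datetime import datetime, timedelta, timezone
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
STAMP = re.compile(r"(ref|org|rcv|xmt) (?:ID \S+, )?time ([0-9a-f]{8}\.[0-9a-f]{8})")
# Lines copied from the `show ntp association detail` output in the post above.
SAMPLE = """\
10.10.194.165 configured, insane, invalid, stratum 16
ref ID 10.10.97.4, time ce921496.e041248d (19:53:42.875 EST Tue Oct 27 2009)
root delay 113.33 msec, root disp 69.96, reach 0, sync dist 222.290
delay 1.02 msec, offset 44030.2505 msec, dispersion 16000.00
rcv time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt time d25e6cb2.ff3852f9 (08:52:50.996 EST Fri Nov 4 2011)
"""

def ntp_to_utc(stamp):
    # Hex seconds.fraction since 1900-01-01 UTC. All zeros means "never set";
    # it prints as Feb 7 2036 only because the 32-bit counter wraps there.
    sec, frac = (int(part, 16) for part in stamp.split("."))
    if sec == 0 and frac == 0:
        return None
    return NTP_EPOCH + timedelta(seconds=sec, microseconds=frac * 10**6 // 2**32)

def parse_detail(text):
    head = re.search(r"^(\S+) (.+), stratum (\d+)", text, re.M)
    info = {
        "peer": head.group(1),
        "flags": head.group(2).split(", "),
        "stratum": int(head.group(3)),
        "reach": int(re.search(r"reach (\d+)", text).group(1), 8),  # octal register
        "offset_ms": float(re.search(r"offset (-?[\d.]+) msec", text).group(1)),
    }
    for name, stamp in STAMP.findall(text):
        info[name + "_time"] = ntp_to_utc(stamp)
    return info

def findings(info):
    notes = []
    if info["stratum"] == 16:
        notes.append("stratum 16: the NTP value for an unsynchronized source")
    if info["reach"] == 0:
        notes.append("reach 0: no valid reply in the last 8 polls")
    if info.get("rcv_time") is None:
        notes.append("rcv time is zero: no receive timestamp recorded")
    if info.get("ref_time") and info.get("xmt_time"):
        age = (info["xmt_time"] - info["ref_time"]).days
        notes.append(f"peer reference time is {age} days behind local transmit time")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(parse_detail(SAMPLE))))
```

The 737-day gap it reports between the peer's reference time and the firewall's transmit time is the same figure shown in the `when` column of `show ntp association`.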

Hi,

Verify the clock on the firewall is not too far from the clock on the NTP server, otherwise it will take ages to synchronize.

Configure the clock as close as possible to real time (UTC), then wait a few secs or mins max for the synchronization to take place.

Alain.

Don't forget to rate helpful posts.

firewall#                   ping 10.10.194.165

        10.10.194.165 response received -- 0ms

        10.10.194.165 response received -- 0ms

        10.10.194.165 response received -- 0ms

So it is not far

Try using a router or some other device close in proximity, to rule out your current device as the suspect. I would do this first instead of spending anymore time troubleshooting the current scenario.

I have another firewall configured the same way in the same inside zone for NTP.

But that also is not synchronized.

Hi,

Did you try setting the clock as close as possible to real-time as proposed?

If it still fails can you capture packets on the ntp server to see if it gets the packets from inside interface of ASA?

You can also do a capture on ASA for this traffic

Alain.

Don't forget to rate helpful posts.

Setting the clock would be like manual. How would NTP work?

Hi,

You first set the clock manually as close as possible to real time, then your NTP syncing will be done and your clock will always be accurate. If you want to sync a clock with NTP which has a time really far from the NTP server then it will take ages to sync.

Alain.

Don't forget to rate helpful posts.

Hi,

I changed the NTP server to 10.10.194.226 and the clocks have synchronized.

But when I revert to 10.10.194.165 it becomes unsynchronized.

So what does this mean?

Does it mean that 10.10.194.165 is having the wrong clock or 10.10.194.165 is taking clock from 10.10.97.4?

firewall(config)# show ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~10.10.194.165    10.10.97.4       16  737d    64    0     1.0  44030.  16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Hi,

What are these 2 addresses you are syncing to?

Alain

Don't forget to rate helpful posts.