Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1212
Views
5
Helpful
7
Replies

Set clock on AIP-SSC-5

bredell
Level 1
Level 1

‎07-08-2012 08:13 AM - edited ‎03-10-2019 05:43 AM

How are you supposed to set the clock on the AIP-SSC-5 module?

There doesn't seem to be any way to set the clock manually, you have to use NTP. The problem is that the module refuses to set the clock if the time it gets through NTP is more than 1000 seconds off. An attempt to do so results in the following error message:

"time correction of 97513010 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time."

The manual says that the module is supposed to sync its time with the appliance when it boots up but I've restart both the module and the appliance several time to no effect.

This is driving me crazy. Surely there has to be some way to set the clock?

/Mats

Labels:
0 Helpful
7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-09-2012 01:52 AM

There is no way to manually set the clock on the module. The module either gets its time from the ASA, or you can configure NTP on it.

However, pls kindly be advised that time can drift apart if you use the ASA as its time source, so it is highly recommended that you use NTP on the AIP module.

Here is the information on setting up time on AIP module for your reference:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_setup.html#wp1161015

0 Helpful

bredell
Level 1
Level 1
In response to Jennifer Halim

‎07-09-2012 08:56 AM

Unfortunately none of the documented methods seem to work.

Rebooting the ASA doesn't update the clock on the AIP.

Rebooting the AIP doesn't update the clock on the AIP.

Manually setting the clock on the ASA doesn't update the clock on the AIP.

Synching the ASA clock using NTP doesn't update the clock on the AIP.

Synching the clock on the AIP using NTP doesn't work since the time difference is too large.

The ASA clock is correct and it syncs using NTP but whatever I do the AIP refuses to set its clock. The clock is about 3 years behind.

We're currently trying using a service account to get access to the Linux prompt on the AIP, maybe we can set the clock manually that way.

Message was edited by: Mats Bredell

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to bredell

‎07-09-2012 11:52 PM

Have you double check the GMT on the AIP? Maybe it is the same time but on different timezone.

Mike

Mike
0 Helpful

bredell
Level 1
Level 1
In response to Maykol Rojas

‎07-10-2012 04:22 AM

As I stated above there's a three year time difference. The ASA has the correct time, the AIP thinks it's June 2009.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to bredell

‎07-10-2012 09:50 AM

Have you try to reset it?

Mike Rojas

Security Technical Lead

Mike
0 Helpful

bredell
Level 1
Level 1
In response to Maykol Rojas

‎07-12-2012 04:34 AM

Now we've managed to solve it. This is what we had to do:

1. Enable NTP sync on the AIP.

2. Login to the unix shell using a service account.

3. Stop the NTP server in unix.

4. Set the clock manually using the date command in unix.

5. Start the NTP server in unix.

6. Logout from the unix shell.

This will make the clock run correctly in the AIP. It will still run correctly after a reload but if the ASA loses power the procedure will probably have to be repeated.

I don't know what's wrong with our AIP but the clock certainly doesn't behave as documented.

Jennifer Halim
Cisco Employee
Cisco Employee
In response to bredell

‎07-12-2012 05:42 AM

Thanks for sharing the steps.

Definitely sounds like a bug to me.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card