cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

13867
Views
15
Helpful
5
Replies
Highlighted

Synchronizing time between SFR module (ASA5512) and FirePOWER Management Center

Hi.

I deploy in my network Cisco FirePOWER Management Center (for VMWare, v. 6.0.0) and attach to it SFR-module from Cisco ASA 5512. After applying time settings in FMC I have a synchronization time errors for my SFR-module ("Time synchronization status for 172.16.x.x is out-of-sync").

This article shows a setting, that allow to sync time SFR-module with FMC. But I don't have an option to set time on managed devices, just for FMC.

Please, tell me how can I fix this problem. Thank you!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

I just went through this with

I just went through this with TAC.  They pointed out that the documentation states that you should not sync SFR with a virtual FMC.  I wound up setting FMC and SFR to pull time from my domain controller and all was well.

View solution in original post

5 REPLIES 5
Highlighted
Hall of Fame Guru

Have you licensed both the

Have you licensed both the FMC and the managed ASA?

They have changed that screen in 6.0 and you are right - the option no longer appears to choose the managed devices distinct from the FMC.

However, if you deploy the health policy to the FirePOWER module, it should still pick up that setting.

Highlighted

Yes, I've licensed it both.

Yes, I've licensed it both.

It looks like everything will be OK with time syncing, but I have a different time in FMC and SFR-module

root@asa-firepower:/Volume/home/admin# date
Thu Mar 31 12:18:07 MSK 2016
root@firepower-mgmt-center:/Volume/home/admin# date
Thu Mar 31 12:17:58 MSK 2016

date command runned at the absolutely same time.

there is a screenshot with my time settings in FMC and output of ntp command at FMC and SFR

pinging between SFR and FMC:

admin@asa-firepower:~$ sudo ping 172.16.13.252
PING 172.16.13.252 (172.16.13.252) 56(84) bytes of data.
64 bytes from 172.16.13.252: icmp_req=1 ttl=64 time=0.362 ms
64 bytes from 172.16.13.252: icmp_req=2 ttl=64 time=0.270 ms
64 bytes from 172.16.13.252: icmp_req=3 ttl=64 time=0.253 ms

FMC:

root@firepower-mgmt-center:/Volume/home/admin# ntpdate -u 0.pool.ntp.org
31 Mar 12:25:26 ntpdate[13323]: adjust time server 178.124.134.106 offset -0.020232 sec
root@firepower-mgmt-center:/Volume/home/admin# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.1 .SFCL. 14 l 10 64 377 0.000 0.000 0.000
178.124.134.106 .INIT. 16 u - 1024 0 0.000 0.000 0.000

SFR-module:

> show ntp
NTP Server : 127.0.0.2
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 598 (seconds)
> expert
admin@asa-firepower:~$ sudo ntpq -pn
Password:
remote refid st t when poll reach delay offset jitter
==============================================================================
127.0.0.2 LOCAL(1) 15 u 612 1024 0 0.000 0.000 0.000
Highlighted
Beginner

I just went through this with

I just went through this with TAC.  They pointed out that the documentation states that you should not sync SFR with a virtual FMC.  I wound up setting FMC and SFR to pull time from my domain controller and all was well.

View solution in original post

Highlighted
Cisco Employee

You got it . In general , for

You got it . In general , for hardware devices the time sync can be set with the Firesight Management Center . You cannot sync the firepower modules with the Virtual FMC.

Highlighted
Frequent Contributor

Great, thanks for sharing the

Great, thanks for sharing the info of TAC.

.