02-17-2016 02:58 AM - edited 03-10-2019 06:33 AM
Hi.
I deployed Cisco FirePOWER Management Center (for VMware, v. 6.0.0) in my network and attached the SFR module from a Cisco ASA 5512 to it. After applying time settings in FMC, I get time synchronization errors for my SFR module ("Time synchronization status for 172.16.x.x is out-of-sync").
This article shows a setting that allows syncing the SFR module's time with FMC. But I don't have an option to set time on managed devices, just for FMC.
Please tell me how I can fix this problem. Thank you!
02-17-2016 07:43 AM
Have you licensed both the FMC and the managed ASA?
They have changed that screen in 6.0 and you are right - the option no longer appears to choose the managed devices distinct from the FMC.
However, if you deploy the health policy to the FirePOWER module, it should still pick up that setting.
03-31-2016 02:31 AM
Yes, I've licensed them both.
It looks like everything will be OK with time syncing, but I have a different time on the FMC and the SFR module:
root@asa-firepower:/Volume/home/admin# date
Thu Mar 31 12:18:07 MSK 2016
root@firepower-mgmt-center:/Volume/home/admin# date
Thu Mar 31 12:17:58 MSK 2016
The date command was run at exactly the same time.
Here is a screenshot with my time settings in FMC and the output of the ntp command on FMC and SFR.
Pinging between SFR and FMC:
admin@asa-firepower:~$ sudo ping 172.16.13.252
PING 172.16.13.252 (172.16.13.252) 56(84) bytes of data.
64 bytes from 172.16.13.252: icmp_req=1 ttl=64 time=0.362 ms
64 bytes from 172.16.13.252: icmp_req=2 ttl=64 time=0.270 ms
64 bytes from 172.16.13.252: icmp_req=3 ttl=64 time=0.253 ms
FMC:
root@firepower-mgmt-center:/Volume/home/admin# ntpdate -u 0.pool.ntp.org
31 Mar 12:25:26 ntpdate[13323]: adjust time server 178.124.134.106 offset -0.020232 sec
root@firepower-mgmt-center:/Volume/home/admin# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.1     .SFCL.          14 l   10   64  377    0.000    0.000   0.000
 178.124.134.106 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
SFR-module:
> show ntp
NTP Server : 127.0.0.2
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 598 (seconds)
> expert
admin@asa-firepower:~$ sudo ntpq -pn
Password:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.0.0.2       LOCAL(1)        15 u  612 1024    0    0.000    0.000   0.000
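An added example, not part of the thread and not Cisco code: a small Python check that reads the `ntpq -pn` rows posted above and reports why each box shows as unsynchronized (reach of 0, stratum 16, or a system peer that is ntpd's own local-clock driver at 127.127.1.x). The function names are hypothetical, and the sample rows are copied from the post.

```python
# Added example: triage `ntpq -pn` peer rows (function names are hypothetical).
# Sample rows are the ones posted in the thread above.
FMC = """\
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.1 .SFCL. 14 l 10 64 377 0.000 0.000 0.000
178.124.134.106 .INIT. 16 u - 1024 0 0.000 0.000 0.000
"""
SFR = """\
remote refid st t when poll reach delay offset jitter
==============================================================================
127.0.0.2 LOCAL(1) 15 u 612 1024 0 0.000 0.000 0.000
"""

def parse_peers(text):
    """Return one dict per peer row; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("remote", "=")):
            continue
        tally = s[0] if s[0] in "*+-#ox." else " "   # ntpq selection flag
        f = (s[1:] if tally != " " else s).split()
        if len(f) != 10:
            continue
        peers.append({"tally": tally, "remote": f[0], "refid": f[1],
                      "st": int(f[2]), "reach": int(f[6], 8)})  # reach is octal
    return peers

def findings(text):
    """List (remote, issue) pairs that explain an out-of-sync status."""
    peers, out = parse_peers(text), []
    for p in peers:
        local = p["remote"].startswith("127.127.1.")  # ntpd local-clock driver
        if p["tally"] == "*" and local:
            out.append((p["remote"], "system peer is the local clock"))
        if p["reach"] == 0 and not local:
            out.append((p["remote"], "no reply in last 8 polls"))
        if p["st"] >= 16:
            out.append((p["remote"], "stratum 16 (unsynchronized)"))
    if not any(p["tally"] == "*" for p in peers):
        out.append((None, "no system peer selected"))
    return out

if __name__ == "__main__":
    for name, sample in (("FMC", FMC), ("SFR", SFR)):
        for remote, issue in findings(sample):
            print(f"{name}: {remote or '-'}: {issue}")
```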
03-31-2016 05:06 AM
I just went through this with TAC. They pointed out that the documentation states that you should not sync SFR with a virtual FMC. I wound up setting FMC and SFR to pull time from my domain controller and all was well.
04-23-2016 05:09 AM
You got it. In general, for hardware devices the time sync can be set with the FireSIGHT Management Center. You cannot sync the FirePOWER modules with the Virtual FMC.
08-17-2017 08:05 PM
Great, thanks for sharing the info from TAC.