Solved: You got it . In general , for

Eugene.alekseev · ‎02-17-2016

Hi.

I deploy in my network Cisco FirePOWER Management Center (for VMWare, v. 6.0.0) and attach to it SFR-module from Cisco ASA 5512. After applying time settings in FMC I have a synchronization time errors for my SFR-module ("Time synchronization status for 172.16.x.x is out-of-sync").

This article shows a setting, that allow to sync time SFR-module with FMC. But I don't have an option to set time on managed devices, just for FMC.

Please, tell me how can I fix this problem. Thank you!

Nathan Gagne · ‎03-31-2016

I just went through this with TAC. They pointed out that the documentation states that you should not sync SFR with a virtual FMC. I wound up setting FMC and SFR to pull time from my domain controller and all was well.

View solution in original post

Marvin Rhoads · ‎02-17-2016

Have you licensed both the FMC and the managed ASA?

They have changed that screen in 6.0 and you are right - the option no longer appears to choose the managed devices distinct from the FMC.

However, if you deploy the health policy to the FirePOWER module, it should still pick up that setting.

Eugene.alekseev · ‎03-31-2016

Yes, I've licensed it both.

It looks like everything will be OK with time syncing, but I have a different time in FMC and SFR-module

root@asa-firepower:/Volume/home/admin# date
Thu Mar 31 12:18:07 MSK 2016

root@firepower-mgmt-center:/Volume/home/admin# date
Thu Mar 31 12:17:58 MSK 2016

date command runned at the absolutely same time.

there is a screenshot with my time settings in FMC and output of ntp command at FMC and SFR

pinging between SFR and FMC:

admin@asa-firepower:~$ sudo ping 172.16.13.252
PING 172.16.13.252 (172.16.13.252) 56(84) bytes of data.
64 bytes from 172.16.13.252: icmp_req=1 ttl=64 time=0.362 ms
64 bytes from 172.16.13.252: icmp_req=2 ttl=64 time=0.270 ms
64 bytes from 172.16.13.252: icmp_req=3 ttl=64 time=0.253 ms

FMC:

root@firepower-mgmt-center:/Volume/home/admin# ntpdate -u 0.pool.ntp.org
31 Mar 12:25:26 ntpdate[13323]: adjust time server 178.124.134.106 offset -0.020232 sec
root@firepower-mgmt-center:/Volume/home/admin# ntpq -pn
 remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.1 .SFCL. 14 l 10 64 377 0.000 0.000 0.000
 178.124.134.106 .INIT. 16 u - 1024 0 0.000 0.000 0.000

SFR-module:

> show ntp
NTP Server : 127.0.0.2
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 598 (seconds)

> expert
admin@asa-firepower:~$ sudo ntpq -pn
Password: 
 remote refid st t when poll reach delay offset jitter
==============================================================================
 127.0.0.2 LOCAL(1) 15 u 612 1024 0 0.000 0.000 0.000

Nathan Gagne · ‎03-31-2016

I just went through this with TAC. They pointed out that the documentation states that you should not sync SFR with a virtual FMC. I wound up setting FMC and SFR to pull time from my domain controller and all was well.

Jetsy Mathew · ‎04-23-2016

You got it . In general , for hardware devices the time sync can be set with the Firesight Management Center . You cannot sync the firepower modules with the Virtual FMC.

#Mat · ‎08-17-2017

Great, thanks for sharing the info of TAC.

.

Synchronizing time between SFR module (ASA5512) and FirePOWER Management Center