NTP server unreachable through ASA firewall

Oliver Drew
Level 1

Hi all,

I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:

NTP: <NTP server IP address> unreachable

I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:

access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp

I can see the hit counter on this rule incrementing.

The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.

Output from the DMZ switch:

switch#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

switch#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

PRNLN-DMZ-SW01#sh run | inc ntp
ntp source Vlan138
ntp server 192.168.65.254

ukhvdc00vs01#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org

Does the firewall rule need to permit more than UDP/123 for this to work perhaps?

NTP config on DMZ switch:

switch#sh run | inc ntp
ntp source Vlan138
ntp server <IP address of NTP server>

===================

NTP config on NTP server:

NTP_Server#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org

Any guidance welcomed.

Thank you,

Olly
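A probe you can run from a host on the DMZ side of the ASA to separate "the request or reply never made it through" from "the server answered, but with a reply no client would accept" (stratum 16, leap indicator 3, or a kiss-o'-death). This is an added example for this thread, not Cisco code and not something from the original post; the server address is passed on the command line, and the replies produced by make_server_reply are constructed purely for offline testing of the decoder.

```python
"""
NTP reachability probe: send an NTPv4 client request (mode 3) over UDP/123 and
decode the reply (RFC 5905 header layout). Added example; constructed sample
replies are used to exercise the decoder offline.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
NTP_FMT = "!BBBb11I"               # 48-byte header: flags, stratum, poll, precision, 11 x 32-bit words
KOD_CODES = {"RATE": "polling too fast", "DENY": "access denied", "RSTR": "restricted"}


def _to_ntp_ts(unix_time):
    """Unix float seconds -> (ntp_seconds, ntp_fraction)."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32)


def _from_ntp_ts(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def build_ntp_request(now=None):
    """NTPv4 client packet: LI=0, VN=4, mode=3 (0x23); only the transmit timestamp is set."""
    now = time.time() if now is None else now
    tx_s, tx_f = _to_ntp_ts(now)
    return struct.pack(NTP_FMT, 0x23, 0, 6, -20, *([0] * 9), tx_s, tx_f)


def parse_ntp_packet(data):
    """Decode the fixed 48-byte NTP header into a dict."""
    if len(data) < 48:
        raise ValueError(f"short NTP packet ({len(data)} bytes)")
    f = struct.unpack(NTP_FMT, data[:48])
    flags, stratum = f[0], f[1]
    if stratum <= 1:   # four ASCII chars: KoD code or reference-clock identifier
        refid = data[12:16].decode("ascii", "replace").rstrip("\x00")
    else:              # IPv4 address of the upstream server (IPv6 peers show a hash)
        refid = socket.inet_ntoa(data[12:16])
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "refid": refid,
        "root_delay": f[4] / 2**16, "root_dispersion": f[5] / 2**16,
        "transmit_time": _from_ntp_ts(f[13], f[14]),
    }


def assess(pkt):
    """Would a client count this reply as a usable server? (bool, reason)"""
    if pkt["mode"] != 4:
        return False, f"not a server reply (mode {pkt['mode']})"
    if pkt["stratum"] == 0:
        return False, "kiss-o'-death: " + KOD_CODES.get(pkt["refid"], pkt["refid"])
    if pkt["stratum"] >= 16 or pkt["leap"] == 3:
        return False, "server answered but its own clock is unsynchronised (stratum 16 / LI=3)"
    return True, f"usable: stratum {pkt['stratum']}, refid {pkt['refid']}"


def probe(server, timeout=2.0, source_ip="", source_port=0):
    """One request/reply exchange. A timeout means the request or the reply was
    dropped on the path (ACL, NAT, routing), not that the server's clock is bad."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((source_ip, source_port))   # bind to the address the ACL permits
        sock.sendto(build_ntp_request(), (server, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None, f"no reply from {server} within {timeout}s"
    pkt = parse_ntp_packet(data)
    return pkt, assess(pkt)[1]


def make_server_reply(stratum, refid, leap=0, tx_unix=1_700_000_000.0):
    """Constructed server reply (mode 4) used only for offline testing of the decoder."""
    raw = refid.encode() if stratum <= 1 else socket.inet_aton(refid)
    refid_word = struct.unpack("!I", raw)[0]
    tx_s, tx_f = _to_ntp_ts(tx_unix)
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack(NTP_FMT, flags, stratum, 6, -20, 0x1000, 0x0800, refid_word,
                       *([0] * 6), tx_s, tx_f)


if __name__ == "__main__":
    import sys
    # Constructed samples: healthy stratum-3 server, a KoD, and an unsynchronised server.
    for sample in (make_server_reply(3, "203.0.113.1"),
                   make_server_reply(0, "RATE"),
                   make_server_reply(16, "0.0.0.0", leap=3)):
        print(assess(parse_ntp_packet(sample)))
    if len(sys.argv) > 1:          # python3 ntp_probe.py <NTP server IP>
        print(probe(sys.argv[1]))
```

An IOS client sends from UDP/123 to UDP/123; this probe uses an ephemeral source port unless you pass source_port=123 (which needs privileges), so both match an ACL that, like the one in the post, only constrains the destination port. The ASA tracks the UDP flow it permitted, so the reply needs no rule of its own. A timeout points at the path between the two hosts; a decoded reply that fails assess() means the path is fine and the server itself is what the client is rejecting.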
