Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1963
Views
0
Helpful
6
Replies

Cannot check system time on AD server

David Da Costa
Level 1
Level 1

‎02-01-2016 11:41 PM

I recently had to rebuild a wsa S170 installation, and when I created the real and tried getting the device to join the domain I got this error Cannot check system time on AD server , TAC support advised I need to upgrade to ver 8.54 and to enable SMBv1 on 2012R2 AD servers I have done all this yet the problem still persists, I am at my wits end now and would appreciate any help. The WSA hangs off a DMZ on a Cisco ASA5512 and I have allowed implicit bidirectional traffic between the WSA and the AD servers.

Labels:
0 Helpful
6 Replies 6

Philip D'Ath
VIP Alumni
VIP Alumni

‎02-02-2016 02:11 AM

This is NTP time synchronisation, right?  If a server is an AD server you don't need to do anything extra on an AD server to enable NTP queries against it.

How about trying to sync against the public NTP pool?  pool.ntp.org.  You need to allow outbound udp/123 from the WSA.

0 Helpful

David Da Costa
Level 1
Level 1
In response to Philip D'Ath

‎02-02-2016 03:37 AM

It is reading the time correctly from the NTP server it is when trying to get the new realm to join the AD , it wants to check the AD servers for Synchronization or if there is a time skew, but it is failing to communicate, I was told by the escalation engineer that it was due to SMB v1 not been enabled on AD 2012 R2.

The proxy is configured on a DMZ of a ASA 5512 while the AD controllers are on the inside network, even though I have an implicit rule between the WSA and AD server I am going to take another device and restore the config onto it and put it on the inside network and see if this will make a difference. 

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to David Da Costa

‎02-02-2016 03:42 AM

Is there a rule to allow it to talk to all AD controllers?

I think I would go with your plan, move it to the inside network, do the AD join, and then move it back.

0 Helpful

Tao Yang
Cisco Employee
Cisco Employee
In response to Philip D'Ath

‎02-02-2016 03:15 PM

WSA is working as a security gateway, normally it will only handle outbound traffic. Therefore usually we don't suggest put WSA into DMZ as it is not necessary for WSA to receive any request inbound from Internet.  

0 Helpful

David Da Costa
Level 1
Level 1
In response to Tao Yang

‎02-09-2016 03:28 AM

Some Feedback , I have configured another device and imported the configuration onto it, and changed the IP , the WSA is now on the same vlan as the AD servers and still getting the same issue wher the WSA cant check the system time on the AD servers to join the domain I am at a loss now..

0 Helpful

PAUL GILBERT ARIAS
Level 5
Level 5
In response to David Da Costa

‎08-19-2016 01:25 PM

I am getting the same problem. Where you able to solve the problem?

0 Helpful
Customers Also Viewed These Support Documents