cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1115
Views
2
Helpful
10
Replies

how to add NTP server on firepower :FPR1120-NGFW-K9

suruchigupta555
Level 1
Level 1

my  FTD is not connected with FMC and is showing a pending state. checked on my FTD , the time was showing wrong and NTP server was also not Sync

# show ntp

NTP Overall Time-Sync Status: Ntp Config Failed

please help me removing my current NTP server and re add it on my FPR1120 running on FTD code using CLI, as I dont have GUI access.

10 Replies 10

One by one I think ftd 1120 sync with fmc for NTP not direct 

And for pending between ftd and fmc 

You use data interface?

Any of device behind NAT?

MHM

yes, we are using data interface to configure manager of FTD, I tried to remove and re-add the manager but it didnt help. 

Can you ping the FMC from the FTD? if you didn't try this please issue the command "ping system < the FMC IP address >" from the FTD CLISH mode and see if you get any replies. If so, I would suggest to check the /var/log/messages file from the FTD in expert mode and see if there is anything flagged that would suggest what the issue could be. Also, you can run some packet capture on the FMC to see if it actually receives any traffic from the FTD on port 8305/tcp which is the port used to establish the sftunnel. Please check this post of mine that shows you how to do it:

Packet Capture in FMC | Blue Network Security (bluenetsec.com)

Usually we see the pending state on the FTD until it is added and registered to the FMC, did you add the FTD on the FMC?

Regarding configuring NTP directly from FTD CLI, I don't believe that is possible unless you want to try to go into expert mode and try to edit the ntp.conf file located into /etc/ directory, and then restart the NTP services.

 

 

Marvin Rhoads
Hall of Fame
Hall of Fame

Does "show time" from the cli at least have something close to correct? If not then you may need to go into expert mode and correct at as @Aref Alsouqi suggested.

It should not affect the ability to register unless it's so far off that the certificate pushed from FMC during registration isn't parsed as valid.

@Aref Alsouqi @Marvin Rhoads  please check link below ' the ftd 1k/2k ntp config only via fmc' 

If it can via cli' please share command to do that 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215468-configure-verify-and-troubleshoot-netwo.html#toc-hId-1997286687

The steps in 4c and following at this link: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118626-technote-firesight-00.html describe how the ntp.conf file looks. By the way, it is located in /ngfw/etc in newer platforms (7.x+).

Using that a a basis, it can potentially be modified (although this should only be a last resort as the time should not drift much even if NTP is not working).

This for firesight' I make check abd in start guide of 1100 series you can set ntp server.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc.html

Maybe this what he looking for

MHM

The method in the GSG could be used if one switches back to a locally managed (FDM) mode.

5. Time Difference Between FTD and FMC

The FTD-FMC communication is sensitive to time differences between the 2 devices. It is a design requirement to have FTD and FMC synchronized by the same NTP server.

Specifically, when the FTD is installed on a platform like 41xx or 93xx it takes its time settings from the parent chassis (FXOS).



Recommended Action

Ensure that the chassis manager (FCM) and the FMC use the same time source (NTP server)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

I dont think it NTP mismatch issue but maybe I am wrong 

MHM

shariri
Cisco Employee
Cisco Employee

To get more detailed information regarding NTP configuration, please log in on FTD CLI :

>show support ntp

>show ntp

expert >> sudo su >> 
#cat /etc/ntp.conf

#ntp q

You can check the NTP server's reachability from expert mode if using FQDN please make sure the DNS resolve is working.

 

 

Review Cisco Networking for a $25 gift card