ASA5520 clock deviates from Microsoft AD server

Unanswered Question
Apr 1st, 2008

Dear all,

I set up the remote access VPN using Active Directory LDAP and Kerberos for authentication and authorization. It works well, but I am facing frequent tunnel disconnections. Syslog shows that the clock settings between the AD server and the ASA are 10 minutes different. After setting the ASA time back to the AD time, the tunnel comes up. It is now frequent and I do not want to do the manual setting every time.

Please help me: how can I set up the time in sync?

Thanks

swami

rahmant Wed, 04/02/2008 - 03:23

How are both the 5520 and the AD server syncing time now? Are either/both configured for NTP?


Tariq

cisco24x7 Wed, 04/02/2008 - 05:39

I am not familiar with MS Active Directory, but if I am not mistaken, Microsoft uses SNTP (simple NTP) instead of the regular NTP like Unix/Linux. I use a Linux server to sync NTP between the PIX and the Linux box and it works fine.

Using Microsoft may be the source of the problem.


CCIE Security

rahmant Wed, 04/02/2008 - 11:41

As cisco24x7 mentioned, you can set NTP on your ASA to automagically update time. Read up in the config guide for this - in 8.0, the section is under "getting started..." / "configuring basic settings" / "setting the date and time" / "setting the date and time using an ntp server"


From my understanding, AD servers typically already sync time amongst themselves - you should confirm that with your AD admin(s). If they're not using NTP to get updated time from the Internet or radio source, try to figure out why :)


If there's no reason not to, have your AD environment and your ASA sync NTP from a few good sources. You can find some public sources from here: http://www.ntp.org
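To check how far a clock has drifted before tunnels start dropping, here is an added example (not part of the thread and not Cisco or Microsoft code) that computes the clock offset from a raw NTP/SNTP server reply and compares it with Kerberos's tolerance. The 300-second limit assumes the default 5-minute Kerberos setting is in use; the function names and the sample packet are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300       # assumption: default 5-minute Kerberos clock tolerance


def _to_unix(seconds, fraction):
    # NTP timestamps are 32-bit seconds plus a 32-bit binary fraction.
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def ntp_offset(reply, t1, t4):
    """Server-minus-local offset in seconds; t1/t4 are local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    leap, mode = reply[0] >> 6, reply[0] & 0x7
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or reply[1] == 0:  # alarm flag or stratum 0: do not trust this time
        raise ValueError("server is unsynchronized")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", reply[32:48])
    t2, t3 = _to_unix(rx_s, rx_f), _to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset, max_skew=KERBEROS_MAX_SKEW):
    return abs(offset) <= max_skew


def build_reply(server_unix, leap=0, stratum=2):
    """Constructed sample reply (not a capture): version 3, mode 4 (server)."""
    ts = struct.pack("!II", int(server_unix) + NTP_EPOCH_DELTA, 0)
    header = bytes([(leap << 6) | (3 << 3) | 4, stratum, 6, 0xEC])
    return header + bytes(28) + ts + ts  # zeroed fields, then receive and transmit stamps


if __name__ == "__main__":
    local = 1207000000.0  # constructed local clock reading
    # Server runs 10 minutes ahead, as in the original post; reply took 20 ms.
    drift = ntp_offset(build_reply(local + 600), local, local + 0.02)
    print(f"offset {drift:+.2f}s, within Kerberos skew: {within_kerberos_skew(drift)}")
```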
