Secondary ASA NTP not synchronizing

Hello all,


I have a secondary ASA 5540 (both running 7.2(2)) that is not synchronizing with the NTP server. The primary is working fine. We only have one NTP server set up, which I will address, but I'm at a loss since the primary is working fine.


show run | i ntp
ntp server 132.163.4.101 source LUXATLASA01e prefer


show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec


show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
~132.163.4.101    0.0.0.0          16     -    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured



Any suggestions?


- Jeff S.

andhingr Thu, 08/19/2010 - 11:01

Are you able to ping the NTP server from the standby firewall? Can you grab the output of:


debug ntp events

debug ntp packet

I can't ping the IP from either, but I can from my desktop from the inside, so likely pings are being dropped that originate from the ASA.   There are no drops in the log for NTP...


Here's the output from the primary.  I had to set the clock manually to get it to do an update:

router# clock set 14:55:00 19 Aug 2010
router# NTP: peer stratum change


router# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
~132.163.4.101    .ACTS.            1   453    64    0    41.8   -0.09  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
router# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 100.0089 Hz, precision is 2**6
reference time is d017fb83.da869920 (14:50:43.853 DST Thu Aug 19 2010)
clock offset is -0.0871 msec, root delay is 41.82 msec
root dispersion is 15.91 msec, peer dispersion is 15.82 msec


router# show run | i ntp
ntp server 132.163.4.101 source LUXATLASA01e prefer
router# NTP: xmit packet to 132.163.4.101:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0ab5 (41.824), rtdsp 0813 (31.540), refid 84a30465 (132.163.4.101)
ref d017fb83.da869920 (14:50:43.853 DST Thu Aug 19 2010)
org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rec 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
NTP: rcv packet from 132.163.4.101 to 65.196.178.243 on LUXATLASA01e:
leap 0, mode 4, version 3, stratum 1, ppoll 64
rtdel 0000 (0.000), rtdsp 0000 (0.000), refid 41435453 (65.67.84.83)
ref d017fd51.c915ecb7 (14:58:25.785 DST Thu Aug 19 2010)
org d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
rec d017fd70.c9ea045e (14:58:56.788 DST Thu Aug 19 2010)
xmt d017fd70.c9eb18e8 (14:58:56.788 DST Thu Aug 19 2010)
inp d017fcc4.018bcf43 (14:56:04.006 DST Thu Aug 19 2010)
NTP: 132.163.4.101 reachable
NTP: peer stratum change
NTP: clock reset



Here's the debug from the secondary:

NTP: xmit packet to 132.163.4.101:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rec 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt d017fd78.1faa7e87 (14:59:04.123 DST Thu Aug 19 2010)



Notice there's no receive packet.  The same xmit packet above just keeps repeating...

Thx,

Jeff
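The debug output above prints every NTP field in raw form (16.16 fixed-point delays, a hex refid, 64-bit timestamps). This added decoder, which is not Cisco code or part of the thread, turns those fields into the readable values shown in parentheses and reports whether any server (mode 4) packet was captured at all; the sample packets are copied from the posts above, and US Eastern time (UTC-4 in DST, UTC-5 for EST) is assumed from the page's own output.

```python
# Added decoder for the raw fields the ASA's `debug ntp packet` prints.  Not Cisco
# code: the two sample packets are copied from this thread, and US Eastern time
# (UTC-4 while in DST, UTC-5 for EST) is assumed from the page's own output.
import re
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01
EDT, EST = timezone(timedelta(hours=-4)), timezone(timedelta(hours=-5))
HDR = re.compile(r"leap (\d+), mode (\d+), version (\d+), stratum (\d+), ppoll (\d+)")
FIELD = re.compile(r"\b(rtdel|rtdsp|refid|ref|org|rec|xmt|inp) ([0-9a-f.]+)")

def fixed16_ms(hexval):  # rtdel/rtdsp are 16.16 fixed-point seconds: 0ab5 -> 41.824 ms
    return round(int(hexval, 16) / 65536 * 1000, 3)

def ntp_timestamp(hexts, tz):  # 'ssssssss.ffffffff' -> local wall clock
    secs, frac = (int(p, 16) for p in hexts.split("."))
    if secs < NTP_UNIX_DELTA:  # before 1970 = NTP era 1; an all-zero field shows as 2036
        secs += 1 << 32
    dt = datetime.fromtimestamp(secs - NTP_UNIX_DELTA, tz)
    ms = frac * 1000 >> 32  # truncate to ms, as the ASA display does
    return f"{dt:%H:%M:%S}.{ms:03d} {dt:%a %b} {dt.day} {dt.year}"

def refid(hexval, stratum):  # stratum 1: 4-char clock name ('ACTS'); else upstream IPv4
    raw = bytes.fromhex(hexval.zfill(8))
    return raw.decode("ascii") if stratum == 1 else ".".join(str(b) for b in raw)

def decode_packet(text, tz):  # one debug packet block -> named, human-readable fields
    leap, mode, _, stratum, ppoll = map(int, HDR.search(text).groups())
    out = {"mode": {3: "client", 4: "server"}.get(mode, mode), "leap": leap,
           "stratum": stratum, "poll_s": ppoll}
    for name, val in FIELD.findall(text):
        if name in ("rtdel", "rtdsp"):
            out[name + "_ms"] = fixed16_ms(val)
        elif name == "refid":
            out[name] = refid(val, stratum)
        else:
            out[name] = ntp_timestamp(val, tz)
    return out

def server_replied(debug_text):  # True only if a mode-4 (server) packet was captured
    return any(int(m.group(2)) == 4 for m in HDR.finditer(debug_text))

PRIMARY_RCV = """NTP: rcv packet from 132.163.4.101 to 65.196.178.243 on LUXATLASA01e:
leap 0, mode 4, version 3, stratum 1, ppoll 64
rtdel 0000 (0.000), rtdsp 0000 (0.000), refid 41435453 (65.67.84.83)
ref d017fd51.c915ecb7 (14:58:25.785 DST Thu Aug 19 2010)"""
SECONDARY_XMIT = """NTP: xmit packet to 132.163.4.101:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)"""
```

Running `server_replied` over the secondary's capture returns False, which is the same conclusion drawn above from the missing "rcv packet" lines and the reach value of 0.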

andhingr Thu, 08/19/2010 - 12:33

Is your router functioning as the NTP server? From the debugs it seems nothing is coming back from the server, and I see only transmits. Can you attach the configuration of the router as well as the ASAs?

Update: that IP (132.163.4.101) is a stratum 1 server (time-a.timefreq.bldrdoc.gov) with a restriction of up to 20 queries per hour from the same address.  It may be possible, since both the primary and secondary ASA will have the same source address, that we're exceeding that mark.  Also, we're allowing any client out on the NTP port instead of collapsing all queries to the ASA or an internal router.  All of those queries will also be from the same ASA source address.


I plan to change the NTP server to three different stratum 2 servers with no restrictions and see if that corrects the issue.  We're also working to collapse the NTP queries to an internal address.  I'll post the results after the changes are made.


Thanks for the responses!

andhingr Thu, 08/19/2010 - 12:42

Did you configure the standby IP on the interface used for polling the NTP server? Active and standby use different source addresses. Please send me the config of each device.
