New Member

NTP Sync issues

Hello guys.

I am having issues with NTP syncing on one of my ASAs. I configured the NTP server that is behind another ASA, and both ASAs exchange routes via EIGRP. Any help on this would be greatly appreciated.

Thanks

NTP Server IP address: 172.31.254.4 behind ASA 2 inside interface (security lvl 100)

ASA 1 can't sync time:

Fort-ASA01(config)# sh ntp assoc
      address         ref clock     st  when  poll reach  delay  offset    disp
~172.31.254.4     0.0.0.0          16     -    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Fort-ASA01(config)# sh route | inc 172.31.254.0
D    172.31.254.0 255.255.255.0 [90/28928] via 20.20.20.1, 831:57:30, ospf2

Packet tracer from ASA 1 to ASA 2 NTP server:

Fort-ASA01(config)# packet-tracer input inside udp 2.2.1.7 1234 172.31.254.4 ntp detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x729dd918, priority=12, domain=capture, deny=false
        hits=39403537059, user_data=0x72d14358, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x734e8ee8, priority=1, domain=permit, deny=false
        hits=24235320824, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.254.0    255.255.255.0   ospf2

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x72669f08, priority=500, domain=permit, deny=true
        hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=2.2.1.7, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ospf2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


VIP Green

NTP Sync issues

Would need to see the configuration to get a better understanding. You say that you are using EIGRP as the dynamic routing protocol, but your outgoing interface is named ospf2? Is the outgoing interface in the packet tracer correct?

--

Please remember to rate and select a correct answer
New Member

NTP Sync issues

Just the nameif states OSPF, but it's running EIGRP actually. It's strange because I can go into the ASA that is having NTP issues and I ping 172.31.254.3 and I get a reply, but when I ping 172.31.254.4, nothing. I checked for the rules on the ASAs and made sure that there are no specific entries denying any access to the NTP server...

Which part of the configuration do you need to see?

Thanks

VIP Green

NTP Sync issues

If you could post the inside and ospf2 interface configs, ACL configs as well as the access-group config, any NAT rules if configured, and the NTP configuration.

Is 172.31.254.4 a Windows machine? If so, did you turn off Windows Firewall before pinging? If not, turn it off and try to ping again.

Do you see anything in the logs related to this traffic?

--

Please remember to rate and select a correct answer