Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NTP

Hi,

Cisco Pix is able to synchronize with the NTP server.

What could be the issue?

NTP is connected on the inside zone.

configuration

ntp server 10.10.194.165 source inside-zone prefer.

pix can ping the IP and is reachable.

Please advise.

15 REPLIES
New Member

NTP

Hi,

could this be an issue.

firewall(config)# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

what does it mean

New Member

NTP

Hi Kunal-

What version of code are you running?

New Member

Re: NTP

It could be something to do with what kind of NTP server you are running. I've had no luck with Cisco devices getting time from Microsoft NTP servers. I ended up using Meinberg NTP which is free and pretty simple to install and configure. Works well too.

Hall of Fame Super Silver

NTP

I agree that more information might be helpful.

What kind of device is 10.10.194.165?

Can you post the output of show ntp assoc?

HTH

Rick

New Member

Re: NTP

Hi,

Cisco PIX Firewall Version 6.3(4).

firewall(config)# show ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~10.10.194.165    10.10.97.4       16  737d    64    0     1.0  44030.  16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

firewall(config)# show ntp association detail

10.10.194.165 configured, insane, invalid, stratum 16

ref ID 10.10.97.4, time ce921496.e041248d (19:53:42.875 EST Tue Oct 27 2009)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 1024

root delay 113.33 msec, root disp 69.96, reach 0, sync dist 222.290

delay 1.02 msec, offset 44030.2505 msec, dispersion 16000.00

precision 2**18, version 3

org time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

rcv time 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

xmt time d25e6cb2.ff3852f9 (08:52:50.996 EST Fri Nov 4 2011)

filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00

filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00

filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

firewall(config)# show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

cfwprd1a(config)#

Thanks

Purple

NTP

Hi,

verify the clock on the firewall is not too far from the clock on the NTP server otherwise it will take ages to synchronize.

configure the clock as close as posible to real time( UTC) then wait a few secs or mins max for the synchronization to take place.

Alain.

Don't forget to rate helpful posts.
New Member

NTP

firewall#                   ping 10.10.194.165

        10.10.194.165 response received -- 0ms

        10.10.194.165 response received -- 0ms

        10.10.194.165 response received -- 0ms

So it is not far

New Member

NTP

Try using a router or some other device close in proximity, to rule out your current device as the suspect. I would do this first instead of spending anymore time troubleshooting the current scenario.

New Member

NTP

I have another firewall configured the same way in the same inside zone for NTP.

But that also is not syncronized.

Purple

NTP

Hi,

Did you try setting the clock as close as possible to real-time as proposed?

If it still fails can you capture packets on the ntp server to see if it gets the packets from inside interface of ASA?

You can also do a capture on ASA for this traffic

Alain.

Don't forget to rate helpful posts.
New Member

NTP

setting the clock would be like manual. How would NTP work?

Purple

NTP

Hi,

you first set the clock manually as close as possible as real time then your NTP syncing will be done and your clock will always be accurate .I f you want to sync a clock with NTP which has a time really far from ntp server then it will take ages to sync.

Alain.

Don't forget to rate helpful posts.
New Member

NTP

Hi,

I changed the NTP server to 10.10.194.226 and the clocks have synchronized.

But when I revert to 10.10.194.165 it becomes unsynchronized.

So what does this mean?

Does it mean that 10.10.194.165 is having the wrong clock or 10.10.194.165 is taking clock from 10.10.97.4

firewall(config)# show ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~10.10.194.165    10.10.97.4       16  737d    64    0     1.0  44030.  16000.

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Purple

NTP

Hi,

what are  these 2 adresses you are syncing to?

Alain

Don't forget to rate helpful posts.
Hall of Fame Super Silver

NTP

If NTP sync is successful to 10.10.194.226 but not successful to 10.10.194.165 it either indicates that there is a problem in communication for NTP to 10.10.194.165 or it means that there is some issue with NTP on that device.

In an earlier post in this thread you posted this output

firewall(config)# show ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp

~10.10.194.165    10.10.97.4       16  737d    64    0     1.0  44030.  16000.

I believe that if the ref clock is non-zero that you are communicating NTP with the device. So there must be something about NTP on that device. We have asked before, and I will ask again - what kind of device is 10.10.194.165?

HTH

Rick

846
Views
0
Helpful
15
Replies