08-19-2010 07:43 AM - edited 03-11-2019 11:28 AM
Hello all,
I have a secondary ASA 5540 (both running 7.2(2)) that is not synchronizing with the NTP server. The primary is working fine. We only have one NTP server set up, which I will address, but I'm at a loss since the primary is working fine.
show run | i ntp
ntp server 132.163.4.101 source LUXATLASA01e prefer
show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
show ntp associations
address ref clock st when poll reach delay offset disp
~132.163.4.101 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Any suggestions?
- Jeff S.
08-19-2010 11:01 AM
Are you able to ping the NTP server from the standby firewall? Can you grab the output of
debug ntp events
debug ntp packet
08-19-2010 12:03 PM
I can't ping the IP from either, but I can from my desktop from the inside, so likely pings are being dropped that originate from the ASA. There are no drops in the log for NTP...
Here's the output from the primary. I had to set the clock manually to get it to do an update:
router# clock set 14:55:00 19 Aug 2010
router# NTP: peer stratum change
router# show ntp associations
address ref clock st when poll reach delay offset disp
~132.163.4.101 .ACTS. 1 453 64 0 41.8 -0.09 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
router# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 100.0089 Hz, precision is 2**6
reference time is d017fb83.da869920 (14:50:43.853 DST Thu Aug 19 2010)
clock offset is -0.0871 msec, root delay is 41.82 msec
root dispersion is 15.91 msec, peer dispersion is 15.82 msec
router# show run | i ntp
ntp server 132.163.4.101 source LUXATLASA01e prefer
router# NTP: xmit packet to 132.163.4.101:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0ab5 (41.824), rtdsp 0813 (31.540), refid 84a30465 (132.163.4.101)
ref d017fb83.da869920 (14:50:43.853 DST Thu Aug 19 2010)
org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rec 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
NTP: rcv packet from 132.163.4.101 to 65.196.178.243 on LUXATLASA01e:
leap 0, mode 4, version 3, stratum 1, ppoll 64
rtdel 0000 (0.000), rtdsp 0000 (0.000), refid 41435453 (65.67.84.83)
ref d017fd51.c915ecb7 (14:58:25.785 DST Thu Aug 19 2010)
org d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
rec d017fd70.c9ea045e (14:58:56.788 DST Thu Aug 19 2010)
xmt d017fd70.c9eb18e8 (14:58:56.788 DST Thu Aug 19 2010)
inp d017fcc4.018bcf43 (14:56:04.006 DST Thu Aug 19 2010)
NTP: 132.163.4.101 reachable
NTP: peer stratum change
NTP: clock reset
Here's the debug from the secondary:
NTP: xmit packet to 132.163.4.101:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
rec 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
xmt d017fd78.1faa7e87 (14:59:04.123 DST Thu Aug 19 2010)
Notice there's no receive packet. The same xmit packet above just keeps repeating...
Thx,
Jeff
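Added example, not part of any post in this thread: Python that reads `debug ntp packet` text like the captures above, decodes the hex NTP timestamps to UTC, and lists requests whose `xmt` value never came back as a reply's `org` field, which is what separates the primary's answered exchange from the secondary's. The function names are assumptions, and the sample is trimmed from the debug lines posted above.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP era 0 starts here
HDR = re.compile(r"NTP: (xmit|rcv) packet (?:to|from) (\d+\.\d+\.\d+\.\d+)")
STAMP = re.compile(r"^\s*(org|xmt) ([0-9a-f]{8})\.([0-9a-f]{8})\b", re.I)

# Sample trimmed from the debug output in the post above (primary, then secondary).
SAMPLE = """\
NTP: xmit packet to 132.163.4.101:
 org 00000000.00000000 (01:28:16.000 EST Thu Feb 7 2036)
 xmt d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
NTP: rcv packet from 132.163.4.101 to 65.196.178.243 on LUXATLASA01e:
 org d017fcc3.f6db0ee0 (14:56:03.964 DST Thu Aug 19 2010)
 xmt d017fd70.c9eb18e8 (14:58:56.788 DST Thu Aug 19 2010)
NTP: xmit packet to 132.163.4.101:
 xmt d017fd78.1faa7e87 (14:59:04.123 DST Thu Aug 19 2010)
"""

def ntp_to_utc(sec_hex, frac_hex):
    """Decode an era-0 NTP timestamp; all zeros means the field was never set."""
    sec, frac = int(sec_hex, 16), int(frac_hex, 16)
    if sec == 0 and frac == 0:
        return None
    return NTP_EPOCH + timedelta(seconds=sec, microseconds=frac * 1_000_000 // 2**32)

def unanswered(debug_text):
    """Return [(server, xmt_hex, utc_time)] for requests with no matching reply."""
    sent, answered, kind, server = {}, set(), None, None
    for line in debug_text.splitlines():
        h = HDR.search(line)
        if h:
            kind, server = h.groups()
            continue
        s = STAMP.match(line)
        if not s or kind is None:
            continue
        field, sec, frac = s.groups()
        key = f"{sec}.{frac}".lower()
        if kind == "xmit" and field == "xmt":
            sent[key] = (server, ntp_to_utc(sec, frac))
        elif kind == "rcv" and field == "org":  # server echoes the client's xmt as org
            answered.add(key)
    return [(srv, k, t) for k, (srv, t) in sent.items() if k not in answered]

if __name__ == "__main__":
    for srv, stamp, when in unanswered(SAMPLE):
        print(f"no reply from {srv} to request {stamp} sent {when:%Y-%m-%d %H:%M:%S} UTC")
```

The all-zero `org` and `rec` fields are unset values; the ASA prints them as 7 Feb 2036 because zero is also the point where the 32-bit NTP seconds counter wraps.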
08-19-2010 12:33 PM
Is your router functioning as the NTP server? From the debugs it seems nothing is coming back from the server and I see only transmits. Can you attach the configuration of the router, and of the ASAs as well?
08-19-2010 12:36 PM
Update: that IP (132.163.4.101) is a stratum 1 server (time-a.timefreq.bldrdoc.gov) with a restriction of up to 20 queries per hour from the same address. It may be possible, since both the primary and secondary ASA will have the same source address, that we're exceeding that mark. Also, we're allowing any client out on the NTP port instead of collapsing all queries to the ASA or an internal router. All of those queries will also be from the same ASA source address.
I plan to change the NTP server to three different stratum 2 servers with no restrictions and see if that corrects the issue. We're also working to collapse the NTP queries to an internal address. I'll post the results after the changes are made.
Thanks for the responses!
08-19-2010 12:42 PM
Did you configure the standby IP on the interface used for polling the NTP server? Active/standby uses different source addresses. Please send me the config of each device.