Can't get IPS Sensor to communicate with NTP server

paulthomson85
Level 1

Hi Experts,

I've been trying to get my IPS Sensor, which is running on my ASA 5512X, to get time from my NTP server. Every time I try, it fails with the error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running".

I'm connecting to my IPS module via the management interface, which is 192.168.100.0/24; my inside network, where the NTP server is, is on the network address 192.168.1.0/24.

The Cisco Router which is serving as a NTP server is an 800 series, below is its configuration...

ntp authentication-key 330 md5 047804081B244F603D29 7
ntp trusted-key 330
ntp source Vlan3
ntp master 5
ntp server 202.22.158.31

I suspect that the sensor just can't reach the router because of my setup, but I thought it would be able to communicate because of the backplane network, which, as I understand it, on the ASA 5512X incorporates all interfaces? Confused.

Please help!!!!

24 Replies

Rejohn Cuares
Level 4

I assume reachability is not a problem. I reckon the problem here is with the MD5 authentication enabled in your router (acting as NTP server). Can you try disabling MD5 authentication and see what happens?

no ntp authentication-key 330 md5 047804081B244F603D29 7
no ntp trusted-key 330

HTH

Please rate replies and mark question as "answered" if applicable.


Thanks for the quick response.

I suspect it may be a reachability issue as I can't even ping the 192.168.1.0 network when logged onto the IPS sensor. Access control list is set to allow this network.

Thoughts on why I can't even ping the inside network?

Ok, then the issue is with your routing.

From your IPS, perform a traceroute to the NTP server's IP and then check where it stops.

Please rate replies and mark question as "answered" if applicable.


The output is of no assistance.

1  * * *
2  * * *
3  * * *
4  * * *

At the moment I have only one virtual sensor set up, VS0, and this is applied to port channel 0/0.

Can you make sure your IPS has a default gateway configured?

Please rate replies and mark question as "answered" if applicable.


This was where I was a little confused: the IPS network is set up on the Management interface (it has to be on this model), and the default gateway on the management interface goes nowhere, as it's just a management interface. What do I need to do?

Ok, I've had a dig into this, and for the ASA 5512X the time is set from the ASA itself. The Clock Set command is unavailable. The issue I have is that my ASA clock is synced with an NTP server online, yet the time on my IPS is completely different.

Clock set is only applicable for a standalone sensor. The ASA 5500-X IPS automatically synchronizes its clock with the clock in the adaptive security appliance in which it is installed. This is the default. Maybe it just takes time for the sensor to sync.

Can you check your ASA for denied NTP logs?

Please rate replies and mark question as "answered" if applicable.


Thanks for your assistance with this, is there any way to force the sensor clock to synchronize with the ASA clock? It's been 24hrs and they're still over a minute apart. The gap between the two clocks has not changed. This will be my last question, I will be accepting your last answer as the correct one.

Hello Paul,

AIP-SSM can automatically synchronize its clock with the clock in the ASA in which it is installed. This is the default.

Now you are saying it is not synchronized, or at least not properly.

If you do a show clock detail you should see whether NTP is used or not.

Now, as the following quote from Cisco says:

"All IPS modules (IDSM-2, NM-CIDS, and AIP-SSM) synchronize their system clocks to the parent chassis clock (switch, router, or firewall) each time the module boots up and any time the parent chassis clock is set. The module clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the module clock and the parent clock are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs."

You will need to configure NTP for this to work:

Follow this:

Configuring the Sensor to Use an NTP Time Source

The sensor requires a consistent time source. We recommend that you use an NTP server. Use the following procedure to configure the sensor to use the NTP server as its time source.


Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.



Note You must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. For more information, see Configuring a Cisco Router to be an NTP Server.


To configure the sensor to use an NTP server as its time source, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter configuration mode:

sensor# configure terminal

Step 3 Enter service host mode:

sensor(config)# service host

Step 4 Enter NTP configuration mode:

sensor(config-hos)# ntp-option enable

Step 5 Enter the NTP server IP address and key ID:

sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID

The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.

Example:

sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100

Step 6 Enter the NTP server's key value:

sensor(config-hos-ena)# ntp-keys key_ID md5-key key_value

The key value is text (numeric or character). This is the key value that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.

Example:

sensor(config-hos-ena)# ntp-keys 100 md5-key attack

Step 7 Verify the NTP settings:

sensor(config-hos-ena)# show settings
   enabled
   -----------------------------------------------
      ntp-keys (min: 1, max: 1, current: 1)
      -----------------------------------------------
         key-id: 100
         -----------------------------------------------
            md5-key: attack
         -----------------------------------------------
      -----------------------------------------------
      ntp-servers (min: 1, max: 1, current: 1)
      -----------------------------------------------
         ip-address: 10.16.0.0
         key-id: 100
      -----------------------------------------------
-----------------------------------------------
sensor(config-hos-ena)#

Step 8 Exit NTP configuration mode:

sensor(config-hos-ena)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]

Step 9 Press Enter to apply the changes or enter no to discard them.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
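The ntp-servers key-id and ntp-keys md5-key values in the procedure above are what the sensor places on the wire as an NTP MD5 authenticator. The Python below is an added example, not Cisco's code or anything posted in this thread: it builds an authenticated NTPv3 client packet and checks a received packet's authenticator against a table of trusted keys, using a constructed key ID and key value rather than the thread's.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the thread): the sensor-side
# ntp-servers key-id and the plaintext ntp-keys md5-key.
KEY_ID = 330
KEY_VALUE = b"example-key"

NTP_HEADER_LEN = 48          # fixed NTP header, no extension fields
AUTH_LEN = 4 + 16            # 4-byte key ID + 16-byte MD5 digest


def build_client_request(key_id: int, key: bytes) -> bytes:
    """Build an NTPv3 client (mode 3) packet with an MD5 authenticator.

    First byte: LI=0, VN=3, Mode=3 -> 0x1B. The other header fields are
    left zero here (a real client fills the Transmit Timestamp); the
    point is the authenticator layout: key ID, then MD5(key || header).
    """
    header = bytes([0x1B]) + bytes(NTP_HEADER_LEN - 1)
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_authenticator(packet: bytes, keys: dict) -> tuple:
    """Check an NTP packet's MD5 authenticator against trusted keys.

    Returns (ok, reason). This is the check a client such as the sensor
    must pass before trusting a reply: the key ID must be one it has
    configured, and the digest must match under that key's value.
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "no authenticator present (unauthenticated packet)"
    if len(packet) != NTP_HEADER_LEN + AUTH_LEN:
        return False, f"unexpected packet length {len(packet)}"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    mac = packet[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False, f"key-id {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(mac, expected):
        return False, f"MD5 mismatch for key-id {key_id} (wrong key value?)"
    return True, f"authenticated with key-id {key_id}"


if __name__ == "__main__":
    pkt = build_client_request(KEY_ID, KEY_VALUE)
    print(verify_authenticator(pkt, {KEY_ID: KEY_VALUE}))   # ok
    print(verify_authenticator(pkt, {KEY_ID: b"wrong"}))    # digest mismatch
    print(verify_authenticator(pkt, {999: KEY_VALUE}))      # untrusted key-id
```

The key value entered on the sensor is the plaintext key; when a router's running config shows `ntp authentication-key <id> md5 <string> 7`, the trailing 7 marks the string as IOS type-7 encrypted form, not the value to type into ntp-keys.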

Hi Julio,

Thanks for your comments, I tried the NTP server route and had little luck, perhaps you've come across my error... see my original comment. I'm getting the error message....

"errUnacceptableValue - Cannot connect to NTP server or NTP server is not running"

I thought with the ASA 5512X - IPS_SSP the communication with the NTP server which is on my inside network for the ASA would be via the PortChannel 0/0 interface. I can't seem to ping the NTP server from the sensor. I think this is where that comes unstuck.

I've read that with this model of ASA and the IPS software sensor that the time is supposed to be taken from the ASA which is connected to a NTP server.

Cheers,

Paul

Arsen Gharibyan
Level 1

Can you post the output from "show module ips detail"?

Hi Arsen,

As requested...

Card Type:          ASA 5512-X IPS Security Services Processor
Model:              ASA5512-IPS
Hardware version:   N/A
Serial Number:      FCH1717JBNV
Firmware version:   N/A
Software version:   7.2(1)E4
MAC Address Range:  6c41.6a1f.03be to 6c41.6a1f.03be
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.2(1)E4
Data Plane Status:  Up
Status:             Up
License:            IPS Module  Enabled  perpetual
Mgmt IP addr:       192.168.100.99
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.100.1
Mgmt Access List:   192.168.1.0/24
Mgmt Access List:   192.168.100.0/24
Mgmt web ports:     443
Mgmt TLS enabled:   true

Cheers,

Paul
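The management fields in the output above decide how the sensor would reach an NTP server: on the management subnet it is on-link, otherwise everything goes to the Mgmt Gateway. The Python below is an added example, not from the thread or from Cisco: it parses those fields and reports the path for a given server address, using a constructed sample that mirrors the posted values and an assumed NTP server address of 192.168.1.1.

```python
import ipaddress

# Constructed sample of the relevant "show module ips detail" lines,
# mirroring the values posted in the thread.
SHOW_MODULE_OUTPUT = """\
Mgmt IP addr:       192.168.100.99
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.100.1
Mgmt Access List:   192.168.1.0/24
Mgmt Access List:   192.168.100.0/24
"""


def parse_mgmt(output: str) -> dict:
    """Pull the management-interface fields out of the show module text."""
    fields = {"acl": []}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Mgmt IP addr":
            fields["ip"] = value
        elif key == "Mgmt Network mask":
            fields["mask"] = value
        elif key == "Mgmt Gateway":
            fields["gateway"] = value
        elif key == "Mgmt Access List":
            fields["acl"].append(value)
    return fields


def ntp_path(output: str, ntp_server: str) -> dict:
    """Describe how the sensor's management interface reaches ntp_server."""
    m = parse_mgmt(output)
    iface = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
    server = ipaddress.ip_address(ntp_server)
    gateway = ipaddress.ip_address(m["gateway"])
    on_link = server in iface.network
    return {
        "on_link": on_link,
        # Off-link traffic can only leave via the management gateway, so
        # that gateway must route to the server's subnet and back.
        "via_gateway": None if on_link else str(gateway),
        "gateway_on_link": gateway in iface.network,
        # The access list governs who may manage the sensor, not where
        # the sensor itself may send; it is reported only for context.
        "server_in_acl": any(server in ipaddress.ip_network(a) for a in m["acl"]),
    }


if __name__ == "__main__":
    print(ntp_path(SHOW_MODULE_OUTPUT, "192.168.1.1"))  # assumed NTP server
```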

OK, thanks.

Do you have an IP address on the management interface?

If you do, where is it connected?
