
New Member

Can't get IPS Sensor to communicate with NTP server

Hi Experts,

I've been trying to set up my IPS sensor, which is running on my ASA 5512X, but every time I try to get the sensor to get time from my NTP server, it fails with the error message "errUnacceptableValue - Cannot connect to NTP server or NTP server is not running".

I'm connecting to my IPS module via the management interface, which is on 192.168.100.0/24; my inside network, where the NTP server is, is 192.168.1.0/24.

The Cisco router serving as the NTP server is an 800 series; below is its configuration:

ntp authentication-key 330 md5 047804081B244F603D29 7

ntp trusted-key 330

ntp source Vlan3

ntp master 5

ntp server 202.22.158.31

I suspect that the sensor just can't reach the router because of my setup, but I thought it would be able to communicate because of the backplane network, which, as I understand it, on the ASA 5512X incorporates all interfaces?... Confused.

Please help!!!!
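The router configuration quoted above stores the NTP key with the trailing `7`, which is Cisco IOS "type 7" obfuscation. The following is an added example, not code from this thread or from Cisco: it implements the type 7 encode/decode transform so you can see that it is a fixed-table XOR rather than encryption, and it scans a constructed IOS config fragment for `ntp authentication-key ... 7` lines the way someone with read access to the running-config would. The key value in `SAMPLE_CONFIG` is made up for the example; the `"cisco"`/`0822455D0A16` pair is the commonly cited public test vector. Because the line posted in the question uses this format, that key should be treated as disclosed and rotated.

```python
"""Added example, not code from the thread: Cisco IOS "type 7" obfuscation,
the format the router config above stores the NTP key in
(`ntp authentication-key 330 md5 <string> 7`). Type 7 is a fixed-table XOR,
not encryption, so anyone who can read the running-config (or a forum post
quoting it) recovers the shared NTP key. The sample key below is constructed."""

# Fixed translation table IOS uses for type 7 ("service password-encryption").
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type-7 string.

    Layout: two decimal digits (offset into XLAT), then one hex byte per
    character, each XORed with the table character at offset + position.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even-length string of at least 4 characters")
    if not encoded[:2].isdigit():
        raise ValueError("type 7 strings start with a two-digit decimal seed")
    seed = int(encoded[:2])
    try:
        body = bytes.fromhex(encoded[2:])
    except ValueError as exc:
        raise ValueError("type 7 body must be hexadecimal") from exc
    plain = bytes(b ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce a type-7 string. IOS picks a small seed itself; the seed adds no secrecy."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed must index into XLAT")
    body = bytes(ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def audit_ntp_keys(config: str) -> dict:
    """Scan an IOS config for `ntp authentication-key <id> md5 <value> 7` lines
    and return {key_id: recovered_key}: the view an attacker with config access has."""
    found = {}
    for line in config.splitlines():
        parts = line.split()
        if (len(parts) == 6 and parts[:2] == ["ntp", "authentication-key"]
                and parts[3] == "md5" and parts[5] == "7"):
            found[int(parts[2])] = type7_decode(parts[4])
    return found


# Constructed sample config; the key is made up for this example.
SAMPLE_CONFIG = """\
ntp authentication-key 330 md5 {} 7
ntp trusted-key 330
ntp master 5
""".format(type7_encode("example-ntp-key", seed=4))
```

If the key must stay in the config, the mitigation is operational rather than cryptographic: restrict who can view the running-config, scrub keys before pasting configs anywhere, and rotate any key that has been exposed.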

24 REPLIES

Can't get IPS Sensor to communicate with NTP server

I assume reachability is not a problem. I reckon the problem here is with the MD5 authentication enabled in your router (acting as NTP server). Can you try disabling MD5 authentication and see what happens?

no ntp authentication-key 330 md5 047804081B244F603D29 7

no ntp trusted-key 330

HTH

Please rate replies and mark question as "answered" if applicable.

New Member

Can't get IPS Sensor to communicate with NTP server

Thanks for the quick response.

I suspect it may be a reachability issue as I can't even ping the 192.168.1.0 network when logged onto the IPS sensor. Access control list is set to allow this network.

Thoughts on why I can't even ping the inside network?

Can't get IPS Sensor to communicate with NTP server

Ok, then the issue is with your routing.

From your IPS, perform a traceroute to the NTP server's IP and then check where it stops.

Please rate replies and mark question as "answered" if applicable.

New Member

Can't get IPS Sensor to communicate with NTP server

The output is of no assistance.

1  * * *

2  * * *

3  * * *

4  * * *

At the moment I have only one virtual sensor set up VS0, this is applied to port channel 0/0

Can't get IPS Sensor to communicate with NTP server

Can you make sure your IPS has a default gateway configured?

Please rate replies and mark question as "answered" if applicable.

New Member

Can't get IPS Sensor to communicate with NTP server

This was where I was a little confused: the IPS network is set up on the management interface (it has to be on this model), and the default gateway on the management interface goes nowhere, as it's just a management interface. What do I need to do?

New Member

Can't get IPS Sensor to communicate with NTP server

Ok, I've had a dig into this, and for the ASA 5512X the time is set from the ASA itself; the clock set command is unavailable. The issue I have is that my ASA clock is synced with an NTP server online, but the time on my IPS is completely different.

Can't get IPS Sensor to communicate with NTP server

Clock set is only applicable to a standalone sensor. The ASA 5500-X IPS modules automatically synchronize their clocks with the clock of the adaptive security appliance in which they are installed. This is the default. Maybe it just takes time for the sensor to sync.

Can you check your ASA for denied NTP logs?

Please rate replies and mark question as "answered" if applicable.

New Member

Can't get IPS Sensor to communicate with NTP server

Thanks for your assistance with this, is there any way to force the sensor clock to synchronize with the ASA clock? It's been 24hrs and they're still over a minute apart. The gap between the two clocks has not changed. This will be my last question, I will be accepting your last answer as the correct one.

Can't get IPS Sensor to communicate with NTP server

Hello Paul,

AIP-SSM can automatically synchronize its clock with the clock in the ASA in which it is installed. This is the default.

Now you are saying it is not synchronized, or at least not properly.

If you do a show clock detail you should see whether NTP is used or not.

Now, as the following quote from Cisco says:

"All IPS modules (IDSM-2, NM-CIDS, and AIP-SSM) synchronize their system clocks to the parent chassis clock (switch, router, or firewall) each time the module boots up and any time the parent chassis clock is set. The module clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the module clock and the parent clock are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs."

You will need to configure NTP for this to work:

Follow this:

Configuring the Sensor to Use an NTP Time Source

The sensor requires a consistent time source. We recommend that you use an NTP server. Use the following procedure to configure the sensor to use the NTP server as its time source.


Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.



Note You must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. For more information, see Configuring a Cisco Router to be an NTP Server.


To configure the sensor to use an NTP server as its time source, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter configuration mode:

sensor# configure terminal

Step 3 Enter service host mode:

sensor(config)# service host

Step 4 Enter NTP configuration mode:

sensor(config-hos)# ntp-option enable

Step 5 Enter the NTP server IP address and key ID:

sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID

The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.

Example:

sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100

Step 6 Enter the NTP server's key value:

sensor(config-hos-ena)# ntp-keys key_ID md5-key key_value

The key value is text (numeric or character). This is the key value that you already set up on the NTP server. See Step 3 of Configuring a Cisco Router to be an NTP Server.

Example:

sensor(config-hos-ena)# ntp-keys 100 md5-key attack

Step 7 Verify the NTP settings:

sensor(config-hos-ena)# show settings
   enabled
   -----------------------------------------------
      ntp-keys (min: 1, max: 1, current: 1)
      -----------------------------------------------
         key-id: 100
         -----------------------------------------------
            md5-key: attack
         -----------------------------------------------
      -----------------------------------------------
      ntp-servers (min: 1, max: 1, current: 1)
      -----------------------------------------------
         ip-address: 10.16.0.0
         key-id: 100
      -----------------------------------------------
-----------------------------------------------
sensor(config-hos-ena)#

Step 8 Exit NTP configuration mode:

sensor(config-hos-ena)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]

Step 9 Press Enter to apply the changes or enter no to discard them.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
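The procedure quoted above pairs a key ID with an MD5 key on both the router (`ntp authentication-key <id> md5 <key>`) and the sensor (`ntp-keys <id> md5-key <value>`). The following is an added example, not code from this thread, from Cisco, or from the IPS product: it builds the packets both sides exchange under RFC 5905 symmetric-key authentication (48-byte NTP header followed by a 4-byte key ID and MD5(key || header)), models a router with `ntp master 5` that only answers requests it can verify, and shows the client-side checks a sensor performs before accepting a reply. Key ID 330 matches the router line posted in the question; the key value, the timestamps and the router model are constructed for the example. `query_server` is included to run the same exchange against a real server on UDP/123, but nothing in the block contacts the network by itself.

```python
"""Added example (not code from the thread): what an NTP client such as the
IPS sensor sends to a Cisco router configured with
`ntp authentication-key <id> md5 <key>`, and how each side checks the other.

RFC 5905 symmetric-key authentication appends to the 48-byte NTP header a
4-byte key ID and MD5(key || header). The key is the ASCII string from the
router's `ntp authentication-key` line (the IPS `ntp-keys <id> md5-key
<value>` line carries the same text). The key value and timestamps used in
the tests are constructed for this example."""
import hashlib
import hmac
import socket
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48
MAC_LEN = 4 + 16                   # key ID + MD5 digest
HEADER_FMT = "!BBBbIIIQQQQ"        # LI/VN/mode, stratum, poll, precision, root delay,
                                   # root dispersion, ref id, ref/orig/recv/xmit timestamps


def to_ntp_ts(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs = int(unix) + NTP_EPOCH_OFFSET
    frac = int((unix - int(unix)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_header(mode, stratum=0, orig=0.0, recv=0.0, xmit=0.0, version=4) -> bytes:
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       0, to_ntp_ts(orig), to_ntp_ts(recv), to_ntp_ts(xmit))


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the RFC 5905 symmetric-key authenticator: keyid || MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet: bytes, key_id: int, key: bytes) -> bool:
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                      # unauthenticated packet, or a crypto-NAK
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if struct.unpack("!I", trailer[:4])[0] != key_id:
        return False                      # peer signed with a key ID we do not trust
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, trailer[4:])


def parse_header(packet: bytes) -> dict:
    f = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "orig": from_ntp_ts(f[8]), "recv": from_ntp_ts(f[9]), "xmit": from_ntp_ts(f[10])}


def client_request(key_id: int, key: bytes, now: float) -> bytes:
    """Sensor side: mode 3 (client) request carrying our transmit timestamp."""
    return authenticate(build_header(mode=3, xmit=now), key_id, key)


def router_reply(request: bytes, key_id: int, key: bytes, now: float, stratum: int = 5):
    """Model of a router with `ntp master 5`: answer only requests it can verify."""
    if not verify(request, key_id, key):
        return None
    req = parse_header(request)
    header = build_header(mode=4, stratum=stratum, orig=req["xmit"], recv=now, xmit=now)
    return authenticate(header, key_id, key)


def client_accepts(reply, key_id: int, key: bytes, sent_at: float) -> bool:
    """Sensor side: MAC must check out and the origin timestamp must echo our request."""
    if reply is None or not verify(reply, key_id, key):
        return False
    hdr = parse_header(reply)
    return hdr["mode"] == 4 and hdr["stratum"] > 0 and abs(hdr["orig"] - sent_at) < 1e-6


def query_server(host: str, key_id: int, key: bytes, timeout: float = 2.0):
    """Send one authenticated request on UDP/123; return the verified reply header or None."""
    import time
    sent_at = time.time()
    request = client_request(key_id, key, sent_at)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
    return parse_header(reply) if client_accepts(reply, key_id, key, sent_at) else None
```

Two things worth noticing when reading the exchange: the MAC covers only the 48-byte header, so the shared key authenticates the time values but does nothing to hide them, and a key ID mismatch or wrong key simply yields no usable reply, which is consistent with the sensor reporting the server as unreachable rather than reporting an authentication failure.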
New Member

Can't get IPS Sensor to communicate with NTP server

Hi Julio,

Thanks for your comments. I tried the NTP server route and had little luck; perhaps you've come across my error... see my original comment. I'm getting the error message...

"errUnacceptableValue - Cannot connect to NTP server or NTP server is not running"

I thought with the ASA 5512X - IPS_SSP the communication with the NTP server which is on my inside network for the ASA would be via the PortChannel 0/0 interface. I can't seem to ping the NTP server from the sensor. I think this is where that comes unstuck.

I've read that with this model of ASA and the IPS software sensor that the time is supposed to be taken from the ASA which is connected to a NTP server.

Cheers,

Paul

New Member

Can't get IPS Sensor to communicate with NTP server

Can you post the output from "show module ips detail"?

New Member

Can't get IPS Sensor to communicate with NTP server

Hi Arsen,

As requested...

Card Type:          ASA 5512-X IPS Security Services Processor

Model:              ASA5512-IPS

Hardware version:   N/A

Serial Number:      FCH1717JBNV

Firmware version:   N/A

Software version:   7.2(1)E4

MAC Address Range:  6c41.6a1f.03be to 6c41.6a1f.03be

App. name:          IPS

App. Status:        Up

App. Status Desc:   Normal Operation

App. version:       7.2(1)E4

Data Plane Status:  Up

Status:             Up

License:            IPS Module  Enabled  perpetual

Mgmt IP addr:       192.168.100.99

Mgmt Network mask:  255.255.255.0

Mgmt Gateway:       192.168.100.1

Mgmt Access List:   192.168.1.0/24

Mgmt Access List:   192.168.100.0/24

Mgmt web ports:     443

Mgmt TLS enabled:   true

Cheers,

Paul

New Member

Can't get IPS Sensor to communicate with NTP server

ok thanks

Do you have an IP address on the management interface?

If you do, where is it connected?

New Member

Can't get IPS Sensor to communicate with NTP server

The ip address on the management interface for the sensor is 192.168.100.99. This network is isolated and is not connected to any other network including the inside network.

New Member

Can't get IPS Sensor to communicate with NTP server

You need to make sure that you can ping your DG from the IPS module. Is your IPS on the same network as your inside interface?

New Member

Can't get IPS Sensor to communicate with NTP server

When setting up the sensor, it would not let me use the network which was already set up for the inside network. I had to use the management interface to gain access to sensor, but I can't get the sensor to be on the same network as the inside.

New Member

Can't get IPS Sensor to communicate with NTP server

You can go under the management interface, do no ip address, and make sure that the DG for the IPS is your SVI IP address for that VLAN,

not the IP from the management interface.

New Member

Can't get IPS Sensor to communicate with NTP server

Could you please explain that a bit further please?

New Member

Re: Can't get IPS Sensor to communicate with NTP server

Sure.

example

ASA

inside 192.168.10.0/24

outside public ip

management 192.168.100.10/24

ips 192.168.100.15/24 (DG will be 192.168.100.1)

Layer 3 Switch

VLan 10 ip 192.168.10.1/24

vlan 100 ip 192.168.100.1/24

From the ASA you need to add a static route pointing to the management network (even if the IPS is inside the ASA and reached through the management interface, your ASA still needs to know how to reach it):

ASA(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1

In most cases you might not need to assign an IP address to the management interface, because you can manage it even from inside; just don't forget to add http 192.168.10.0 255.255.255.0 inside.

Just make sure that your DG on the IPS is not the IP address of the management interface (in most cases removing the IP address from the management interface will work just fine).

TEST: log in to the IPS and ping 8.8.8.8

Hope this was helpful. Let me know if you need any assistance.

New Member

Can't get IPS Sensor to communicate with NTP server

Hi Arsen,

Thanks for your input with this. I have to say, this is getting ridiculous, I don't understand why the time between the IPS and ASA just won't sync. For the ASA 5512X there is no hardware module, just software.

I couldn't add the static route, as the route to the management interface is already directly connected.

I tried to change the IPS address to a address on the inside network, it falls over and you have to fix it from the command line.

Currently the IPS and ASA clocks are about 40 seconds apart. Within the ASDM, the option to set the IPS clock is grayed out. The option to apply time to the sensor is also grayed out. Extremely frustrating.

If you view the status of the IPS sensor from the ASDM, its using the ASA clock, not the IPS!!!!!

Why is this so difficult, I think i need to talk to Cisco directly, this just shouldn't be this hard, it's setting a clock!!!

Thanks again for your help.

Paul

New Member

Re: Can't get IPS Sensor to communicate with NTP server

You're welcome. You can't add the route because you have an IP assigned to your management interface.

New Member

Re: Can't get IPS Sensor to communicate with NTP server

Sorry, I don't understand. If I remove the management IP address, how do I then control the IPS sensor? It didn't seem to let me use the inside network.

New Member

Re: Can't get IPS Sensor to communicate with NTP server

Here is the trick: no IP address on the management interface, but leave the IPS IP. You will be reaching the IPS through the management port (in this case the management port will be only for the IPS).

If you want to use an inside IP on the IPS then you need to do no ip address and also no nameif management.

If the interface is marked as management it will allow only management traffic; if you unmark it, it will become a regular port :)
