Cisco Support Community

New Member

Set clock on AIP-SSC-5

How are you supposed to set the clock on the AIP-SSC-5 module?

There doesn't seem to be any way to set the clock manually; you have to use NTP. The problem is that the module refuses to set the clock if the time it gets through NTP is more than 1000 seconds off. An attempt to do so results in the following error message:

"time correction of 97513010 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time."

The manual says that the module is supposed to sync its time with the appliance when it boots up, but I've restarted both the module and the appliance several times to no effect.

This is driving me crazy. Surely there has to be some way to set the clock?

/Mats

7 REPLIES
Super Bronze

Set clock on AIP-SSC-5

There is no way to manually set the clock on the module. The module either gets its time from the ASA, or you can configure NTP on it.

However, please kindly be advised that time can drift apart if you use the ASA as its time source, so it is highly recommended that you use NTP on the AIP module.

Here is the information on setting up time on the AIP module for your reference:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_setup.html#wp1161015

New Member

Re: Set clock on AIP-SSC-5

Unfortunately none of the documented methods seem to work.

Rebooting the ASA doesn't update the clock on the AIP.

Rebooting the AIP doesn't update the clock on the AIP.

Manually setting the clock on the ASA doesn't update the clock on the AIP.

Synching the ASA clock using NTP doesn't update the clock on the AIP.

Synching the clock on the AIP using NTP doesn't work since the time difference is too large.

The ASA clock is correct and it syncs using NTP, but whatever I do the AIP refuses to set its clock. The clock is about 3 years behind.

We're currently trying to use a service account to get access to the Linux prompt on the AIP; maybe we can set the clock manually that way.

Message was edited by: Mats Bredell

Cisco Employee

Set clock on AIP-SSC-5

Have you double-checked the GMT on the AIP? Maybe it is the same time but in a different time zone.

Mike

New Member

Set clock on AIP-SSC-5

As I stated above, there's a three-year time difference. The ASA has the correct time, the AIP thinks it's June 2009.

Cisco Employee

Set clock on AIP-SSC-5

Have you tried to reset it?

Mike Rojas

Security Technical Lead

New Member

Set clock on AIP-SSC-5

Now we've managed to solve it. This is what we had to do:

1. Enable NTP sync on the AIP.

2. Log in to the unix shell using a service account.

3. Stop the NTP server in unix.

4. Set the clock manually using the date command in unix.

5. Start the NTP server in unix.

6. Log out from the unix shell.

This will make the clock run correctly in the AIP. It will still run correctly after a reload, but if the ASA loses power the procedure will probably have to be repeated.

I don't know what's wrong with our AIP, but the clock certainly doesn't behave as documented.
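Steps 3 to 5 of the procedure above, sketched as an added example that is not part of the original post and is not Cisco's code. It compares the offset against the 1000-second limit from the quoted error and prints the commands instead of running them. Assumptions: the NTP daemon is controlled by an init script at the hypothetical path in `NTP_INIT`, the shell has GNU `date`, and the two epoch values in the comment are constructed to match the offset in the error message.

```shell
#!/bin/sh
# Added example: plan the manual clock fix from the thread (print-only).
# Assumptions, not from the thread: NTP_INIT is a hypothetical init script
# path for the NTP daemon, and GNU date (`date -u -s @EPOCH`) is available.
NTP_INIT="${NTP_INIT:-/etc/init.d/ntpd}"
SANITY_LIMIT=1000   # seconds, taken from the quoted error message

# abs_offset NOW_EPOCH TARGET_EPOCH -> absolute difference in seconds
abs_offset() {
    d=$(( $2 - $1 ))
    if [ "$d" -lt 0 ]; then
        d=$(( 0 - d ))
    fi
    echo "$d"
}

# plan_clock_fix NOW_EPOCH TARGET_EPOCH
# Prints one comment line when NTP can correct the clock by itself,
# otherwise a comment line plus the stop / set / start sequence.
plan_clock_fix() {
    off=$(abs_offset "$1" "$2")
    if [ "$off" -le "$SANITY_LIMIT" ]; then
        echo "# offset ${off}s is within ${SANITY_LIMIT}s: NTP can correct it"
        return 0
    fi
    echo "# offset ${off}s exceeds ${SANITY_LIMIT}s: set the clock by hand"
    echo "$NTP_INIT stop"        # step 3: stop the NTP daemon
    echo "date -u -s @$2"        # step 4: set the clock to the correct UTC time
    echo "$NTP_INIT start"       # step 5: start the NTP daemon again
}

# Constructed sample: a sensor clock in June 2009 that is 97513010 s behind.
#   plan_clock_fix 1245000000 1342513010
# Live use, with the correct epoch taken from a trusted host:
#   plan_clock_fix "$(date -u +%s)" CORRECT_EPOCH
```

Review the printed commands before running them as root on the sensor.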

Super Bronze

Set clock on AIP-SSC-5

Thanks for sharing the steps.

Definitely sounds like a bug to me.
