ASA5500 using Windows 7 computer as NTP server

IMIC3_support
Level 1

I have an ASA5510 connected to a computer running Windows 7 (the NTP Server) on its "inside" interface.

Using the ASDM, I have configured the ASA5510 to use the Windows 7 as its NTP server (my architecture forces me to use a local machine as an NTP server):

     -IP address: 192.0.99.1 (the ASA5510 has an IP address of 192.0.99.40)

     -Interface: inside

     -Key number: None

     -Enable NTP authentication: no.

I have other Windows computers on the "inside" interface using the NTP Server, so NTP traffic is relayed without any problem. But somehow, the ASA5510 is not able to synchronize with the NTP Server.

I see the following log entry:

     -Source IP: 192.0.99.1

     -Source Port: 123

     -Destination IP: 192.0.99.40

     -Destination port: 65535

     -Description: Teardown UDP connection 3905 for inside: 192.0.99.1/123 to identity: 192.0.99.40/65535 duration 0:02:01 bytes 96

so it seems like the ASA5510 sends a request to the NTP Server, but I am not sure whether the reply doesn't get processed correctly, or the connection stays open too long (my UDP connection timeout is the default, 2 minutes).

I had trouble getting SonicWALL NSA2400s to use Windows 7 devices as NTP servers. I had to get a firmware version where there was no MD5 authentication (which I think is OK in this case), and change a setting in the Windows registry (HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/W32Time/Config/AnnounceFlags: from 0xa to 0x5)

Any insight is welcome.

Pedro

5 Replies

Marvin Rhoads
Hall of Fame

Have you tried sniffing the packets on your server?

I assume you've verified that there's no host firewall blocking the ASA NTP queries.

Yes, I have tried sniffing:

     NTP requests are received from the ASA

     NTP replies are sent by the NTP Server

I have also turned off the firewall on Windows (couldn't get my VPN to work otherwise).

I have turned on all ntp debugging, and run "show ntp status" and "show ntp assoc":

CCG-SHIP-FWL(config)# show debug
debug ntp adjust enabled at level 1
debug ntp authentication enabled at level 1
debug ntp events enabled at level 1
debug ntp packets enabled at level 1
debug ntp params enabled at level 1
debug ntp select enabled at level 1
debug ntp sync enabled at level 1
debug ntp validity enabled at level 1

CCG-SHIP-FWL(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 GMT Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

CCG-SHIP-FWL(config)# show ntp assoc
      address         ref clock     st  when  poll reach  delay  offset    disp
~192.16.99.1      .LOCL.            1   380  1024  337    73.0  255671    71.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

CCG-SHIP-FWL(config)# NTP: xmit packet to 192.16.99.1:
leap 3, mode 3, version 3, stratum 0, ppoll 1024
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (06:28:16.000 GMT Thu Feb 7 2036)
org d34ac42f.4609d99d (20:21:03.273 GMT Tue May 1 2012)
rec d34a6050.3598360c (13:14:56.209 GMT Tue May 1 2012)
xmt d34a6250.22e73ba2 (13:23:28.136 GMT Tue May 1 2012)

NTP: rcv packet from 192.16.99.1 to OWN_FWL_LAN_PORT on inside:
leap 0, mode 4, version 3, stratum 1, ppoll 1024
rtdel 0000 (0.000), rtdsp a0bf4 (10046.692), refid 4c4f434c (76.79.67.76)
ref d34abbb0.bb426e39 (19:44:48.731 GMT Tue May 1 2012)
org d34a6250.22e73ba2 (13:23:28.136 GMT Tue May 1 2012)
rec d34ac62f.3977adb6 (20:29:35.224 GMT Tue May 1 2012)
xmt d34ac62f.3977adb6 (20:29:35.224 GMT Tue May 1 2012)
inp d34a6250.233258a0 (13:23:28.137 GMT Tue May 1 2012)

NTP: nlist 0, allow 0, found 0, low 0.000000, high 0.000000

NTP: no select intersection

NTP: synchronization lost

Me again...

I guess that the Windows implementation of NTP does not satisfy the ASA:

CCG-SHIP-FWL(config)# show ntp associations detail

192.16.99.1 configured, insane, invalid, stratum 1
ref ID .LOCL., time d34abbb0.b985b0ae (19:44:48.724 GMT Tue May 1 2012)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 10058.53, reach 177, sync dist 10127.426
delay 1.05 msec, offset 25567133.8436 msec, dispersion 68.37
precision 2**6, version 3
org time d34aca2f.454c589e (20:46:39.270 GMT Tue May 1 2012)
rcv time d34a6650.232bb0aa (13:40:32.137 GMT Tue May 1 2012)
xmt time d34a6650.22e5d92e (13:40:32.136 GMT Tue May 1 2012)
filtdelay =     1.05    1.14   73.00    0.87    0.53    0.53    3.45    2.06
filtoffset = 2556713 2556708 2556710 2556704 2556704 2556704 2556704 2556702
filterror =    15.63   31.25   39.06   42.97   44.92   45.90   46.68   51.56

If anyone thinks that there is a solution to this (other than running a proper NTP server on my Windows computer), please let me know...
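To make the debug output in the two posts above concrete, here is an added Python example (not from the thread, from Cisco, or from Microsoft) that decodes the "rcv packet" fields the way an NTP client does per RFC 5905: the four timestamps give the clock offset and round-trip delay, and the peer's root delay/dispersion fields give the root distance, which RFC 5905 limits to 1 s (MAXDIST). The sample input is the rcv packet text copied from the debug output above; the peer-dispersion term of the root distance is left out because it needs the clock-filter history, and MAXDIST_MS is an RFC constant, not a value quoted from the ASA.

```python
import re

# Sample input: the "NTP: rcv packet" body from the debug output above
# (constructed here as an inline string so the example runs offline).
RCV_PACKET = """\
leap 0, mode 4, version 3, stratum 1, ppoll 1024
rtdel 0000 (0.000), rtdsp a0bf4 (10046.692), refid 4c4f434c (76.79.67.76)
ref d34abbb0.bb426e39 (19:44:48.731 GMT Tue May 1 2012)
org d34a6250.22e73ba2 (13:23:28.136 GMT Tue May 1 2012)
rec d34ac62f.3977adb6 (20:29:35.224 GMT Tue May 1 2012)
xmt d34ac62f.3977adb6 (20:29:35.224 GMT Tue May 1 2012)
inp d34a6250.233258a0 (13:23:28.137 GMT Tue May 1 2012)
"""

MAXDIST_MS = 1000.0  # RFC 5905 MAXDIST: a peer beyond 1 s root distance is unusable

def ts_seconds(hex_ts):
    """64-bit NTP timestamp 'ssssssss.ffffffff' -> float seconds since 1900."""
    sec, frac = hex_ts.split(".")
    return int(sec, 16) + int(frac, 16) / 2**32

def short_ms(hex_short):
    """32-bit NTP short (16.16 fixed point, used for rtdel/rtdsp) -> milliseconds."""
    return int(hex_short, 16) / 65536 * 1000.0

def parse_rcv_packet(text):
    """Return offset, delay, root distance and refid decoded from the debug text."""
    stamps = dict(re.findall(r"\b(org|rec|xmt|inp) ([0-9a-f]+\.[0-9a-f]+)", text))
    t1, t2 = ts_seconds(stamps["org"]), ts_seconds(stamps["rec"])  # client xmit, server recv
    t3, t4 = ts_seconds(stamps["xmt"]), ts_seconds(stamps["inp"])  # server xmit, client recv
    rtdel = short_ms(re.search(r"rtdel ([0-9a-f]+)", text).group(1))
    rtdsp = short_ms(re.search(r"rtdsp ([0-9a-f]+)", text).group(1))
    refid = bytes.fromhex(re.search(r"refid ([0-9a-f]{8})", text).group(1))
    # RFC 5905 on-wire protocol: offset = ((T2-T1)+(T3-T4))/2, delay = (T4-T1)-(T3-T2)
    offset_ms = ((t2 - t1) + (t3 - t4)) / 2 * 1000.0
    delay_ms = ((t4 - t1) - (t3 - t2)) * 1000.0
    # Root distance = (rootdelay + delay)/2 + rootdisp (+ peer dispersion, omitted here)
    root_distance_ms = (rtdel + delay_ms) / 2 + rtdsp
    return {
        "refid": refid.decode("ascii", "replace"),  # stratum-1 refids are ASCII tags
        "offset_ms": offset_ms,
        "delay_ms": delay_ms,
        "root_distance_ms": root_distance_ms,
        "usable": root_distance_ms < MAXDIST_MS,
    }

if __name__ == "__main__":
    r = parse_rcv_packet(RCV_PACKET)
    print(f"refid={r['refid']} offset={r['offset_ms'] / 3.6e6:.2f} h "
          f"delay={r['delay_ms']:.2f} ms root_distance={r['root_distance_ms']:.1f} ms "
          f"usable={r['usable']}")
```

On this input the refid decodes to LOCL, the offset is about 7.1 hours, and the root distance is about 10 s, ten times the RFC limit, which is consistent with the "insane, invalid" verdict in the show ntp associations detail output.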

Perhaps the excessive offset (over seven hours) is giving it trouble. I recall there used to be some IOS issues along those lines.

I'd at least try setting the ASA time manually close to the actual time and then see if the sync happens.
