Time is precious, even more so when you need accurate logging to know when someone breaks into your systems. Let's configure NTP time synchronization on our ASA 5510.
The config is pretty simple, but there are a thing or two worth remembering:
- The ASA cannot act as an NTP server, as opposed to IOS.
- You can use the optional prefer keyword with the ntp server command, but it only has an effect if you have multiple servers of "the same accuracy", in Cisco.com's words. In plain language they mean the same stratum. If your ASA has 2 servers, one of stratum 2 and the other of stratum 3, the stratum 2 server will be selected even if you mark the stratum 3 server as preferred.
- Authentication is available but optional. The only algorithm available is MD5.
- You can have multiple trusted keys at the same time; I guess they will be tried in turn (needs verification).
OK then, back to the CLI. The NTP server is 153.6.3.3; use authentication with MD5.
TokyoASA1(config)# ntp authentication-key 1 md5 CISCO
TokyoASA1(config)# ntp trusted-key 1
TokyoASA1(config)# ntp server 153.6.3.3 ?
key Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
TokyoASA1(config)# ntp server 153.6.3.3 key 1
TokyoASA1(config)# ntp authenticate
TokyoASA1# debug ntp ?
adjust NTP clock adjustments
authentication NTP authentication
events NTP events
loopfilter NTP loop filter
packets NTP packets
params NTP clock parameters
select NTP clock selection
sync NTP clock synchronization
validity NTP peer clock validity
TokyoASA1# sh ntp stat
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec
TokyoASA1# sh ntp ass
address ref clock st when poll reach delay offset disp
~153.6.3.3 .LOCL. 1 26 64 0 2.0 -37796 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Some debug output comes next:
TokyoASA1# NTP: Authentication key 1
NTP: 153.6.3.3 reachable
NTP: sync change
NTP: peer stratum change
TokyoASA1# sh ntp stat
Clock is synchronized, stratum 2, reference is 153.6.3.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec
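What the ntp authentication-key 1 md5 CISCO, ntp trusted-key 1 and ntp server 153.6.3.3 key 1 lines put on the wire, as an added Python example that is not part of the original post: NTP symmetric-key authentication appends a 4-byte key id and MD5(key || 48-byte header) to each packet, and a receiver accepts the packet only when the key id is trusted and the digest matches. The key id and key string come from the post; the transmit timestamp, the key table and the helper names are the example's own assumptions.

```python
import hashlib
import hmac
import struct
import time

# Key table mirroring "ntp authentication-key 1 md5 CISCO" (from the post);
# the ASCII key string is used directly as the MD5 key. Constructed example.
KEYS = {1: b"CISCO"}

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def build_client_request(version=3, xmt_unix=None):
    """Build a 48-byte NTP client request (mode 3) with leap 3 and stratum 0,
    the same header the ASA sends before it is synchronized."""
    if xmt_unix is None:
        xmt_unix = time.time()
    li_vn_mode = (3 << 6) | (version << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -6)  # LI/VN/mode, stratum, poll 2**6, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference id
    header += struct.pack("!II", 0, 0) * 3               # reference, originate, receive timestamps
    secs = int(xmt_unix) + NTP_EPOCH_OFFSET
    frac = int((xmt_unix - int(xmt_unix)) * (1 << 32))
    header += struct.pack("!II", secs, frac)             # transmit timestamp
    return header

def append_mac(packet, key_id, keys=KEYS):
    """Append the symmetric-key MAC: 4-byte key id followed by MD5(key || packet)."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_mac(packet, keys=KEYS):
    """Return (key_id, ok). ok is False when the packet carries no MAC,
    the key id is not in the trusted table, or the digest does not match."""
    if len(packet) != 48 + 20:
        return (None, False)
    header = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in keys:
        return (key_id, False)
    expected = hashlib.md5(keys[key_id] + header).digest()
    return (key_id, hmac.compare_digest(expected, packet[52:]))

def describe_header(packet):
    """Decode the first two bytes the way 'debug ntp packets' prints them."""
    b = packet[0]
    return {"leap": b >> 6, "version": (b >> 3) & 7, "mode": b & 7, "stratum": packet[1]}
```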
Still it is not synced... please help?
Allsec-ASA5510# show running-config ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 172.29.100.20 key 1
Allsec-ASA5510# NTP: xmit packet to 172.29.100.20:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (06:28:16.000 GMT Thu Feb 7 2036)
org 00000000.00000000 (06:28:16.000 GMT Thu Feb 7 2036)
rec 00000000.00000000 (06:28:16.000 GMT Thu Feb 7 2036)
xmt d2c7ab4a.a142df33 (09:47:54.629 GMT Mon Jan 23 2012)
Authentication key 1