Teach Cisco ASA to speak NTP

Time is precious, even more so when you need accurate logging. Let's configure NTP time synchronization on our ASA 5510. The config is pretty simple, but a few things are worth remembering.

  • The ASA cannot act as an NTP server, unlike IOS.
  • You can use the optional prefer keyword with the ntp server command, but it only matters when you have multiple servers of "the same accuracy", in Cisco.com's words; in plain language they mean the same stratum. If your Cisco ASA has two NTP servers configured, one of stratum 2 and the other of stratum 3, the stratum 2 server will be selected even if you mark the stratum 3 server as preferred.
  • Authentication is available but optional. The only algorithm of choice is MD5.
  • You can have multiple trusted keys at the same time; I guess they will be tried in turn (needs verification).

Ok then, let's configure it - NTP server is, use authentication, MD5.

```
TokyoASA1(config)#ntp authentication-key 1 md5 CISCO
TokyoASA1(config)#ntp trusted-key 1
TokyoASA1(config)#ntp server ?

  key     Configure peer authentication key
  prefer  Prefer this peer when possible
  source  Interface for source address

TokyoASA1(config)#ntp server key 1
TokyoASA1(config)#ntp authenticate
```


```
TokyoASA1# debug ntp ?

  adjust          NTP clock adjustments
  authentication  NTP authentication
  events          NTP events
  loopfilter      NTP loop filter
  packets         NTP packets
  params          NTP clock parameters
  select          NTP clock selection
  sync            NTP clock synchronization
  validity        NTP peer clock validity
```

```
TokyoASA1# sh ntp stat

Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec

TokyoASA1# sh ntp ass
  address         ref clock     st  when  poll reach  delay  offset    disp
~                 .LOCL.         1    26    64     0    2.0  -37796  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
```

Some debug output comes next:

```
TokyoASA1# NTP: Authentication key 1
NTP: reachable
NTP: sync change
NTP: peer stratum change

TokyoASA1# sh ntp stat

Clock is synchronized, stratum 2, reference is
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec
```
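The two `sh ntp stat` outputs above differ in exactly the fields a monitoring job should watch: sync state, stratum (16 means no usable source), offset, and in `sh ntp ass` the peer's `reach` register (0 means the server never answered, which is what a wrong key or a blocked UDP/123 path looks like). The following is an added example, not code from the original post: a small Python checker that parses both command outputs; the sample text is constructed in the ASA's layout with 192.0.2.x documentation addresses as placeholders.

```python
import re
# Constructed samples in the layout the ASA prints (not the original post's output;
# 192.0.2.x are documentation addresses used as placeholders).
UNSYNCED = """Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec"""
SYNCED = """Clock is synchronized, stratum 2, reference is 192.0.2.10
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec"""
ASSOC = """  address         ref clock     st  when  poll reach  delay  offset    disp
*~192.0.2.10     .GPS.          1    26    64   377    2.0   -2.97   18.57
 ~192.0.2.11     .LOCL.         1    26    64     0    2.0  -37796  16000."""

_STATUS = re.compile(r"Clock is (synchronized|unsynchronized), stratum (\d+),"
                     r" (?:reference is (\S*)|no reference clock)")
_OFFSET = re.compile(r"clock offset is (-?[\d.]+) msec")
# groups: flag, address, ref clock, stratum, reach (the when and poll columns are skipped)
_ASSOC = re.compile(r"^\s*([*#+\-]?)~?(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+([0-7]+)", re.M)

def parse_ntp_status(text):
    """Parse `show ntp status`: sync state, stratum, reference and offset."""
    m = _STATUS.search(text)
    if not m:
        raise ValueError("unrecognized show ntp status output")
    off = _OFFSET.search(text)
    return {"synced": m.group(1) == "synchronized", "stratum": int(m.group(2)),
            "reference": m.group(3) or None,
            "offset_ms": float(off.group(1)) if off else None}

def parse_ntp_associations(text):
    """Parse `show ntp associations`; reach is an 8-poll shift register printed in octal."""
    return [{"addr": addr, "refclock": refclk, "stratum": int(st), "selected": flag == "*",
             "replies_last8": bin(int(reach, 8)).count("1")}
            for flag, addr, refclk, st, reach in _ASSOC.findall(text)]

def check_ntp(status_text, assoc_text, max_offset_ms=500.0):
    """Return findings a monitoring job should alert on; an empty list means healthy."""
    status, peers, findings = parse_ntp_status(status_text), parse_ntp_associations(assoc_text), []
    if not status["synced"] or status["stratum"] >= 16:
        findings.append("clock unsynchronized (stratum %d)" % status["stratum"])
    elif status["offset_ms"] is not None and abs(status["offset_ms"]) > max_offset_ms:
        findings.append("offset %.1f ms exceeds %.0f ms" % (status["offset_ms"], max_offset_ms))
    for p in peers:
        if p["replies_last8"] == 0:  # never answered: wrong key, ACL or routing problem
            findings.append("peer %s unreachable (reach 0)" % p["addr"])
    if not any(p["selected"] for p in peers):
        findings.append("no peer selected as master")
    return findings
```

Feed it the output collected over SSH or from a syslog-triggered job; a reach of 0 together with "Authentication key" debug lines usually points at a key mismatch rather than a network problem.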

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ so you don't miss what I publish on LinkedIn, GitHub, the blog, and more.