Teach Cisco ASA to speak NTP
Time is precious, even more when you need accurate logging . Let's configure NTP time synchronization on our ASA 5510. Configs are pretty simple, but worth remembering a thing or two.
- ASA can not be NTP server as opposed to IOS.
- You can use prefer optional keyword with ntp server command but ... it works if you have multiple servers having "the same accuracy" by Cisco.com words. In people's language they mean the same stratum. If your Cisco ASA has 2 NTP servers configured - one of stratum 2 and other of stratum 3 , even if you put stratum 3 server as preferred the one of stratum 2 will be selected.
- Authentication is available but oprional. The only algorithm of choice is MD5.
- You can have multiple trusted keys at the same time, I guess they will be tried in turn (needs verification).
Ok then, let's configure it - NTP server is 153.6.3.3, use authentication, MD5.
TokyoASA1(config)#ntp authentication-key 1 md5 CISCO
TokyoASA1(config)#ntp trusted-key 1
TokyoASA1(config)#ntp server 153.6.3.3 ?
key Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
TokyoASA1(config)#ntp server 153.6.3.3 key 1
TokyoASA1(config)#ntp authenticate
**Debug**:
TokyoASA1#**debug ntp ?**
adjust NTP clock adjustments
authentication NTP authentication
events NTP events
loopfilter NTP loop filter
packets NTP packets
params NTP clock parameters
select NTP clock selection
sync NTP clock synchronization
validity NTP peer clock validity
**Verification**:
TokyoASA1#**sh ntp stat**
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec
TokyoASA1# **sh ntp ass**
address ref clock st when poll reach delay offset disp
~153.6.3.3 .LOCL. 1 26 64 0 2.0 -37796 16000.
- master (synced), # master (unsynced), + selected, - candidate, ~ configured
Some debug output comes next :
TokyoASA1# NTP: Authentication key 1
NTP: 153.6.3.3 reachable
NTP: sync change
NTP: peer stratum change
TokyoASA1#**sh ntp stat**
Clock is synchronized, stratum 2, reference is 153.6.3.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec
```
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.