Saturday, August 10, 2013

Network Time Protocol (NTP) on an ASA

To ensure precise synchronization of the ASA's clock with the rest of your network, you should configure the ASA to obtain time information from a trusted NTP server. To do so, navigate to Configuration > Device Setup > System Time > NTP. The NTP settings window opens. To define a new NTP time source, click Add to open the Add NTP Server Configuration dialog box. Define the IP address of the new NTP time source, the ASA interface through which this NTP server can be reached, whether this is a preferred time source, and any information relevant to the use of authenticated NTP communication.


You can configure additional NTP servers (a minimum of three associations is recommended for optimal accuracy and redundancy), but you can only enter IP addresses when defining NTP servers; logical names (FQDNs) to be resolved to IP addresses via DNS are not accepted. Note that an ASA can act only as an NTP client, not as an NTP server. Using an NTP server reachable through the outside interface without authentication is inherently subject to potential compromise, so it should be done only as a backup to an internal NTP server, if one is available.

The ASA will choose the NTP server with the lowest stratum number and synchronize to that server. A stratum number indicates the distance from the reference clock, so a lower stratum number implies that a server is more reliable than others with a higher stratum number. If several servers have similar accuracy, the preferred server is used.

ciscoasa# show clock detail
15:58:33.269 UTC Tue Jul 2 2013
Time source is hardware calendar

ciscoasa# ping sg.pool.ntp.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.123.48.219, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/128/150 ms
ciscoasa# configure terminal
ciscoasa(config)# ntp server 203.123.48.219 source outside prefer
ciscoasa(config)# show clock detail
16:01:36.546 UTC Tue Jul 2 2013
Time source is NTP

ciscoasa(config)# show ntp association
      address         ref clock     st  when  poll reach  delay  offset    disp
*~203.123.48.219   118.143.17.82     2     6    64    1    76.6   39.08  15890.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
ciscoasa(config)# show ntp association detail
203.123.48.219 configured, our_master, sane, valid, stratum 2
ref ID 118.143.17.82, time d57d7291.6422c85d (15:38:57.391 UTC Tue Jul 2 2013)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 42.53 msec, root disp 63.16, reach 1, sync dist 16013.336
delay 76.58 msec, offset 39.0848 msec, dispersion 15890.63
precision 2**21, version 3
org time d57d77fc.da7ce622 (16:02:04.853 UTC Tue Jul 2 2013)
rcv time d57d77fc.da494f2d (16:02:04.852 UTC Tue Jul 2 2013)
xmt time d57d77fc.c6ac08bd (16:02:04.776 UTC Tue Jul 2 2013)
filtdelay =    76.58    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =   39.08    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =    15.63 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
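As an added example (not part of the original post), the unauthenticated association configured in the session above is shown beside an authenticated configuration that uses internal servers; the 10.0.0.5 and 10.0.0.6 addresses, key id 1 and the key string are placeholders, not values from the post.

```cisco
! Added example, not from the original post.
! Weak: unauthenticated server reached through the outside interface,
! exactly as configured in the session above. The ASA cannot verify
! who sent the replies, so the time source itself is unverified.
ntp server 203.123.48.219 source outside prefer

! Hardened: authenticated associations with internal servers.
! Key id 1 and the key string are placeholders; the addresses are
! placeholders for internal NTP servers.
ntp authentication-key 1 md5 KEY-STRING-PLACEHOLDER
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 10.0.0.6 key 1 source inside
! Once "ntp authenticate" is enabled, the ASA synchronizes only with
! servers that present a trusted key, so an unauthenticated outside
! server configured alongside these would no longer be used as a backup.
! The post recommends at least three associations; add further
! authenticated servers in the same way.

! Verify: the configured server should appear with "*" (synced master)
! and a low stratum, as in the output above.
show ntp association
show ntp association detail
```

After applying the change, "show clock detail" should again report "Time source is NTP"; if it falls back to the hardware calendar, check that the key id and key string match on both sides.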

1 comment:

  1. Thanks a lot, this clarified a question I had about not being able to use FQDNs for ASA NTP.
