Solved

Cisco ASA 5510 version 7.1(2) Kerberos Clock error

Posted on 2007-03-17
7
781 Views
Last Modified: 2009-03-21
OK, here is the issue. We are runnning a Cisco 5510 ASA Version 7.1(2). The VPN CLient was working correctly until the Network engineer start updating the MS2003 AD with service pack 1 and DST patches. Now the clients can't connect and I am getting an Error on the ASA of "113020: Kerberos error?: Clock Skew with server greater than 300 seconds" The Clock on the ASA matches with the servers in the AD to the second....

The Date and Time between the ASA 5510 and the Domain COntrollers are correct....but the clients can't connect....

0
Comment
Question by:avatech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18741671
Here is a link to what I found on that error message:

http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_chapter09186a008055fd2b.html#wp3153583

The recommended action is to

"Synchronize the clocks on the security appliance and the Kerberos server."

However, you say you've already done this.  Have you rebooted the ASA since the DST updates took place?  Does the timezone on the ASA match the Kerberos server?
0
 
LVL 4

Author Comment

by:avatech
ID: 18742024
Yes, that is the weird part....The date, month, year, timezone, and clock match exactly between the ASA and the Domain Controllers....I have rebotted the ASA twice....still searching. I have even eabled NTp on the ASA, and the NTP is the Domain contoller providing time for the domain, P.C.'s.

It worked saturday at night at midnight, and once they started the Service pack upgrades and installation of the DST MS patches, BAm....VPn is done...
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18742152
I would say that it's time to try upgrading to the 7.2(2) version of the ASA code...do you have access to the updated code?q
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Author Comment

by:avatech
ID: 18742172
dont you need a CCO login with Cisco for the Upgrade? I dont have the CCO login....but I do have a smartnet agreement with this device, I may ahve to dig out the invoice....
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18742321
Yes, you will need a CCO login to download the latest code.  If you have an active SmartNet contract on the ASA then you are most certainly entitled to having a login with download rights.  If you never registered your SmartNet with the device, then you probably were not issued an account.  They will want your ASA serial number which can be obtained by issuing a "show version" command from the CLI.  You will also need your invoice...
0
 
LVL 4

Author Comment

by:avatech
ID: 18743309
Very weird problem. Thanks for all the responses, Once I find a solution I will post it. I am going to contact Cisco today and activate the smartnet agreement..

Thanks
0
 
LVL 4

Author Comment

by:avatech
ID: 18782833
Thanks for your help.  Of all the frantic things not to check was issuing the reload after setting the time manually and changing the time zone from command line.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Telco & Point to Point Internet VPN 3 116
How to configure windows DNS (internal) forwarding to bind DNS (external) 3 45
IPSec Site to Site VPN Topology 6 67
VPN problems 4 65
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question