Cisco ASA 5510 version 7.1(2) Kerberos Clock error

OK, here is the issue. We are running a Cisco 5510 ASA Version 7.1(2). The VPN client was working correctly until the network engineer started updating the MS2003 AD with Service Pack 1 and DST patches. Now the clients can't connect and I am getting an error on the ASA of "113020: Kerberos error?: Clock Skew with server greater than 300 seconds". The clock on the ASA matches the servers in the AD to the second....

The date and time between the ASA 5510 and the Domain Controllers are correct....but the clients can't connect....

avatechAsked:

batry_boyCommented:
Here is a link to what I found on that error message:

http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_chapter09186a008055fd2b.html#wp3153583

The recommended action is to

"Synchronize the clocks on the security appliance and the Kerberos server."

However, you say you've already done this.  Have you rebooted the ASA since the DST updates took place?  Does the timezone on the ASA match the Kerberos server?
0

avatechAuthor Commented:
Yes, that is the weird part....The date, month, year, timezone, and clock match exactly between the ASA and the Domain Controllers....I have rebooted the ASA twice....still searching. I have even enabled NTP on the ASA, and the NTP is the Domain Controller providing time for the domain, P.C.'s.

It worked Saturday night at midnight, and once they started the Service Pack upgrades and installation of the DST MS patches, bam....VPN is done...
0
batry_boyCommented:
I would say that it's time to try upgrading to the 7.2(2) version of the ASA code...do you have access to the updated code?
0
avatechAuthor Commented:
Don't you need a CCO login with Cisco for the upgrade? I don't have the CCO login....but I do have a SmartNet agreement with this device, I may have to dig out the invoice....
0
batry_boyCommented:
Yes, you will need a CCO login to download the latest code.  If you have an active SmartNet contract on the ASA then you are most certainly entitled to having a login with download rights.  If you never registered your SmartNet with the device, then you probably were not issued an account.  They will want your ASA serial number which can be obtained by issuing a "show version" command from the CLI.  You will also need your invoice...
0
avatechAuthor Commented:
Very weird problem. Thanks for all the responses. Once I find a solution I will post it. I am going to contact Cisco today and activate the SmartNet agreement.

Thanks
0
avatechAuthor Commented:
Thanks for your help.  Of all the frantic things not to check was issuing the reload after setting the time manually and changing the time zone from command line.
0
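
An added illustration, not written by anyone in this thread, of the time zone question raised above: Kerberos timestamps are compared in UTC, so two devices can show the same wall-clock time and still exceed the 300-second tolerance when their UTC offsets differ. The date, the US Eastern offsets and the function names are constructed assumptions; only the 300-second limit comes from the error message.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = 300  # seconds, the limit named in ASA message 113020

# Constructed offsets for a US Eastern site (assumption, not from the thread).
EST = timezone(timedelta(hours=-5), "EST")  # standard time, no DST applied
EDT = timezone(timedelta(hours=-4), "EDT")  # daylight time applied


def utc_skew_seconds(wall_a, tz_a, wall_b, tz_b):
    """Skew between two clocks after converting each displayed
    wall-clock time to UTC with that device's own offset."""
    a = wall_a.replace(tzinfo=tz_a).astimezone(timezone.utc)
    b = wall_b.replace(tzinfo=tz_b).astimezone(timezone.utc)
    return abs((a - b).total_seconds())


def diagnose(wall_a, tz_a, wall_b, tz_b, max_skew=MAX_SKEW):
    """Classify a pair of clocks the way a skew check would see them."""
    if utc_skew_seconds(wall_a, tz_a, wall_b, tz_b) <= max_skew:
        return "ok"
    # Displays agree but UTC does not: the offsets (zone/DST) differ.
    if abs((wall_a - wall_b).total_seconds()) <= max_skew:
        return "offset-mismatch"
    return "clock-drift"


if __name__ == "__main__":
    shown = datetime(2007, 3, 12, 9, 0, 0)  # constructed sample time
    cases = [
        ("same display, same offset", shown, EDT, shown, EDT),
        ("same display, one side without DST", shown, EST, shown, EDT),
        ("displays differ by 1h, UTC equal",
         shown - timedelta(hours=1), EST, shown, EDT),
        ("same offset, 10 min apart",
         shown + timedelta(minutes=10), EDT, shown, EDT),
    ]
    for label, wa, za, wb, zb in cases:
        skew = utc_skew_seconds(wa, za, wb, zb)
        print(f"{label}: skew={skew:.0f}s -> {diagnose(wa, za, wb, zb)}")
```
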

Question has a verified solution.
