ASA5505: how to NTP sync with an external MD5-authenticated clock

Hi, this is the website I have been looking at:  


I was advised, and given as an example, the following address: in order to sync via my ASA5505, which is now successful, but now I wish to configure authentication as below:

- I've configured the following via my ASA5505 ASDM ver 7.1, and I've currently added the following, but it shows that NTP has changed from synchronized to now unsynchronized.

- interface: outside
- preferred - yes
- key: no. 1
- key value: 23, for example
- trusted key: yes

ASA config shows:

ntp authentication-key 1 md5
ntp authenticate
ntp trusted-key 1
ntp server key 1 source outside prefer

My ASA now shows: "outside: authentication failed for packet from

Question 1. How do I resolve my issue?

The received NTP packet failed the authentication check. Possible errors: the authentication key number or key value in the packet does not match your settings. The configuration itself looks OK (if you have a key configured in #ntp authentication-key 1 md5 <key>).
Make sure that both the ASA and the NTP server are set to use authentication, and that both use the same key number and key value.

ASA 8.3 and Later: NTP with and without an IPsec Tunnel Configuration Example
ASA - Setting the Date and Time Using an NTP Server
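The failure the answer above describes can be reproduced offline. The following is an added example, not from the original thread and not Cisco's code: it builds an NTP client packet, appends the symmetric-key MAC that RFC 5905 section 7.3 specifies (a 32-bit key ID followed by MD5 computed over the key bytes and then the packet), and checks it the way a peer configured with `ntp authenticate` and `ntp trusted-key` would. The key table (key 1 with value 23, matching the poster's example, plus a second key that is present but not trusted) and the packet contents are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to the Unix epoch
HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16

# Constructed key table, standing in for the server's ntp.keys or the ASA's
# "ntp authentication-key <id> md5 <value>" lines. Type-M keys are used as
# their raw ASCII bytes.
SERVER_KEYS = {1: b"23", 2: b"another-secret"}
SERVER_TRUSTED = {1}            # "ntp trusted-key 1": key 2 exists but may not authenticate peers


def build_ntp_client_packet(transmit_unix_time=None):
    """Minimal 48-byte NTPv4 mode-3 (client) request in the RFC 5905 header layout."""
    if transmit_unix_time is None:
        transmit_unix_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 (client)
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time % 1) * (1 << 32))
    return struct.pack(
        "!BBBb11I",
        li_vn_mode, 0, 0, 0,       # stratum, poll, precision (unused in a client request)
        0, 0, 0,                   # root delay, root dispersion, reference ID
        0, 0, 0, 0, 0, 0,          # reference, originate, receive timestamps
        secs, frac,                # transmit timestamp
    )


def sign_md5(packet, key_id, key):
    """Append the RFC 5905 symmetric-key MAC: key ID, then MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_md5(signed_packet, keys, trusted_key_ids):
    """Check a packet the way an authenticating peer does. Returns (ok, reason)."""
    if len(signed_packet) < HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False, "no MAC present"            # "ntp authenticate" rejects unauthenticated packets
    body = signed_packet[:-(KEY_ID_LEN + MD5_LEN)]
    mac = signed_packet[-(KEY_ID_LEN + MD5_LEN):]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    if key_id not in trusted_key_ids:
        return False, "key id %d is not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + body).digest()
    if not hmac.compare_digest(expected, mac[KEY_ID_LEN:]):
        return False, "digest mismatch: key value differs"
    return True, "authenticated"


def demo():
    """Reproduce the thread's cases: matching key, wrong value, wrong id, untrusted id, no MAC."""
    pkt = build_ntp_client_packet(1_500_000_000.25)     # constructed transmit time
    return {
        "matching key": verify_md5(sign_md5(pkt, 1, b"23"), SERVER_KEYS, SERVER_TRUSTED),
        "wrong value":  verify_md5(sign_md5(pkt, 1, b"24"), SERVER_KEYS, SERVER_TRUSTED),
        "unknown id":   verify_md5(sign_md5(pkt, 7, b"23"), SERVER_KEYS, SERVER_TRUSTED),
        "untrusted id": verify_md5(sign_md5(pkt, 2, b"another-secret"), SERVER_KEYS, SERVER_TRUSTED),
        "no MAC":       verify_md5(pkt, SERVER_KEYS, SERVER_TRUSTED),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-13s %s (%s)" % (case, "OK" if ok else "FAIL", reason))
```

Only the "matching key" case authenticates; every other case is what the ASA logs as "authentication failed for packet from", which is why a key configured on one side only, as the poster did, can never pass.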
mikey250Author Commented:
Hi, that authentication config was only on my ASA! It was random, to see if the authentication would pass or fail.
mikey250Author Commented:
My ASA currently has no other authentication configured!

Not sure what you suggest here.
You can't randomly configure authentication. If the NTP server doesn't use authentication, or the parameters do not match, synchronization will certainly fail. If the ASA was previously synchronized with the NTP server, just remove the pieces of configuration that you added lately.
To remove configuration, just use no in front of the command, for example:
no ntp authenticate
mikey250Author Commented:
Hi, I was given by another expert the following external NTP:

- so I used it to confirm I could NTP sync my ASA, which is successful.

- as I currently cannot ping, even though I could before, I cannot confirm if this belongs to

Question 1. If the above is correct, I am not sure how to go about locating the correct authentication details from the external NTP in order to repeat this on my ASA?
Someone (in this case the NTP server owners) needs to provide you with the authentication details. Otherwise it will fail. That's why they call it authentication. If traffic does not pass authentication it will be dropped.
What would be the purpose of authentication if whatever password or key number you configured always passed authentication? What would be the difference between an authenticated and an unauthenticated session?
mikey250Author Commented:
Yes, I understand; that's why I was looking at the below URL in order to find out how to go about registering for an external NTP and authentication details for me to use.

The external NTP that I was given was only to allow me to test that I can get NTP sync via my ASA. OK, all good.
mikey250Author Commented:
I have never gone about getting an external NTP to use permanently, as I assumed it is free if I use one from the below site, but thought I would have to register or something.
mikey250Author Commented:
Hi, so I gather my understanding of how to get an external NTP config is incorrect, which would make sense I suppose?
mikey250Author Commented:
After reading further of the following: it appears that, due to the frequent change of NTP servers, authentication is not currently used, so I can ignore this part.

I assume, therefore, the following:

- ISP: contact my ISP for their time server details
- purchase my own time server

After also reading the below specific link, I came up with the below:


I created a file called (ntp.conf) and within that I have added:

NTP Pool Time Servers uses DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool. This is usually good enough for end-users. The minimal ntpd configuration file (e.g. /etc/ntpd.conf) for using is:

Qn 1. How do I now use this for the below NTP list and driftfile /var/lib/ntp/ntp.drift?

- server
- server
- server
- server

driftfile /var/lib/ntp/ntp.drift
mikey250Author Commented:
Note: I've obviously got to create or install some program for my ntp.conf to work, although I'm not sure what 'ntp.drift' is!

If I was using a Windows server then I could use regedit or the time server via the taskbar clock.
Gary PattersonVP Technology / Senior Consultant Commented:
First, if your ISP offers a time server, use it.  Stop now, contact them, and ask.

If not, then you probably want to use a public time server, unless you have very critical time accuracy needs; then you should look at a hardware solution that gets time from GPS.  Most people and companies don't need that, and if you do, you probably know that you do.

Round robin DNS means that they change the IP address associated with pool.ntp.org frequently.  So if I ping it from one machine, I get , and from another I get .  These time servers are volunteers.  They offer to provide NTP services for free.  Some of them are run by ISPs, some by governments, some by schools.

To be fair, you don't want to have millions of devices configured to just pick out one address and use it all the time.  That's the idea behind using round robin DNS - it spreads the load around.

So if your ISP offers NTP, use that.  If not, pick a public NTP server and use it.  But use it for only one device in your network, for example your ASA.  Then let your ASA provide time services to all the rest of your network devices.  That way you minimize the amount of traffic you send to the public NTP server you chose.

I've seen time services implemented the other way, too:  configure your Windows domain controller or Unix DNS server to get time from (or from Microsoft time servers, or the public server of your choice), and then have ASA use your internal server as its time source.

driftfile is for Linux.
mikey250Author Commented:
driftfile - Linux, OK.

ISP - I will find out if they will provide me with those details.

If I wish to make my ASA the master, I've just changed the following:

ntp server source inside prefer (this is just my internal interface for the LAN)
ntp server source inside

sh ntp associations - shows both as configured, but shows * master.. why?
mikey250Author Commented:
ASA: sh ntp status - still shows as synchronized
Gary PattersonVP Technology / Senior Consultant Commented:
Because is the address of an actual NTP server, and is not.

The "ntp server" command is used to specify the address of one or more NTP servers that our ASA can query for time updates.  The ASA queries them all, and then picks as "master" the most accurate one.  

ntp server
ntp server
ntp server

says: "Check the time on each of these 3 NTP servers, pick the most accurate one as master, and sync the ASA clock based on the time received from that master NTP server."

Here is a nice, basic explanation:

I don't think ASA can be configured as an NTP server, itself.  I used it as an example before without really thinking about it:  An IOS router can run both functions (ntp client and ntp server), but I don't think ASA can.  Instead, configure your Windows domain controller to get time updates from an outside source, and your domain clients will automatically synchronize with your Windows server.  You can
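To make concrete what comparing the configured servers involves, here is an added example (not from the thread and not Cisco's selection code) that constructs two mode-4 server replies, parses the timestamps, derives the clock offset and round-trip delay as RFC 5905 defines them, and discards a reply that is unusable: stratum 16 with the leap indicator set to the alarm condition, meaning the responding host is itself not synchronized. The tie-break in pick_master, lowest stratum then lowest delay, is a deliberately simplified stand-in for the real selection and clustering algorithms; the timestamps, strata and reference IDs are constructed.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to the Unix epoch
MODE_SERVER = 4
UNUSABLE_STRATA = {0, 16}         # RFC 5905: 0 = unspecified/kiss-o'-death, 16 = unsynchronized
HEADER_FMT = "!BBBbII4s8I"        # LI/VN/mode, stratum, poll, precision, root delay, root disp, refid, 4 timestamps


def unix_to_ntp(t):
    return int(t) + NTP_EPOCH_OFFSET, int((t % 1) * (1 << 32))


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)


def build_server_reply(originate, receive, transmit, stratum=2, refid=b"GPS\x00", leap=0):
    """Construct a 48-byte NTPv4 mode-4 reply. Timestamps are Unix-epoch floats."""
    fields = [(leap << 6) | (4 << 3) | MODE_SERVER, stratum, 6, -20, 0, 0, refid]
    for ts in (receive, originate, receive, transmit):     # reference timestamp: reuse receive time
        fields.extend(unix_to_ntp(ts))
    return struct.pack(HEADER_FMT, *fields)


def parse_reply(data):
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, refid,
     _ref_s, _ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack(HEADER_FMT, data[:48])
    return {
        "leap": li_vn_mode >> 6,
        "mode": li_vn_mode & 0x07,
        "stratum": stratum,
        "refid": refid,
        "originate": ntp_to_unix(org_s, org_f),
        "receive": ntp_to_unix(rec_s, rec_f),
        "transmit": ntp_to_unix(xmt_s, xmt_f),
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay: t1/t4 client send/receive, t2/t3 server receive/send."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def is_usable(reply, t1_sent):
    """Sanity checks a client applies before a reply may influence its clock."""
    if reply["mode"] != MODE_SERVER:
        return False
    if reply["stratum"] in UNUSABLE_STRATA or reply["leap"] == 3:   # leap 3 = clock unsynchronized
        return False
    if abs(reply["originate"] - t1_sent) > 1e-3:                     # not a reply to our request
        return False
    return True


def evaluate(data, t1_sent, t4_received):
    """Parse one reply and attach offset, delay and usability."""
    reply = parse_reply(data)
    offset, delay = offset_and_delay(t1_sent, reply["receive"], reply["transmit"], t4_received)
    reply.update(offset=offset, delay=delay, usable=is_usable(reply, t1_sent))
    return reply


def pick_master(replies):
    """Simplified stand-in for RFC 5905 selection: lowest stratum, then lowest delay."""
    usable = [r for r in replies if r["usable"]]
    return min(usable, key=lambda r: (r["stratum"], r["delay"])) if usable else None


def demo():
    # Constructed exchange: the client clock runs 0.5 s behind true time and each
    # network leg takes 50 ms, so the client records t4 only 110 ms after t1.
    t1 = 1_500_000_000.0
    t4 = t1 + 0.11
    good = build_server_reply(originate=t1, receive=t1 + 0.55, transmit=t1 + 0.56)
    # A host that answers but is not synchronized: stratum 16, refid INIT, leap alarm
    unsynced = build_server_reply(originate=t1, receive=t1 + 0.55, transmit=t1 + 0.56,
                                  stratum=16, refid=b"INIT", leap=3)
    return [evaluate(unsynced, t1, t4), evaluate(good, t1, t4)]


if __name__ == "__main__":
    replies = demo()
    for r in replies:
        print("stratum %2d offset %+.3f s delay %.3f s usable=%s"
              % (r["stratum"], r["offset"], r["delay"], r["usable"]))
    print("selected refid:", pick_master(replies)["refid"])
```

The usable reply yields an offset of +0.5 s (the client is half a second slow) and a delay of 0.10 s; the unsynchronized host is excluded before selection, which is the situation behind a peer that answers on port 123 but never becomes the `*` source.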
mikey250Author Commented:
Question 1. Currently I'm not running a DC, because there are environments that don't require a server, so my point was: how do I set an NTP master if my ASA cannot be one and my ISP does not offer an external NTP?
Gary PattersonVP Technology / Senior Consultant Commented:
Perhaps it would help if you just spelled out what it is you are trying to do.  

Short answer is, pick a system that you want to use as your time server, configure it, and point your other systems to it.  

We usually set up one time server per physical location.  We use the router/security router if possible, and the Windows DC in most environments otherwise.  I've set up NTP or SNTP on Cisco IOS routers, Windows, Linux and other *nix, even IBM i.  

So you have lots of options.

One note: if your NTP requests have to pass your firewall, and you have an outbound access list, you'll probably need to add NTP (UDP port 123) to the outbound ACL, something like this:

access-list outbound extended permit udp any any eq 123
mikey250Author Commented:
Sound advice overall.
Gary PattersonVP Technology / Senior Consultant Commented:
One last note:  any Windows server can be used as your time server.  It doesn't have to be a domain controller.  In a Windows domain environment, however, Windows domain clients and domain servers will sync time with the domain controllers by default.
mikey250Author Commented: