asa5505 how to ntp sync external md5 clock

mikey250
Hi, this is the website I have been looking at:

- http://support.ntp.org/bin/view/Servers/WebHome

I was advised (given as an example) the following address: 195.222.33.219, in order to sync via my ASA 5505, which is now successful, but now I wish to configure authentication as below:

- I've configured the following via my ASA 5505 ASDM ver 7.1; after adding it, the ASA shows that NTP has changed from synchronized to unsynchronized.

- 195.222.33.219
- interface: outside
- preferred - yes
- key: no 1
- key value: 23 for example
- trusted key: yes

ASA config shows:

ntp authentication-key 1 md5
ntp authenticate
ntp trusted-key 1
ntp server 195.222.33.219 key 1 source outside prefer

My ASA now shows: "outside: authentication failed for packet from 195.222.33.219"

question 1. How do I resolve my issue?
Distinguished Expert 2018
Commented:
The received NTP packet failed the authentication check. Possible errors: the authentication, key number or key value on the packet does not match your settings. The configuration itself looks OK (if you have the key configured in #ntp authentication-key 1 md5 <key>).
Make sure that both the ASA and the NTP server are set to use authentication, and that both use the same key number and value.

Guides:
ASA 8.3 and Later: NTP with and without an IPsec Tunnel Configuration Example
or
ASA - Setting the Date and Time Using an NTP Server
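To make the "same key number and value" requirement concrete, here is an added example (not code from the thread, Cisco or ntp.org) that builds and verifies an NTP packet with the symmetric-key MD5 MAC described in RFC 5905 Appendix A, the scheme that ASA's ntp authentication-key / ntp trusted-key commands implement. The addresses, key values and timestamp are constructed for the demo; the key "23" echoes the value the poster mentioned.

```python
"""Added example, not code from the original thread or from Cisco.

NTP symmetric-key authentication appends a 20-byte MAC to the 48-byte NTP
header: a 4-byte key ID followed by the 16-byte MD5 digest of
(shared key || header). The receiver looks the key ID up in its trusted-key
table, recomputes the digest and drops the packet on any mismatch, which is
what the ASA logs as "authentication failed for packet from ...".
All values below (key "23", key IDs, timestamp) are constructed for the demo.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                 # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds between 1900-01-01 and 1970-01-01


def build_ntp_header(tx_unix_seconds, version=4, mode=4):
    """Build a 48-byte NTP header carrying the given transmit timestamp.

    mode 4 = server reply, mode 3 = client request. Other fields are zero
    apart from stratum/poll/precision, which is enough for a MAC demonstration.
    """
    li_vn_mode = (0 << 6) | (version << 3) | mode
    tx_ts = (tx_unix_seconds + NTP_EPOCH_OFFSET) << 32   # 64-bit NTP timestamp, no fraction
    # layout: LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    #         reference ID, then reference/origin/receive/transmit timestamps
    return struct.pack("!BBBb3I4Q", li_vn_mode, 1, 6, -20, 0, 0, 0, 0, 0, 0, tx_ts)


def ntp_mac(key_id, key, header):
    """MAC = key_id || MD5(key || header). A keyed digest, not HMAC: that is how
    the legacy NTP MD5 scheme is defined."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header, key_id, key):
    """What an authenticating NTP server sends."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet, trusted_keys):
    """Receiver side with 'ntp authenticate' enabled.

    trusted_keys maps key ID -> key bytes, i.e. the ASA's 'ntp authentication-key'
    entries that are also listed under 'ntp trusted-key'. Returns (accepted, reason).
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet, dropped because authentication is required"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected length %d" % len(packet)
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not a trusted key" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: key value differs from the server's"
    return True, "authenticated with key id %d" % key_id


def demo():
    """Four scenarios from the thread; returns {scenario: accepted}."""
    header = build_ntp_header(tx_unix_seconds=1_700_000_000)
    asa_keys = {1: b"23"}   # ntp authentication-key 1 md5 23 / ntp trusted-key 1
    return {
        "server shares key 1 = 23": verify_packet(sign_packet(header, 1, b"23"), asa_keys)[0],
        "server does not authenticate (the pool)": verify_packet(header, asa_keys)[0],
        "server uses a different key value": verify_packet(sign_packet(header, 1, b"secret"), asa_keys)[0],
        "server uses key id 2": verify_packet(sign_packet(header, 2, b"23"), asa_keys)[0],
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print("%-40s %s" % (scenario, "synchronizes" if ok else "authentication failed"))
```

Only the first scenario synchronizes; an unauthenticated reply, a different key value or an unlisted key ID all fail, so once ntp authenticate is on, the ASA cannot sync to a server that does not share the same key ID and secret, which is exactly the state the poster reached.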

Author

Commented:
Hi, that authentication config was only on my ASA! It was random, to see if the authentication would pass or fail.

Author

Commented:
My ASA currently has no other authentication configured!

Distinguished Expert 2018
Commented:
Not sure what you suggest here.
You can't randomly configure authentication. If the NTP server doesn't use authentication, or the parameters do not match, synchronization will surely fail. If the ASA was previously synchronized with the NTP server, just remove the pieces of configuration that you added lately.
To remove what you configured, just use no in front of the command, for example:
no ntp authenticate

Author

Commented:
Hi, I was given by another expert the following external NTP:

- europe.pool.ntp.org - 195.222.33.219 - so I used it to confirm I could NTP sync my ASA, which is successful.

- As I currently cannot ping 195.222.33.219 (even though I could before), I cannot confirm if this belongs to europe.pool.ntp.org.

question 1. If the above is correct, I am not sure how to go about locating the correct authentication details from the external NTP in order to repeat this on my ASA?
Distinguished Expert 2018
Commented:
Someone (in this case the NTP server owners) needs to provide you with authentication details. Otherwise it will fail. That's why they call it authentication. If traffic is not passing authentication it will be dropped.
What would be the purpose of authentication if whatever password or key number you configure always passed authentication? What would be the difference between authenticated and unauthenticated sessions?

Author

Commented:
Yes, I understand; that's why I was looking at the below URL in order to find out how to go about registering for an external NTP and authentication details for me to use.

http://support.ntp.org/bin/view/Servers/NTPPoolServers

The external NTP 195.222.33.219 that I was given was only to allow me to test that I can get NTP sync via my ASA... ok, all good.

Author

Commented:
I have never gone about getting an external NTP to use permanently, as I assumed it is free if I use one from the below site, but thought I would have to register or something.

http://support.ntp.org/bin/view/Servers/NTPPoolServers

Author

Commented:
Hi, so I gather my understanding of how to get an external NTP config is incorrect, which would make sense I suppose?

Author

Commented:
After reading further on the following: http://support.ntp.org/bin/view/Servers/NTPPoolServers - it appears that, due to the frequent change of NTP servers, authentication is not currently used, so I can ignore this part.

I assume therefore the following:

- ISP - contact my ISP for their time server details
or
- purchase my own time server

After reading also the below specific link I came up with the below:

- http://support.ntp.org/bin/view/Servers/NTPPoolServers

I created a file called (ntp.conf) and within that I have added the following, from the "NTP Pool Time Servers" section of that page:

"pool.ntp.org uses DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool. This is usually good enough for end-users. The minimal ntpd configuration file (e.g. /etc/ntpd.conf) for using pool.ntp.org is:"

driftfile /var/lib/ntp/ntp.drift

qns1. How do I now use this for the below NTP list with the driftfile /var/lib/ntp/ntp.drift line?

- server 0.europe.pool.ntp.org
- server 1.europe.pool.ntp.org
- server 2.europe.pool.ntp.org
- server 3.europe.pool.ntp.org

Author

Commented:
Note: I've obviously got to create or install some program for my ntp.conf to work, although I'm not sure what 'ntp.drift' is!

If I was using a Windows server then I could use regedit or the time server via the taskbar clock.
Gary Patterson, VP Technology / Senior Consultant
Commented:
First, if your ISP offers a time server, use it. Stop now, contact them, and ask.

If not, then you probably want to use a public time server unless you have very critical time accuracy needs - then you should look at a hardware solution that gets time from GPS.  Most people and companies don't need that, and if you do, you probably know that you do.

Round robin DNS means that they change the IP address associated with pool.ntp.org frequently. So if I ping it from one machine, I get 64.71.128.28, and from another I get 104.131.51.97. These time servers are volunteers. They offer to provide NTP services for free. Some of them are run by ISPs, some by governments, some by schools.

To be fair, you don't want to have millions of devices configured to just pick out one address and use it all the time.  That's the idea behind using round robin DNS - it spreads the load around.

So if your ISP offers NTP, use that.  If not, pick a public NTP server and use it.  But just use it for one device in your network, for example your ASA.  Then let your ASA provide time services to all the rest of your network devices.  That way you minimize the amount of traffic you send to the public NTP server you chose.

I've seen time services implemented the other way, too:  configure your Windows domain controller or Unix DNS server to get time from pool.ntp.org (or from Microsoft time servers, or the public server of your choice), and then have ASA use your internal server as its time source.

driftfile is for Linux.

Author

Commented:
driftfile - Linux, ok.

ISP - I will find out if they will provide me with those details.

If I wish to make my ASA the master, I've just changed the following:

ntp server 192.168.0.1 source inside prefer (this is just my internal interface for the LAN)
ntp server 195.222.33.219 source inside

sh ntp associations - shows both as configured, but 195.222.33.219 shows * master... why?

Author

Commented:
ASA: sh ntp status - still shows as synchronized
Gary Patterson, VP Technology / Senior Consultant
Commented:
Because 195.222.33.219 is the address of an actual NTP server, and 192.168.0.1 is not.

The "ntp server" command is used to specify the address of one or more NTP servers that your ASA can query for time updates. The ASA queries them all, and then picks as "master" the most accurate one.

ntp server 1.1.1.1
ntp server 2.2.2.2
ntp server 3.3.3.3

says "Check the time on each of these 3 NTP servers, pick the most accurate one as master, and sync the ASA clock based on the time received from that master NTP server."

Here is a nice, basic explanation:

https://www.youtube.com/watch?v=oP7ZcX4MtHw

I don't think ASA can be configured as an NTP server, itself.  I used it as an example before without really thinking about it:  An IOS router can run both functions (ntp client and ntp server), but I don't think ASA can.  Instead, configure your Windows domain controller to get time updates from an outside source, and your domain clients will automatically synchronize with your Windows server.  You can
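The selection described above is visible in "show ntp associations": the peer marked "*" is the one the ASA is synced to, and a peer that is not really an NTP server shows stratum 16 and a reach of 0. Here is an added example (not code from the thread or from Cisco) that parses that output and reports why a peer was not selected. The sample output is constructed to mirror the poster's two-peer setup; column spacing is approximate and the parser relies only on the flag characters and whitespace-separated fields, not on exact widths.

```python
"""Added example, not from the original thread or from Cisco: a small checker
for ASA/IOS "show ntp associations" output that reports which configured peer
was selected as the clock source ("*" flag) and why the others were not.

SAMPLE_OUTPUT is constructed: the real NTP server is selected, while
192.168.0.1 (the ASA's own inside interface, which runs no NTP service) shows
stratum 16 and reach 0. Real output may differ slightly in spacing.
"""

SAMPLE_OUTPUT = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~195.222.33.219   .GPS.            1    12    64   377     25.2    0.45     1.2
 ~192.168.0.1      0.0.0.0         16     -    64     0      0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

FLAG_MEANING = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
    " ": "not selected",
}


def parse_associations(text):
    """Return one dict per peer row, skipping the header and legend lines."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("address") or "master (" in line:
            continue
        # first column is the selection flag (or a blank), then "~" marks a configured peer
        if line[0] in FLAG_MEANING:
            flag, rest = line[0], line[1:]
        else:
            flag, rest = " ", line
        fields = rest.split()
        configured = fields[0].startswith("~")
        address = fields[0].lstrip("~")
        refclock, stratum, when, poll, reach = fields[1:6]
        peers.append({
            "address": address,
            "flag": flag,
            "status": FLAG_MEANING[flag],
            "configured": configured,
            "refclock": refclock,
            "stratum": int(stratum),
            "when": None if when == "-" else int(when),
            "poll": int(poll),
            "reach": int(reach, 8),   # octal shift register of the last 8 polls; 377 = all answered
        })
    return peers


def selected_source(peers):
    """Address of the peer the ASA is synchronized to, or None."""
    for p in peers:
        if p["flag"] == "*":
            return p["address"]
    return None


def diagnose(peer):
    """Plain-language reasons a peer cannot serve as the clock source."""
    reasons = []
    if peer["reach"] == 0:
        reasons.append("never answered a poll (reach 0)")
    if peer["stratum"] >= 16:
        reasons.append("stratum 16: the peer is unsynchronized or is not an NTP server at all")
    if peer["refclock"] == "0.0.0.0":
        reasons.append("no reference clock advertised")
    return reasons


if __name__ == "__main__":
    peers = parse_associations(SAMPLE_OUTPUT)
    print("clock source:", selected_source(peers))
    for p in peers:
        problems = diagnose(p)
        print(p["address"], p["status"], "->", "; ".join(problems) if problems else "healthy")
```

Run against the poster's real output, the same check would show 192.168.0.1 with reach 0 and stratum 16, confirming that pointing "ntp server" at the ASA's own interface does not make the ASA a time source for the LAN.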

Author

Commented:
question 1. Currently I'm not running a DC because there are environments that don't require a server, so my point was how do I set an NTP master if my ASA cannot be one and my ISP does not provide an external NTP?
Gary Patterson, VP Technology / Senior Consultant
Commented:
Perhaps it would help if you just spelled out what it is you are trying to do.

Short answer is, pick a system that you want to use as your time server, configure it, and point your other systems to it.  

We usually set up one time server per physical location.  We use the router/security router if possible, and the Windows DC in most environments otherwise.  I've set up NTP or SNTP on Cisco IOS routers, Windows, Linux and other *nix, even IBM i.  

So you have lots of options.

One note: if your NTP requests have to pass your firewall, and you have an outbound access list, you'll probably need to add NTP (UDP port 123) to the outbound ACL, something like this:

access-list outbound extended permit udp any any eq 123

Author

Commented:
Sound advice overall.
Gary Patterson, VP Technology / Senior Consultant

Commented:
One last note:  any Windows server can be used as your time server.  It doesn't have to be a domain controller.  In a Windows domain environment, however, Windows domain clients and domain servers will sync time with the domain controllers by default.

Author

Commented:
Ok.