
FTDv managed by FMC ntp issue

mhdganji110
Level 1

Hi,

I'm using FTDv 7 managed by FMC v7. Logging issues are there and there is an error about FTD not synced.

So, the first step seems to be to solve the NTP issues.

The FMC GUI is there for NTP, which I set and it seems to be OK, but I cannot find where the NTP settings for the FTD device are (I go to FMC, Devices, choose the FTD device, ... nothing there).

Also, when I SSH to the FTD and run ntpd -u ntpserver, it says operation not permitted. I set the time exactly the same as on the FMC (with the date -s command, copying the output of the date command from the SSH session on the FMC), but the problem is still there.

Any idea?

Regards

Accepted Solutions

mhdganji110
Level 1

I managed to solve the problem this way:

Went to FMC and my created FTD policy and chose a timezone (it was blank). Applied it to my FTD and all is ok now.

17 Replies

Already checked it. It is not helping about Virtual FTD managed by FMC (virtual). It's all about physical ones, FXOS, etc.

mhdganji110
Level 1

Let me add that under Devices, Platform Settings, I created an FTD policy, added my FTD, set the same NTP server as the FMC under the settings, and saved and applied the policy to the device. But the error is still there.

While the date output is exactly the same on FTD and FMC, it says there is a 54000 seconds offset between the FTD device and its manager.

It's not recommended to use FMC as the NTP server for managed devices. Use a reliable time server instead.

I use time.nist.gov for US-based customers (along with a valid DNS setup and making sure outbound ntp traffic is allowed through the firewall).

I didn't do that. Both were set to use an internal NTP server in the network.

I noticed 127.0.0.2 is shown to be used on our FTD that is managed via FMC. How can I fix this - the FMC is using and configured for a NIST NTP server? Not too familiar with Firepower in comparison to ASA.

Make a new post, it's better.

MHM

@CiscoPurpleBelt for an FMC-managed FTD appliance, use the platform settings. Devices > Platforms Settings and then edit the settings under the Time Synchronization section to set the clock via NTP from a valid reachable time server. Deploy the change and watch for it to update on FTD - it will take a few minutes to sync and decide to take the NTP server's assertion as valid.

Hi Marvin. It is already set for via NTP from Mgmt Center. There are no reachability issues or anything, so not sure why it is not listed as the server in "show ntp"?

@CiscoPurpleBelt if your FMC is an FMCv, they don't reliably serve up NTP. That's why we configure the managed devices to go directly to an NTP server.

No, it is a physical FMC. I know it's better to peer directly to an NTP server, but for now using this.

Hi Marvin, although it states:

NTP Server : 127.0.0.2
Status : Being Used
Offset : -0.582 (milliseconds)
Last Update : 13 (seconds)

The time is still correct:

> show time
UTC - Thu May 2 14:43:14 UTC 2024
Localtime - Thu May 02 10:43:15 EDT 2024

Shouldn't it not have accurate time?

Time can be accurate without NTP. We use NTP to make it consistently accurate across many devices to ensure that time-dependent services, logs etc. are all in good working order and presenting accurate timestamps.

Right, but the thing is the FTD has been offline recently and the clock was never manually hard-coded or anything. Where would it get its accurate time from?
