Cisco ASA 5500-X Series Next-Generation Firewalls

Adaptive Security Appliance FAQ: Why does the ASA fail to sync with Windows server configured as an NTP server?

Document ID: 118053

Updated: Aug 19, 2014

Contributed by Raghunath Kulkarni and Magnus Mortenson, Cisco TAC Engineers.

Introduction

This document describes the reason why the ASA does not synchronize time with the Network Time Protocol (NTP) server, what causes the default dispersion value to be more than one second, and what can be done to resolve this problem.

Why does the ASA fail to sync with Windows server configured as an NTP server?

The Adaptive Security Appliance (ASA) does not sync time with a Network Time Protocol (NTP) server when the NTP server sends a dispersion value of more than one second. This is the default dispersion value of a Microsoft Windows Server when used as an NTP server. How is this issue resolved?

NTP: rcv packet from 172.23.226.161 to 172.23.246.71 on management:
leap 0, mode 4, version 3, stratum 2, ppoll 64
rtdel 0800 (31.250), rtdsp ae343 (10887.741), refid C6976401 (198.151.100.1)

The ASA requires a dispersion value less than 1000 milliseconds (one second) in order to sync its clock via NTP. The Windows Server reports a dispersion value that is too high for the ASA to sync, so you must adjust the Windows Server in order to accommodate this requirement. You do this with a registry change on the server. Consult this Microsoft document for more information: LocalClockDispersion Entry


If the Windows Server that operates as an NTP server is not also a domain controller (DC), the AnnounceFlags registry setting might need to be changed to 0x5 (0x01 + 0x04). Consult the following Microsoft document for more information:
Config\AnnounceFlags Entry


Microsoft's implementation behaves differently from most NTP servers and might cause issues similar to the one described previously. The Microsoft Windows Server NTP implementation sends packets with a root dispersion value that is unusually large compared to other NTP servers. This output comes from debug ntp packet on an ASA that attempts to sync to an unadjusted Windows Server:

NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
leap 0, mode 4, version 3, stratum 2, ppoll 64
rtdel 0800 (31.250), rtdsp 7dcc3 (7862.350), refid C6976401 (198.151.100.1)
ref ccd5ee4e.4cd51570 (22:23:58.300 EDT Mon Apr 24 2013)
org ccd5ee61.f71e22bd (22:24:17.965 EDT Mon Apr 24 2013)
rec ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
xmt ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
inp ccd5ee61.f8744957 (22:24:17.970 EDT Mon Apr 24 2013)
NTP: 172.16.1.3 reachable

The value of interest is: rtdsp 7dcc3 (7862.350). The root dispersion indicates the server's estimated error relative to its reference source, shown here in milliseconds. The ASA's implementation of NTP declares a time source invalid if the root dispersion value in the packet is larger than 1,000 milliseconds.
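As an added illustration (this is not Cisco's code and is not part of the original document), the following Python decodes the header of an NTP server reply the way debug ntp packet presents it and applies the threshold described above. The packets are constructed from the rtdel, rtdsp and refid values shown in the debug outputs on this page, the timestamps are left zeroed, and asa_would_accept is a reconstruction of the rule the text describes rather than the ASA's implementation.

```python
import struct

# First 16 bytes of an NTP v3/v4 packet (RFC 5905 header):
#   LI|VN|Mode (1) stratum (1) poll (1) precision (1, signed)
#   root delay (4) root dispersion (4)  -- NTP short format: 16.16 fixed-point seconds
#   reference ID (4)
# The remaining 32 bytes hold the four 64-bit timestamps (ref/org/rec/xmt);
# this example leaves them zeroed because the check only needs the header fields.
HEADER = struct.Struct("!BBBbIII")
NTP_PACKET_LEN = 48

# Limit the document describes: root dispersion must be below 1,000 ms (one second).
ASA_MAX_ROOT_DISPERSION_MS = 1000.0


def ntp_short_to_ms(value: int) -> float:
    """Convert a 32-bit NTP short (16.16 fixed-point seconds) to milliseconds.
    'rtdsp 7dcc3' in the debug output is 0x7dcc3 / 65536 s = 7862.350 ms."""
    return value / 65536.0 * 1000.0


def parse_ntp_response(packet: bytes) -> dict:
    """Decode the header fields that 'debug ntp packet' prints on the ASA."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("NTP packet must be at least 48 bytes")
    li_vn_mode, stratum, poll, precision, rtdel, rtdsp, refid = HEADER.unpack_from(packet, 0)
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,            # 4 = server reply
        "stratum": stratum,
        "ppoll": 2 ** poll,                  # poll exponent -> seconds (6 -> 64)
        "precision": precision,
        "root_delay_ms": ntp_short_to_ms(rtdel),
        "root_dispersion_ms": ntp_short_to_ms(rtdsp),
        "refid_hex": f"{refid:08X}",
        # For stratum >= 2 the reference ID is the IPv4 address of the upstream source
        "refid_ipv4": ".".join(str(b) for b in refid.to_bytes(4, "big")),
    }


def asa_would_accept(fields: dict) -> bool:
    """Model of the acceptance rule the document describes (not ASA code):
    a server-mode reply whose root dispersion is below one second."""
    return fields["mode"] == 4 and fields["root_dispersion_ms"] < ASA_MAX_ROOT_DISPERSION_MS


def build_response(stratum: int, poll_exp: int, rtdel: int, rtdsp: int, refid: int,
                   leap: int = 0, version: int = 3, mode: int = 4) -> bytes:
    """Construct a 48-byte server reply from raw header values (constructed test data)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    header = HEADER.pack(li_vn_mode, stratum, poll_exp, -20, rtdel, rtdsp, refid)
    return header + bytes(NTP_PACKET_LEN - HEADER.size)


def describe(name: str, packet: bytes) -> str:
    """One-line verdict in the spirit of the ASA debug output."""
    f = parse_ntp_response(packet)
    verdict = "accepted" if asa_would_accept(f) else "rejected"
    return (f"{name}: stratum {f['stratum']}, ppoll {f['ppoll']}, "
            f"rtdel {f['root_delay_ms']:.3f} ms, rtdsp {f['root_dispersion_ms']:.3f} ms, "
            f"refid {f['refid_ipv4']} -> {verdict}")


if __name__ == "__main__":
    # Header values taken from the three debug outputs in the document
    samples = {
        "unadjusted Windows Server": build_response(2, 6, 0x0800, 0x7DCC3, 0xC6976401),
        "stratum 1 server":          build_response(1, 6, 0x0000, 0x000F, 0xC6976401),
        "adjusted Windows Server":   build_response(1, 7, 0x0000, 0x0EDE, 0xC6976401),
    }
    for name, pkt in samples.items():
        print(describe(name, pkt))
```

The hex value the ASA prints (rtdsp 7dcc3) is the raw 16.16 field; the number in parentheses is that field divided by 65536 and scaled to milliseconds, which is the conversion ntp_short_to_ms performs. Running the script against the three packets reproduces the page's figures (7862.350, 0.229 and 58.075 ms) and shows only the first one failing the check.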

Here is the debug output from a response received from an NTP server that synchronizes without issue. Notice that the root dispersion is much lower.

NTP: rcv packet from 172.18.108.15 to 172.18.254.61 on outside:
leap 0, mode 4, version 3, stratum 1, ppoll 64
rtdel 0000 (0.000), rtdsp 000f (0.229), refid C6976401 (198.151.100.1)
ref ccd5fc03.000becc0 (23:22:27.000 EDT Mon Apr 24 2013)
org ccd5fc09.7705ecf8 (23:22:33.464 EDT Mon Apr 24 2013)
rec ccd5fc09.778d15a1 (23:22:33.466 EDT Mon Apr 24 2013)
xmt ccd5fc09.778e1e93 (23:22:33.467 EDT Mon Apr 24 2013)
inp ccd5fc09.778eb534 (23:22:33.467 EDT Mon Apr 24 2013)


If you change the server's registry in accordance with the Microsoft articles referenced earlier, you reduce the root dispersion value to an acceptable level, but only if the local clock is used as the time reference. Set LocalClockDispersion to "0" in order to reduce the root dispersion significantly.

Here is another packet debug of Windows Server NTP response after you change the registry values:

NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
leap 0, mode 4, version 3, stratum 1, ppoll 128
rtdel 0000 (0.000), rtdsp 0ede (58.075), refid C6976401 (198.151.100.1)
ref ccd60291.af53f7ce (23:50:25.684 EDT Mon Apr 24 2013)
org ccd610e5.efecb657 (00:51:33.937 EDT Tue Apr 25 2013)
rec ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
xmt ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
inp ccd610e5.f07b651d (00:51:33.939 EDT Tue Apr 25 2013)


The adjusted Windows Server still sends a root dispersion value (58.075) that is higher than the one from the stratum 1 server in the earlier output, but because it is less than 1,000 the ASA accepts it.
