Have an account?
  •   Personalized content
  •   Your products and support

Need an account?

Create an account

可适应安全工具FAQ :ASA为什么不能用作为Ntp server配置的Windows服务器同步?

Download Options

  • PDF     (202.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (70.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (68.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated: 2014 年 8 月 19 日
Document ID:118053
About Translation

About This Translation

Cisco has translated this document using a combination of machine and human technologies to offer our users around the world Support content in their own language.Please note that even the best machine translation will not be as accurate as that provided by a professional translator.Cisco Systems, Inc. assumes no liability for the accuracy of these translations and recommends that the original English document (link provided) is always consulted.

简介

本文描述原因为什么ASA与网络时间协议(NTP)服务器不同步时间,什么原因默认散射值是超过一秒钟,并且什么可以执行解决此问题。

ASA为什么不能用作为Ntp server配置的Windows服务器同步?

可适应安全工具(ASA)不用网络时间协议(NTP)服务器同步时间,当Ntp server发送散射值超过一秒钟时。这是MS Windows服务器的默认散射值,当使用作为Ntp server。如何解决此问题?

NTP: rcv packet from 172.23.226.161 to 172.23.246.71 on management:
leap 0, mode 4, version 3, stratum 2, ppoll 64 
rtdel 0800 (31.250), rtdsp ae343 (10887.741), refid C6976401 (198.151.100.1)

ASA要求散射值少于1000毫秒(一秒钟)为了通过NTP同步其时钟。Windows服务器报告太高为了ASA能同步的散射值,因此您必须调节Windows服务器为了适应此需求。当您进行在服务器时的一次注册表更改您能执行此。参见theseMicrosoft文档欲知更多信息: LocalClockDispersion条目。 


如果运行的Windows服务器,因为Ntp server也不是域控制器(DC), AnnounceFlags注册表设置也许需要更改到0x5 (0x01 + 0x04)。参见更多inforomation的以下Microsoft文档:
设置\ AnnounceFlags条目。 


Microsoft的实施跟多数NTP服务器不同运行,并且也许导致问题类似于以前描述的那个。 有非常地大与一些其他NTP比较服务器的根散射的MS Windows服务器NTP实施发送数据包重视。此输出debug ntp packet根据该的ASA尝试同步到一未调整的Windows服务器:

NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
 leap 0, mode 4, version 3, stratum 2, ppoll 64
 rtdel 0800 (31.250), rtdsp 7dcc3 (7862.350), refid C6976401 (198.151.100.1)
 ref ccd5ee4e.4cd51570 (22:23:58.300 EDT Mon Apr 24 2013)
 org ccd5ee61.f71e22bd (22:24:17.965 EDT Mon Apr 24 2013)
 rec ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
 xmt ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
 inp ccd5ee61.f8744957 (22:24:17.970 EDT Mon Apr 24 2013)
NTP: 172.16.1.3 reachable

 
是利益的值是:rtdsp 7dcc3 (7862.350)。 散射指示错误相对其参考源以毫秒。 NTP的ASA的实施宣称时间源,因为无效,如果在数据包的该根散射值大于1,000。

这是从同步,不用问题从Ntp server接收的答复的debug输出。 注意根散射是更低的。

NTP: rcv packet from 172.18.108.15 to 172.18.254.61 on outside:
  leap 0, mode 4, version 3, stratum 1, ppoll 64
  rtdel 0000 (0.000), rtdsp 000f (0.229), refid C6976401 (198.151.100.1)
  ref ccd5fc03.000becc0 (23:22:27.000 EDT Mon Apr 24 2013)
  org ccd5fc09.7705ecf8 (23:22:33.464 EDT Mon Apr 24 2013)
  rec ccd5fc09.778d15a1 (23:22:33.466 EDT Mon Apr 24 2013)
  xmt ccd5fc09.778e1e93 (23:22:33.467 EDT Mon Apr 24 2013)
  inp ccd5fc09.778eb534 (23:22:33.467 EDT Mon Apr 24 2013)


如果更改服务器的注册符合被参考的Microsoft条款前,您降低根散射值到可接受的水平,但是,只有当本地时钟作为时间参考使用。 设置LocalClockDispersion到"0"为了极大减少根散射。

这是Windows服务器NTP答复另一数据包调试,在您更改注册表值后:

NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
  leap 0, mode 4, version 3, stratum 1, ppoll 128
  rtdel 0000 (0.000), rtdsp 0ede (58.075), refid C6976401 (198.151.100.1)
  ref ccd60291.af53f7ce (23:50:25.684 EDT Mon Apr 24 2013)
  org ccd610e5.efecb657 (00:51:33.937 EDT Tue Apr 25 2013)
  rec ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
  xmt ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
  inp ccd610e5.f07b651d (00:51:33.939 EDT Tue Apr 25 2013)


高于stratum1在第二输出中的根散射值仍然发送并且注释,但是它少于1,000是和接受由ASA。

TAC Authored

Contributed by Cisco Engineers

  • Raghunath Kulkarni and Magnus Mortenson
    Cisco TAC Engineers.

Was this Document Helpful?

Feedback反餽

联系我们

Related Support Community Discussions

This Document Applies to These Products

关于我们
联系我们
加入我们