Guest

Preview Tool

Cisco Bug: CSCup58403 - ASA clock can not sync when there is two NTP server configured

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.6(1.2)

Description (partial)

Symptom:
ASA 5525, 8.6(1.2) , configured with two NTP servers(MIcrosoft server). if clock synchronization is triggered manually, ASA will fail to synchronise clock with any of them.

Conditions:
1. configured with two NTP server(tried only with microsoft server)
2. change the clock on the ASA to trigger the clock synchronisation manually
3. tested with 8.6(1.2) and 9.2.1, same results.

When running "show ntp associations", the offset number is greater than 128 (which it shouldn't be). Example:

ciscoasa# show ntp associations 
      address         ref clock     st  when  poll reach  delay  offset    disp
~10.75.61.149     .LOCL.            1    58    64    0     0.5  -75285  16000.
~10.75.61.240     .LOCL.            1    17    64    0     0.6  75276.  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

When there are 2 NTP servers configured (NTP1 and NTP2) and their times are different by over 128 ms, this is what happens:
1) ASA attempts to sync to NTP1, sync clock with NTP1, finds local clock and reference clock is > 128 ms difference, reset sync status
2) ASA attempts to sync to NTP2, sync clock with NTP2, finds local clock (which was sync'ed to NTP1) and reference clock is > 128 ms difference, reset sync status
3) Repeat 1, then 2

This vicious cycle happens over and over again. Please see Eng-Note for more details.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.