Cisco Bug: CSCur12769 - ASA DP not changing NTP parameters correctly

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

1.0(1)

Description (partial)

Symptom:
The following XML is used to configure two NTP servers on the ASA device cluster:
<fvTenant name="g007">
    <vnsLDevVip name="dmz_asa">
        <vnsDevFolder key="NTP" name="ntp">
            <vnsDevFolder key="NTPServer" name="ntp1">
                <vnsDevParam key="server" name="ntp1" value="172.18.114.20" />
                <vnsDevParam key="prefer" name="prefer" value="enable" />
            </vnsDevFolder>
            <vnsDevFolder key="NTPServer" name="ntp2">
                <vnsDevParam key="server" name="ntp2" value="172.18.116.21" />
                <vnsDevParam key="prefer" name="prefer" value="enable" />
            </vnsDevFolder>
        </vnsDevFolder>
    </vnsLDevVip>
</fvTenant>

The prefer parameter is then deleted with the following XML:
<fvTenant name="g007">
    <vnsLDevVip name="dmz_asa">
        <vnsDevFolder key="NTP" name="ntp">
            <vnsDevFolder key="NTPServer" name="ntp2">
                <vnsDevParam key="prefer" name="prefer" status="deleted" />
            </vnsDevFolder>
        </vnsDevFolder>
    </vnsLDevVip>
</fvTenant>

The ASA device package did not remove the prefer option from ntp2; the ASA still shows the following configuration:
ciscoasa# sh run | i ntp
ntp server 172.18.116.21 prefer
ntp server 172.18.114.20 prefer

The following XML is used to change the IP address of ntp2 from 172.18.116.21 to 172.18.116.22:
<fvTenant name="g007">
    <vnsLDevVip name="dmz_asa">
        <vnsDevFolder key="NTP" name="ntp">
            <vnsDevFolder key="NTPServer" name="ntp2">
                <vnsDevParam key="server" name="ntp2" value="172.18.116.22" />
            </vnsDevFolder>
        </vnsDevFolder>
    </vnsLDevVip>
</fvTenant>

The ASA device package did not change the IP address of ntp2, but instead created another NTP server on the ASA:
ciscoasa# sh run | i ntp
ntp server 172.18.116.21 prefer
ntp server 172.18.116.22
ntp server 172.18.114.20 prefer

No fault is raised for either configuration issue.

Conditions:
Deleting or changing NTP parameters.
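
Because no fault is raised, this drift only shows up when the posted configuration is compared with the device's running config. The following check is an added example, not Cisco's code: it replays the three posts from this page and diffs the result against `sh run | i ntp` output. The function names are hypothetical, and the `ntp server <ip> [prefer]` rendering is an assumption taken from the output shown above.

```python
import xml.etree.ElementTree as ET

def wrap(body):
    # Re-wrap a folder fragment in the tenant/device envelope used on this page.
    return ('<fvTenant name="g007"><vnsLDevVip name="dmz_asa"><vnsDevFolder key="NTP" name="ntp">'
            + body + '</vnsDevFolder></vnsLDevVip></fvTenant>')

# The three posts from this page, condensed onto single lines.
CREATE = wrap('<vnsDevFolder key="NTPServer" name="ntp1">'
              '<vnsDevParam key="server" name="ntp1" value="172.18.114.20"/>'
              '<vnsDevParam key="prefer" name="prefer" value="enable"/></vnsDevFolder>'
              '<vnsDevFolder key="NTPServer" name="ntp2">'
              '<vnsDevParam key="server" name="ntp2" value="172.18.116.21"/>'
              '<vnsDevParam key="prefer" name="prefer" value="enable"/></vnsDevFolder>')
DELETE_PREFER = wrap('<vnsDevFolder key="NTPServer" name="ntp2">'
                     '<vnsDevParam key="prefer" name="prefer" status="deleted"/></vnsDevFolder>')
CHANGE_IP = wrap('<vnsDevFolder key="NTPServer" name="ntp2">'
                 '<vnsDevParam key="server" name="ntp2" value="172.18.116.22"/></vnsDevFolder>')

def intended_state(posts):
    """Replay posts in order; returns {folder name: {param key: value}}."""
    state = {}
    for xml_text in posts:
        for folder in ET.fromstring(xml_text).iter("vnsDevFolder"):
            if folder.get("key") != "NTPServer":
                continue  # skip the enclosing NTP folder
            params = state.setdefault(folder.get("name"), {})
            for p in folder.findall("vnsDevParam"):
                if p.get("status") == "deleted":
                    params.pop(p.get("key"), None)
                else:
                    params[p.get("key")] = p.get("value")
    return state

def expected_lines(state):
    # Assumption: rendering is "ntp server <ip>[ prefer]", as in the page's output.
    return {"ntp server " + p["server"] + (" prefer" if p.get("prefer") == "enable" else "")
            for p in state.values() if "server" in p}

def ntp_drift(posts, running_config):
    """Compare intended NTP lines with 'sh run | i ntp' output."""
    running = {" ".join(l.split()) for l in running_config.splitlines()
               if l.strip().startswith("ntp server ")}
    want = expected_lines(intended_state(posts))
    return {"missing": sorted(want - running), "unexpected": sorted(running - want)}

if __name__ == "__main__":
    after_change = ("ntp server 172.18.116.21 prefer\nntp server 172.18.116.22\n"
                    "ntp server 172.18.114.20 prefer\n")
    print(ntp_drift([CREATE, DELETE_PREFER, CHANGE_IP], after_change))
```

A non-empty `missing` or `unexpected` list is the signal the device package did not provide; here the stale `172.18.116.21 prefer` entry is reported in both scenarios.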