Cisco Bug: CSCvs80373 - NTP process seems stuck at FXOS making NTP server status to be: Unreachable Or Invalid Ntp Server

Last Modified

Aug 31, 2020

Products (1)

  • Cisco Firepower 9300 Series

Known Affected Releases

2.6(1.156)

Description (partial)

Symptom:
+ NTP server status at FXOS level will show "Unreachable Or Invalid Ntp Server" even though the server is reachable and is an actual NTP server.

FTD /system/services # show ntp-server detail 

NTP server hostname:
    Name: 10.1.1.10
    Time Sync Status: Unreachable Or Invalid Ntp Server
    NTP SHA-1 key id: 0
    Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.

+ This will cause the logical device (ASA/FTD) to have an incorrect time. For example:

* Time on FTD (incorrect)
root@ftd:log# date
Fri Jan  1 04:33:12 CST 2010

* Time on FMC (correct)
root@firepower:~# date
Fri Jan 17 19:19:59 UTC 2020

* In turn, this could cause registration/synchronization issues between FTD and FMC.

Jan  1 10:24:25 ftd SF-IMS[12848]: [12902] sftunneld:sf_peers [INFO] Peer 10.1.1.100 needs a single connection
Jan  1 10:24:26 ftd SF-IMS[12848]: [12901] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.1.1.100:41583/tcp
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [INFO] Processing connection from 10.1.1.100:41583/tcp (socket 12)
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR] -Error with certificate at depth: 1
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR]   issuer   = /title=InternalCA/OU=Intrusion Management System/CN=f183bb64-c66d-11e9-b8cd-dd8ea92990a1/O=Cisco Systems, Inc
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR]   subject  = /title=InternalCA/OU=Intrusion Management System/CN=f183bb64-c66d-11e9-b8cd-dd8ea92990a1/O=Cisco Systems, Inc
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR]   err 9:certificate is not yet valid
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [WARN] SSL Verification status: certificate is not yet valid

Conditions:
FXOS time configured from NTP server.
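
The following Python example is added here and is not part of Cisco's bug record: it correlates the sftunneld sf_ssl lines by thread id and reports handshakes that failed with "certificate is not yet valid", the symptom of the wrong clock described above. The line layout is assumed from the excerpt quoted on this page, and the function name find_clock_skew_failures is hypothetical.

```python
import re

# Sample input: sftunneld lines taken from the symptom excerpt on this page.
SAMPLE = """\
Jan  1 10:24:26 ftd SF-IMS[12848]: [12901] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.1.1.100:41583/tcp
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [INFO] Processing connection from 10.1.1.100:41583/tcp (socket 12)
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR] -Error with certificate at depth: 1
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR]   subject  = /title=InternalCA/OU=Intrusion Management System/CN=f183bb64-c66d-11e9-b8cd-dd8ea92990a1/O=Cisco Systems, Inc
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR]   err 9:certificate is not yet valid
Jan  1 10:24:26 ftd SF-IMS[12848]: [83007] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
"""

# Assumed layout: "<syslog time> <host> SF-IMS[pid]: [thread] sftunneld:sf_ssl [LEVEL] <msg>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ SF-IMS\[\d+\]: \[(?P<tid>\d+)\] "
                  r"sftunneld:sf_ssl \[(?P<lvl>\w+)\]\s+(?P<msg>.*)$")

def find_clock_skew_failures(text):
    """Return one record per failed handshake whose recorded cause was a
    'not yet valid' certificate, correlated by sftunneld thread id."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # other components, e.g. tunnsockets
        tid, msg = m["tid"], m["msg"].strip()
        ctx = state.setdefault(tid, {})
        if (p := re.match(r"Processing connection from ([\d.]+):\d+/tcp", msg)):
            state[tid] = {"peer": p[1]}   # new connection: reset context
        elif (d := re.match(r"-Error with certificate at depth: (\d+)", msg)):
            ctx["depth"] = int(d[1])
        elif (s := re.match(r"subject\s*=\s*(.*)", msg)):
            cn = re.search(r"/CN=([^/]+)", s[1])
            ctx["subject_cn"] = cn[1] if cn else None
        elif msg.startswith("err ") and "not yet valid" in msg:
            ctx["not_yet_valid"] = True
        elif msg == "Accept:SSL handshake failed":
            if ctx.pop("not_yet_valid", False):
                # ts comes from the device's own (possibly wrong) clock
                findings.append({"time": m["ts"], **ctx})
            state.pop(tid, None)
    return findings

if __name__ == "__main__":
    for f in find_clock_skew_failures(SAMPLE):
        print(f"{f['time']} peer={f.get('peer')} depth={f.get('depth')} "
              f"cn={f.get('subject_cn')}: not yet valid, check clock/NTP sync")
```

The timestamp in each finding is the device's own log time, so it reflects the skewed clock rather than the real time of the failure.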