Sync Microsoft Domain Time To A Cisco NTP Device

KB ID 0001038

Problem

I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.

On a client network, my colleague deployed ACS5 this week; I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me from syncing the domain PDC to a public NTP server.

We did, however, have all the network devices syncing from a public time source; if only we could use one of those?

Solution

Step 1 Configure NTP on your Cisco Device.

Here I’m using a 7200 router in GNS3. The NTP addresses I use are UK-based NTP servers; replace them with public NTP servers on your own continent. I’m using two for redundancy, with the first marked prefer so it is the one chosen when both are usable.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7

[/box]

NOTE: You also need to give the Cisco device an authoritative (low) stratum. The lower the stratum, the closer to a reference clock the source claims to be, so with ntp master we are making the device claim more accuracy than it may have: if it cannot reach the servers above it, it will serve time from its own internal clock at stratum 5. An IOS device that has not synchronised (and has no ntp master) advertises stratum 16, which means unsynchronised, and Windows will not accept that as a time source.

[box]

Petes-Router(config)#ntp master 5

[/box]

It can take a while for NTP to synchronise (go and have a coffee), then check with show ntp status. DO NOT proceed until the Cisco device reports ‘Clock is synchronized’. In the output below the reference is 127.127.1.1, which is the router’s own internal clock: that is what ntp master falls back to when the device is not following one of its configured servers. When it really is following a public server, the reference will be that server’s address and the stratum one above the server’s.

[box]

R1#show ntp status
Clock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.

[/box]

Step 2 Configure Windows to use Cisco NTP Time

In the past I’ve said “Windows Does not use NTP, it uses Win32 Time”. This is not strictly true: it does use NTP, but by default the Windows Time service contacts a manually configured peer in ‘Symmetric Active Mode NTP’, whereas your Cisco device expects requests from a client in ‘Client Mode NTP‘ (see MS KB 875424 for more info). The 0x8 flag after each peer address in the commands below is what forces client mode, which is why it is there.

Note: By default a Windows domain takes its time from the PDC emulator (in a multi-domain forest, the one in the forest root domain); carry this procedure out on that server!

Locate your FSMO Role Servers

Open an elevated command prompt and execute the following commands (123.123.123.148 is the Cisco device’s address, change it to match yours);

[box]

w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync

Note: If you want to specify TWO Cisco devices, the peer list is space separated and each peer carries its own 0x8 flag, all inside one pair of quotes

w32tm /config /manualpeerlist:"123.123.123.148,0x8 123.123.123.149,0x8" /syncfromflags:MANUAL

[/box]

Now, in the server’s System log, you should see the following two events logged.

Event ID 37

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).

Event ID 35

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).


Windows and Cisco NTP Problems and Errors

Event ID 47

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured 
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a 
time source and NtpClient will attempt to discover a new peer with this DNS name. The 
error was: The peer is unreachable.

On the Cisco device, debug ntp all shows output like the following (it repeats for each of the 8 attempts). Note that the debug shows the Windows server’s packets (from 123.123.123.151) arriving at the router, so in this trace UDP port 123 was not being blocked; the router was receiving the requests but not sending back a reply that Windows would accept;

[box]

Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#

[/box]

Causes:

This is a fairly generic error, but in this case one of the following situations can cause it;

1. UDP port 123 is blocked between Windows and the Cisco NTP device (in either direction, the request or the reply).

2. The Cisco NTP device has not synchronised from a reliable NTP source (without ntp master it then advertises stratum 16, which Windows rejects).

3. The stratum of the Cisco NTP device is too high.

4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP‘ because the 0x8 flag is missing from the peer entry. See my comments above.
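To tell these causes apart from the Windows end of the link, send the same kind of request the 0x8 flag makes Windows send (NTP mode 3, client) and look at what comes back. The Python probe below is an added example, not code from this article, from Cisco IOS or from the Windows Time service; it builds a client-mode request, decodes the reply as laid out in RFC 5905 and applies the checks a client makes (server mode, synchronised, stratum between 1 and 15). The two packets it decodes offline are constructed, not captured, and mirror the show ntp status outputs on this page (stratum 5 with reference 127.127.1.1 from the router above, and the unsynchronised stratum 16 state shown for the ASA further down); a third constructed packet shows the symmetric-passive answer a non-0x8 request gets. The device address passed on the command line is an assumption. No reply at all is the blocked UDP 123 case, the situation Windows reports as event 47.

```python
"""Client-mode NTP probe: send the request Windows sends with the 0x8 flag
(RFC 5905 mode 3) and judge the reply the way a client does.  Added example;
not code from this article, Cisco IOS or the Windows Time service."""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MODE_SYMMETRIC_ACTIVE, MODE_SYMMETRIC_PASSIVE, MODE_CLIENT, MODE_SERVER = 1, 2, 3, 4
LI_UNSYNCHRONISED = 3              # leap indicator value meaning "clock not set"


def build_client_request(version=3, mode=MODE_CLIENT):
    """48-byte request: LI=0, VN=version and the mode packed into byte 0, our
    send time in the transmit-timestamp field (bytes 40-47), the rest zero.
    mode=MODE_SYMMETRIC_ACTIVE reproduces what Windows sends WITHOUT 0x8."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | mode
    struct.pack_into("!Q", pkt, 40, int((time.time() + NTP_EPOCH_OFFSET) * (1 << 32)))
    return bytes(pkt)


def parse_reply(data):
    """Decode the header fields a client needs in order to judge a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    li, version, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    refid = data[12:16]
    # Stratum 0 and 1 carry a 4-character code (GPS, LOCL, or a kiss code);
    # higher strata carry the IPv4 address of the source the server follows,
    # which is how 127.127.1.1 (the IOS local clock under "ntp master") shows up.
    if stratum <= 1:
        reference = refid.decode("ascii", "replace").rstrip("\x00")
    else:
        reference = ".".join(str(b) for b in refid)
    tx_ntp = struct.unpack_from("!Q", data, 40)[0]
    return {"li": li, "version": version, "mode": mode, "stratum": stratum,
            "reference": reference,
            "transmit_unix": tx_ntp / (1 << 32) - NTP_EPOCH_OFFSET}


def evaluate_reply(info):
    """Return (usable, reason) using the acceptance rules a client applies.
    Each branch corresponds to one of the causes listed above."""
    if info["mode"] != MODE_SERVER:
        # A symmetric-active request is answered (if at all) in symmetric-passive
        # mode, which a client-mode peer entry will not accept.
        return False, "reply mode %d is not server mode 4; check the request mode / 0x8 flag" % info["mode"]
    if info["stratum"] == 0:
        return False, "stratum 0: kiss-o'-death or invalid (code %r)" % info["reference"]
    if info["li"] == LI_UNSYNCHRONISED or info["stratum"] >= 16:
        return False, "source is unsynchronised (LI=%d, stratum=%d)" % (info["li"], info["stratum"])
    if info["transmit_unix"] <= 0:
        return False, "transmit timestamp is zero"
    return True, "stratum %d, reference %s" % (info["stratum"], info["reference"])


def probe(host, timeout=3.0, mode=MODE_CLIENT):
    """One live round trip.  None means no reply: UDP/123 is blocked or the
    device is not answering, the situation Windows logs as event 47."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(mode=mode), (host, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data)


def make_reply(li, stratum, reference, mode=MODE_SERVER, version=3):
    """Constructed server reply for offline use; not a captured packet."""
    pkt = bytearray(48)
    pkt[0] = (li << 6) | (version << 3) | mode
    pkt[1] = stratum
    if stratum <= 1:
        pkt[12:16] = reference.encode("ascii").ljust(4, b"\x00")
    else:
        pkt[12:16] = bytes(int(octet) for octet in reference.split("."))
    struct.pack_into("!Q", pkt, 40, int((time.time() + NTP_EPOCH_OFFSET) * (1 << 32)))
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    # Offline: constructed replies mirroring the "show ntp status" outputs on this page.
    samples = {
        "router (ntp master 5)": make_reply(li=0, stratum=5, reference="127.127.1.1"),
        "asa before sync": make_reply(li=3, stratum=16, reference="0.0.0.0"),
        "symmetric-passive answer": make_reply(li=0, stratum=3, reference="130.88.212.143",
                                               mode=MODE_SYMMETRIC_PASSIVE),
    }
    for name, pkt in samples.items():
        print("%-26s %s" % (name, evaluate_reply(parse_reply(pkt))))
    # Live: python ntp_probe.py <cisco-device-ip>   (the address is an assumption)
    if len(sys.argv) > 1:
        info = probe(sys.argv[1])
        print(sys.argv[1], "no reply: UDP/123 blocked or not answering" if info is None
              else evaluate_reply(info))
```

Run it from the PDC emulator (any Python 3) against the Cisco device’s address: a timeout is cause 1, an unsynchronised or stratum 16 reply is cause 2, and a non-server-mode reply is what a missing 0x8 produces (pass mode=MODE_SYMMETRIC_ACTIVE to probe to see the difference). If the probe gets a usable reply but Windows still logs event 47, compare with w32tm /query /source and w32tm /query /peers on the PDC, which show which peer the service is configured with and actually using.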

Related Articles, References, Credits, or External Links

Windows – Setting Domain Time

Cisco ASA – Configuring for NTP

VMware – Setting up ESX NTP Time Sync

Cisco ASA – Configuring for NTP

KB ID 0000608

Problem

With NTP there are two things you will want to do: 1) allow a device behind the ASA to take its time from a public NTP server, and 2) set the ASA to take its own system time from a public NTP server (for accurate date stamps on the logs, and for time-critical things like Kerberos authentication).

Solution

Allow internal host(s) to get system time through the firewall.

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. To see which rules are applied to traffic going OUT through the firewall, run a “show run access-group” command.

[box]

PetesASA(config)# show run access-group

Sample Output

access-group outbound in interface inside
access-group inbound in interface outside

[/box]

Note: If it returns nothing, outbound traffic is NOT being filtered and NTP should work anyway. In the example above, traffic going IN on the inside interface (which is traffic leaving the network, if you think about it!) is filtered by an access list called ‘outbound’ (because I give my ACLs sensible names; yours could be called anything!).

3. To allow ALL hosts, use the keyword any; for a specific host, use the keyword host. Remember that an access-list entry added this way goes at the END of the ACL, so if an earlier line already denies the traffic the new one is never reached (use the line keyword to insert it higher up). For least privilege, replace the destination any with the address of the NTP server(s) you actually use.

[box]

Allow all hosts access to NTP

PetesASA(config)# access-list outbound permit udp any any eq 123

Allow one host (10.254.254.1) access to NTP

PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123

[/box]

4. Finally, save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Set the ASA to get its System Time from an External NTP Source

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. The IP address I’m using is in the UK; if you want one closer to you, look here.

[box]

PetesASA(config)#  ntp server 130.88.212.143 source outside

[/box]

3. To check on its status, simply execute a “show ntp status” command. BUT it will take a few minutes to synchronise; until it does you will see the following (stratum 16 and “no reference clock” are how an NTP server reports that it is unsynchronised, and no client will accept time from it in this state);

[box]

PetesASA(config)#  show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#

[/box]

When it has finally synchronised, the stratum drops (here to 3, one above the stratum 2 server it is following) and the reference becomes that server’s address;

[box]

PetesASA(config)#   show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec 
PetesASA(config)#

[/box]

4. Finally, save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Related Articles, References, Credits, or External Links

Set Cisco ASA for Kerberos Authentication