Cisco Cisco ASA 5555-X Adaptive Security Appliance 문제 해결 가이드
NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
leap 0, mode 4, version 3, stratum 2, ppoll 64
rtdel 0800 (31.250), rtdsp 7dcc3 (7862.350), refid C6976401 (198.151.100.1)
ref ccd5ee4e.4cd51570 (22:23:58.300 EDT Mon Apr 24 2013)
org ccd5ee61.f71e22bd (22:24:17.965 EDT Mon Apr 24 2013)
rec ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
xmt ccd5ee61.f0ac1fae (22:24:17.940 EDT Mon Apr 24 2013)
inp ccd5ee61.f8744957 (22:24:17.970 EDT Mon Apr 24 2013)
NTP: 172.16.1.3 reachable
The value that is of interest is: rtdsp 7dcc3 (7862.350). The dispersion indicates the error relative to its
reference source in milliseconds. The ASA's implementation of NTP declares a time source as invalid if that
root dispersion value in the packet is larger than 1,000.
reference source in milliseconds. The ASA's implementation of NTP declares a time source as invalid if that
root dispersion value in the packet is larger than 1,000.
Here is the debug output from a response recieved from an NTP server that synchronizes without issue. Notice
that the root dispersion is much lower.
that the root dispersion is much lower.
NTP: rcv packet from 172.18.108.15 to 172.18.254.61 on outside:
leap 0, mode 4, version 3, stratum 1, ppoll 64
rtdel 0000 (0.000), rtdsp 000f (0.229), refid C6976401 (198.151.100.1)
ref ccd5fc03.000becc0 (23:22:27.000 EDT Mon Apr 24 2013)
org ccd5fc09.7705ecf8 (23:22:33.464 EDT Mon Apr 24 2013)
rec ccd5fc09.778d15a1 (23:22:33.466 EDT Mon Apr 24 2013)
xmt ccd5fc09.778e1e93 (23:22:33.467 EDT Mon Apr 24 2013)
inp ccd5fc09.778eb534 (23:22:33.467 EDT Mon Apr 24 2013)
If you change the server's registry in accordance with the Microsoft articles referenced earlier, you reduce the
root dispersion value to an acceptable level, but only if the local clock is used as the time reference.
Set LocalClockDispersion to "0" in order to reduce the root dispersion significantly.
root dispersion value to an acceptable level, but only if the local clock is used as the time reference.
Set LocalClockDispersion to "0" in order to reduce the root dispersion significantly.
Here is another packet debug of Windows Server NTP response after you change the registry values:
NTP: rcv packet from 172.16.1.3 to 172.16.1.1 on DMZ:
leap 0, mode 4, version 3, stratum 1, ppoll 128
rtdel 0000 (0.000), rtdsp 0ede (58.075), refid C6976401 (198.151.100.1)
ref ccd60291.af53f7ce (23:50:25.684 EDT Mon Apr 24 2013)
org ccd610e5.efecb657 (00:51:33.937 EDT Tue Apr 25 2013)
rec ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
xmt ccd610e5.ff333333 (00:51:33.996 EDT Tue Apr 25 2013)
inp ccd610e5.f07b651d (00:51:33.939 EDT Tue Apr 25 2013)
A root dispersion value that is higher than the stratum 1 is still sent and noted in the second output, but it is
less than 1,000, and accepted by the ASA.
less than 1,000, and accepted by the ASA.
Updated: Aug 19, 2014
Document ID: 118053