Cisco Firepower Management Center 2000 Troubleshooting Guide
NTP Server : 127.0.0.2 (Cannot Resolve)
Status : Being Used
Offset : -8.344 (milliseconds)
Last Update : 188 (seconds)
Note: If a managed device is configured to receive time from a FireSIGHT Management Center, the device shows a timesource with a loopback address, such as 127.0.0.2.
2. If an appliance displays that it is syncing with 127.127.1.1
admin@FirePOWER:~$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.200     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*127.127.1.1     .SFCL.          14 l    3   64  377    0.000    0.000   0.001
3. In the ntpq command output, if the value of st (stratum) is 16, it indicates that the timeserver is unreachable and the appliance will not be able to synchronize with that timeserver.
4. In the ntpq command output, reach shows an octal number that indicates success or failure to reach the source for the most recent 8 polling attempts. A value of 377 means the last 8 attempts were successful. Any other value may indicate that one or more of the last 8 attempts were unsuccessful.
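The checks in items 2 to 4 can be applied to every peer line of the ntpq output in one pass. The script below is an added example, not part of the Cisco guide: the function names and the third peer (198.51.100.7) are constructed for illustration, and it assumes the standard `ntpq -pn` column order shown above.

```shell
#!/bin/sh
# Added example, not Cisco code. Function names are hypothetical.
# Constructed sample: the two peers from the ntpq output above plus one
# constructed peer (198.51.100.7) that missed a poll.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.200     .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*127.127.1.1     .SFCL.          14 l    3   64  377    0.000    0.000   0.001
+198.51.100.7    .GPS.            1 u   12   64  357    1.204   -0.310   0.087'

# reach_history OCTAL: expand the octal reach value into its 8 poll bits,
# oldest poll on the left, most recent on the right (1 = reply received).
reach_history() {
    n=$((0$1)); bits=""; i=0        # leading 0 makes the shell read octal
    while [ "$i" -lt 8 ]; do
        bits="$((n % 2))$bits"; n=$((n / 2)); i=$((i + 1))
    done
    printf '%s\n' "$bits"
}

# classify_peers: read `ntpq -pn` output on stdin and print
# "<peer> <verdict> st=<stratum> reach=<bits>" for each peer line.
classify_peers() {
    while read -r remote refid st t when poll reach rest; do
        case "$remote" in ""|remote|=*) continue ;; esac             # skip header
        case "$remote" in [!0-9a-fA-F:]*) remote=${remote#?} ;; esac # drop tally char
        hist=$(reach_history "$reach")
        if [ "$st" -eq 16 ]; then
            verdict=UNREACHABLE      # item 3: stratum 16
        elif [ "${remote#127.127.}" != "$remote" ]; then
            verdict=LOCAL_CLOCK      # item 2: ntpd reference-clock pseudo-address
        elif [ "$hist" = 11111111 ]; then
            verdict=OK               # item 4: reach 377
        else
            verdict=MISSED_POLLS     # item 4: any other reach value
        fi
        printf '%s %s st=%s reach=%s\n' "$remote" "$verdict" "$st" "$hist"
    done
}

# On an appliance: ntpq -pn | classify_peers
printf '%s\n' "$SAMPLE" | classify_peers
```

The expanded bit string shows which of the last 8 polls failed, which the raw octal value does not make obvious: a 0 near the right edge is a recent miss, a 0 near the left edge is an old one.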
Step 3: Verify Connectivity
1. Check the basic connectivity to the time server.
admin@FireSIGHT:~$ ping <IP_address_of_NTP_server>
2. Ensure that port 123 is open on your FireSIGHT Systems.
admin@FireSIGHT:~$ netstat -an | grep 123
3. Confirm that port 123 is open on the firewall.
4. Check the hardware clock:
admin@FireSIGHT:~$ sudo hwclock
If the hardware clock is too far out of date, it may never successfully sync. To manually force the clock to be set with a time server, run the following command:
admin@FireSIGHT:~$ sudo ntpdate -u <IP_address_of_known_good_timesource>
Then restart ntpd:
admin@FireSIGHT:~$ sudo pmtool restartbyid ntpd
Step 4: Verify Configuration Files
1. Check if the sfipproxy.conf file is populated correctly. This file is responsible for sending NTP traffic over the sftunnel.