sonydarrel
New Member
August 25, 2015
Question

Time synchronization


Hello guys,

All network devices are configured to query time from the Fortinet, which acts as a time server. The Fortinet is sending packets to the internal LAN to the Cisco Nexus switches, but because of stratum 16 the Nexus switches are not syncing. How can I reduce the stratum value on the Fortinet firewall? Also, I want to enable authentication for only the internal LAN switches and not for the internet servers (pool.ntp.org). How can I achieve that? Can anybody help me with a configuration example?

 

(ntp) # show
config system ntp
    set interface "port22" "port32"
    config ntpserver
        edit 1
            set server "pool.time.org"
        next
    end
    set ntpsync enable
    set server-mode enable
    set syncinterval 10
    set type custom
end

    2 replies

    Dave_Hall
    New Member
    August 25, 2015

    Default FortiGate settings will only show what is configured differently from the default value; use "show all" instead of "show" if you want to see what other options are configurable for a setting. Also, some feature sets are not shown until an option is first enabled (e.g. set status enable).

     

    In your case, I think you will want to configure the server mode type/IP and enable the authentication options.

     

     

     

    sonydarrel
    New Member
    August 28, 2015

    Dear Dave/emnoc

     

    If my Fortinet is requesting time from an NTP server which has authentication enabled, then the configs below will work.

     

    (ntp) # show
    config system ntp
        set interface "port22" "port32"
        config ntpserver
            edit 1
                set authentication enable
                set key fortinetsecret
                set key-id 234
                set server 10.120.0.21
            next
        end
        set ntpsync enable
        set server-mode enable
        set syncinterval 10
        set type custom

     

    But for my switches, which are requesting time from the Fortinet firewall 1200D, how can I enable authentication on the 1200D for the switches only? Are the commands below correct? I have not entered a set server X.X.X.X command because the Fortinet itself is a server for the switches.

        edit 2
            set authentication enable
            set key fortinetsecret
            set key-id 234
        next

     

    Thanks

    emnoc
    New Member
    August 26, 2015

    You can't just decrease an NTP stratum value; a value of 16 means you're NOT IN SYNC, so the Nexus will never establish sync. I would first make sure your diagnostics show you have an established clock discipline, and then double-check the NTP config on the Nexus.

     

    IMHO, and from my experience, NX-OS has created big issues in NTP vs. IOS or IOS-XR. I've experienced major issues with NX-OS syncing to a local stratum clock GM from a symmetric TP5500, where everybody else synced correctly to the GM (stratum 1).

     

    Here's a post I placed for a client of mine; it pertains to 3500s, but our 7K didn't have any issues. BTW, since this post date, we have upgraded our NX3548 numerous times.

     

    http://socpuppet.blogspot...-6x-how-to-enable.html

     

    If you have the means to use ntpq, I would query the local FortiGate first and then look at the NX switches. If you have other systems maintaining clock sync with no issues, then look at the NX switches.
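
Added example (not part of any post in this thread, and not Fortinet or Cisco code): a Python check of the two things discussed above, whether an NTP server reply is actually synchronized (stratum 1 to 15, leap indicator not 3) and whether its symmetric-key MAC verifies for a given key-id. It assumes the MD5 key type; `build_reply` and `parse_ntp_reply` are hypothetical helper names, and the sample packets are constructed, using the key-id and key posted in the thread.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; a symmetric-key MAC, if any, follows it


def build_reply(stratum, leap, key_id=None, secret=None):
    """Build a constructed server reply (mode 4, NTPv4); not captured traffic."""
    header = struct.pack("!BB", (leap << 6) | (4 << 3) | 4, stratum) + bytes(46)
    if key_id is None:
        return header
    # MAC = 4-byte key-id + MD5(secret || header)  (assumed MD5 key type)
    return header + struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()


def parse_ntp_reply(packet, keys=None):
    """Report sync state and, if keys ({key_id: secret}) is given, MAC validity."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than an NTP header")
    flags, stratum = struct.unpack("!BB", packet[:2])
    leap, mode = flags >> 6, flags & 0x7
    # Leap indicator 3 or a stratum outside 1..15 (0 or 16) means the server
    # has no disciplined clock, so clients will refuse to sync to it.
    result = {
        "stratum": stratum,
        "leap": leap,
        "synchronized": mode == 4 and leap != 3 and 1 <= stratum <= 15,
        "authenticated": None,  # None = authentication not checked
    }
    if keys is not None:
        mac = packet[HEADER_LEN:]
        result["authenticated"] = False
        if len(mac) == 20 and (secret := keys.get(struct.unpack("!I", mac[:4])[0])):
            expected = hashlib.md5(secret + packet[:HEADER_LEN]).digest()
            result["authenticated"] = hmac.compare_digest(expected, mac[4:])
    return result


if __name__ == "__main__":
    keys = {234: b"fortinetsecret"}  # key-id and key as posted in the thread
    samples = {
        "unsynchronized server": build_reply(16, 3),
        "synced, valid MAC": build_reply(3, 0, 234, b"fortinetsecret"),
        "synced, wrong key": build_reply(3, 0, 234, b"wrong"),
        "synced, no MAC": build_reply(3, 0),
    }
    for name, pkt in samples.items():
        print(name, parse_ntp_reply(pkt, keys))
```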