The NTP server needs to have a route to the outside interface of ASA2. It seems
that you can see the traffic up to the outside interface of ASA1. Is the NTP
server part of the crypto ACL on ASA1 and ASA2? If you have not enabled the
sysopt permit vpn command, then you need to add a proper VPN filter for the
reverse traffic, i.e. traffic from the NTP servers to ASA2.


Regards,
FNK.
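
The check raised in this thread (is the NTP flow, which ASA2 sources from its outside interface, matched by the crypto ACLs on both peers?) as an added example that is not part of the original messages. The ACL name `VPN`, every address except the 10.50.0.0 subnet, and the /24 masks are constructed for illustration.

```python
import ipaddress

def _take(tok):
    """Consume one ASA address spec: 'any', 'host A' or 'A MASK'."""
    head = tok.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}", strict=False)

def parse_crypto_acl(config, name):
    """Return [(src_net, dst_net)] for the 'permit ip' lines of one ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["access-list", name, "extended", "permit", "ip"]:
            rest = tok[5:]
            entries.append((_take(rest), _take(rest)))
    return entries

def covers(entries, src, dst):
    """True if some ACL entry matches the src -> dst address pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def ntp_flow_report(asa1_cfg, asa2_cfg, acl, asa2_outside, ntp_server):
    """Both directions must be 'interesting traffic' for NTP to use the tunnel."""
    return {
        "asa2_request_matched": covers(parse_crypto_acl(asa2_cfg, acl), asa2_outside, ntp_server),
        "asa1_reply_matched": covers(parse_crypto_acl(asa1_cfg, acl), ntp_server, asa2_outside),
    }

# Constructed sample configs: LAN-to-LAN only, mirrored, yet NTP is not covered.
ASA1_LAN_ONLY = "access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.50.0.0 255.255.255.0"
ASA2_LAN_ONLY = "access-list VPN extended permit ip 10.50.0.0 255.255.255.0 10.10.0.0 255.255.255.0"
# Same ACLs with the ASA2 outside address <-> NTP server pair added on both peers.
ASA1_FIXED = ASA1_LAN_ONLY + "\naccess-list VPN extended permit ip host 10.10.0.5 host 203.0.113.2"
ASA2_FIXED = ASA2_LAN_ONLY + "\naccess-list VPN extended permit ip host 203.0.113.2 host 10.10.0.5"

if __name__ == "__main__":
    for label, a1, a2 in (("lan-only", ASA1_LAN_ONLY, ASA2_LAN_ONLY), ("fixed", ASA1_FIXED, ASA2_FIXED)):
        print(label, ntp_flow_report(a1, a2, "VPN", "203.0.113.2", "10.10.0.5"))
```

Mirrored ACLs and working encryption for the LAN subnet say nothing about the firewall's own NTP traffic, which is why the LAN-only pair reports both directions unmatched.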

On Fri, Sep 23, 2011 at 7:10 AM, Piotr Matusiak <[email protected]> wrote:

> You can enable logging and check if it goes out and why it is dropped:
>
> logging buffered 7
> logg on
>
> show logg will reveal all the info.
>
> Regards,
> Piotr
>
>
> 2011/9/23 parvez ahmad <[email protected]>
>
>>
>> Hi Piotr,
>>>
>>
>> IPsec phase 2 is working fine; packets are encrypting and decrypting
>> for the 10.50.0.0 subnet. Crypto ACLs are mirrored.
>>
>> Is there any way to check where the packet is dropping? Except this site,
>> all remote sites are synchronized with the NTP server.
>>
>> Regards,
>> Parvez
>>
>>
>>
>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Thu, 22 Sep 2011 15:53:21 +0200
>>> From: Piotr Matusiak <[email protected]>
>>> To: parvez ahmad <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] NTP Authentication on ASA
>>> Message-ID:
>>>        <
>>> cahlkuyq45cdmmjzdofwkpjo4y2svfqgf9q0gyxxjdjnjt9u...@mail.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Do you have routing and Crypto_ACL configured correctly? When the remote
>>> ASA tries to sync with NTP server it sources the traffic from the
>>> outside - do you have this in crypto_acl?
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>> 2011/9/22 parvez ahmad <[email protected]>
>>>
>>> > Hi All
>>> >
>>> > Topology is
>>> >
>>> > NTP Server------(inside)ASA1(outside)-----------Internet---------(Outside)ASA2(inside)----------Lan
>>> >
>>> > ASA1 and ASA2 are connected through site to site VPN. Phase1 and Phase2
>>> > are working fine.
>>> >
>>> > ASA1 is synchronized with the NTP server but ASA2 is not.
>>> >
>>> > I checked with NTP debug; we are getting Xmit packets but not receiving
>>> > packets.
>>> >
>>> > Even the configuration and NTP authentication key are the same. On ASA1
>>> > the server is inside in the command and on ASA2 the server is outside.
>>> >
>>> > What do we need to check for synchronizing ASA2 with the NTP server?
>>> >
>>> >
>>> > Regards,
>>> > Parvez
>>> >
>>> > --
>>> > Parvez Ahmad
>>> >
>>> >
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training,
>>> please
>>> > visit www.ipexpert.com
>>> >
>>> > Are you a CCNP or CCIE and looking for a job? Check out
>>> > www.PlatinumPlacement.com
>>> >
>>>
>>
>>
>>
>
>
>