Cisco ASA5505 won't sync with NTP

Posted by Martijn Heemels on Server Fault
Published on 2012-06-26T08:43:23Z; indexed on 2012/06/26 9:17 UTC

Today I noticed that the clock on my Cisco ASA 5505 firewall was running about 15 minutes late, which surprised me since I've set up the NTP client.

My two NTP servers 10.10.0.1 and 10.10.0.2 are virtualized Windows Server 2008 R2 domain controllers, and both have the correct time.

As shown below, the ASA knows about the two servers, can ping them and seems to poll them periodically, so I suppose it can reach them both. The ASA claims its time source is NTP; however, the clock is unsynchronized. Neither host is marked as synced.

Result of the command: "ping 10.10.0.1"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Result of the command: "sh ntp ass"

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~10.10.0.1        .LOCL.            1    78  1024  377     0.5  643.69    17.0
 ~10.10.0.2        10.10.0.1         2   190  1024  377     0.9  655.91    58.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Result of the command: "sh ntp stat"

Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (07:28:16.000 CEST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

Result of the command: "sh clock detail"

10:33:23.769 CEDT Tue Jun 26 2012
Time source is NTP
UTC time is: 08:33:23 UTC Tue Jun 26 2012
Summer time starts 02:00:00 CEST Sun Mar 25 2012
Summer time ends 03:00:00 CEDT Sun Oct 28 2012

I've tried the basic steps of manually setting the time and removing and adding the timeservers, to no avail.

My ASA's ntp config is simply:

ntp server 10.10.0.1
ntp server 10.10.0.2

Do I need to enable authentication to use a Windows NTP server?

Any thoughts?
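
Added example, not part of the original post: a small Python parser for the "sh ntp ass" output quoted above. It decodes the reach column (an octal shift register of the last eight polls) and separates "server not answering" from "server answering but not selected as master". The function names are illustrative.

```python
import re

# Output of "sh ntp ass", copied from the post above.
SH_NTP_ASS = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~10.10.0.1        .LOCL.            1    78  1024  377     0.5  643.69    17.0
 ~10.10.0.2        10.10.0.1         2   190  1024  377     0.9  655.91    58.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Flag characters, taken from the legend line of the output.
FLAGS = {"*": "master (synced)", "#": "master (unsynced)",
         "+": "selected", "-": "candidate", "~": "configured"}

ROW = re.compile(r"^\s*([*#+\-~]+)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)"
                 r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$")

def parse_associations(text):
    """Return one dict per peer row of the association table."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend and blank lines
        flags, addr, ref, st, when, poll, reach, delay, offset, disp = m.groups()
        reg = int(reach, 8)  # reach is printed in octal; one bit per recent poll
        peers.append({
            "address": addr, "ref_clock": ref, "stratum": int(st),
            "flags": [FLAGS[c] for c in flags],
            "polls_answered": bin(reg).count("1"),  # out of the last 8
            "offset_ms": float(offset), "disp_ms": float(disp),
            "synced": "*" in flags,
        })
    return peers

def diagnose(peers):
    """Separate 'peer not answering' from 'peer answering but not selected'."""
    findings = []
    for p in peers:
        if p["polls_answered"] == 0:
            findings.append(f"{p['address']}: unreachable (no poll answered)")
        elif not p["synced"]:
            findings.append(f"{p['address']}: {p['polls_answered']}/8 polls answered, "
                            f"offset {p['offset_ms']} ms, but not selected as master")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_associations(SH_NTP_ASS)):
        print(finding)
```

On the output above, both servers report 8/8 polls answered without being selected, so the problem is not basic reachability.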

© Server Fault or respective owner
