topic Hello, thank you for your in Network Security

Problem transfer TFTP through ASA 5505

Thomas P — Tue, 12 Mar 2019 04:03:13 GMT

Hello,

I have a problem with my ASA 5505, I am not able to transfer files bigger than 100ko using TFTP. Below my archiecture:

CME<->ASA5505<->SW3650

Here is what I get when I try to download a file located on the 3650 on my CME:

CME#copy tftp flash

Address or name of remote host [X.X.X.X]?

Source filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?

Destination filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?

Accessing tftp://X.X.X.X/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar...

Loading cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar from 10.52.199.126 (via GigabitEthernet0/0): !... [timed out]

Error reading tftp://10.52.199.126/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar (Connection timed out)

When I look on the ASA monitoring page, I see that a UDP connection is built between the ASA and the SW3650 but 2 minutes later there are "Teardown UDP connection" messages.

Can you please help me? Due to this transfer issue, I am not able to upgrade my IP Phones (the phones only download the first 2 files because there are smaller than 100ko).

Thank you in advance for your help.

Regards.

Thomas.

Thomas,Check whether your CME

Poonam Garg — Wed, 09 Apr 2014 11:06:47 GMT

Thomas,

Check whether your CME router flash memory have enough space for this file to be copied, or you can try to do ftp transfer if your company policy allow that.

Hello, thank you for your

Thomas P — Wed, 09 Apr 2014 11:14:15 GMT

Hello, thank you for your answer.

I have enough space on my CME to download this file.

FTP transfers don't work. On the ASA monitoring, I see Deny TCP (no connection) when I do FTP transfer.

Default UDP connection time

Poonam Garg — Wed, 09 Apr 2014 12:19:37 GMT

Default UDP connection time out is 2 minutes through the ASA.

You can modify the timeout values for the specific flow from a particular source to destination . Try changing the default connection timeout of UDP

ASA(config)# access-list CONNS permit udp host  CME ip tftp serverip port

ASA(config)# class-map CONNS

ASA(config-cmap)#match access-list CONNS

ASA(config)# policy-map CONNS

ASA(config-pmap)# class CONNS

ASA(config-pmap-c)# set connection timeout idle 00:30:00

ASA(config)# service-policy CONNS {global | interface interface_name}

you can also globally change the timeout value of UDP using:

ASA(config)# timeout udp 00:30:00

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html#wp1080774

HTH

"Please rate helpful posts"

Is port 69 allowed through

Marius Gunnerud — Wed, 09 Apr 2014 12:23:33 GMT

Is port 69 allowed through your ASA? If not then add it in...and ofcourse remove it after the transfer if required

Please remember to rate and select a correct answer

Yes, the UDP port is open

Thomas P — Wed, 09 Apr 2014 12:40:45 GMT

Yes, the UDP port is open (UDP transfers work with small file).

Hello,Why do you want to

Thomas P — Wed, 09 Apr 2014 12:44:30 GMT

Hello,

Why do you want to change the UDP timeout value?

I see, Which TFTP server are

Marius Gunnerud — Wed, 09 Apr 2014 12:48:28 GMT

I see, Which TFTP server are you using? I have heard that there are some TFTP servers which do not support larger files, some that require you to adjust some setting to allow for larger transfers, and so on. I use TFTPD64 which is the 64bit version of TFTPD32, but have not had any issues with transfering large files using that.

Might be worth a try to change the TFTP server you are using to see if that is the cause of your problem.

http://tftpd32.jounin.net/tftpd32_download.html

Please remember to rate and select a correct answer

Hello,I tried to use my core

Thomas P — Wed, 09 Apr 2014 14:44:14 GMT

Hello,

I tried to use my core switch as TFTP server and also my PC using TFTP 64.

Same issue on both systems (see file attached for TFTP64).

Why do you think the ASA is

Rudy Sanjoko — Wed, 09 Apr 2014 15:14:53 GMT

Why do you think the ASA is the one at fault here? Have you tried to connect the switch directly to the CME? Does this work? If this also doesn't solve the issue, have you tried using FTP instead of TFTP?