Re: Cant copy from flash to TFTP server on ASA5555-X over Anyconnect VPN

amardulaimi · ‎03-24-2021

Hello,

I'm having issues copying files from ASA flash to TFTP server over Anyconnect VPN. I have a Nexus 9K switch thats connected to the ASA and I have no issues copying files from the flash on the Nexus switch to the TFTP server. Its just that when I copy from/to the flash/TFTP server on the ASA is not working. I get a "(Timed out attempting to connect)" message. I believe I've configured the required ACL and NAT, split tunnel on the ASA but not sure whats missing

VPN host / TFTP server IP: 10.120.0.57

Thanks

Spooster IT Services · ‎03-25-2021

Hello @amardulaimi

1. Make sure you have a management access command setup on ASA

management-access <LAN Interface Nameif>

2. Configure no nat for ASA LAN Interface subnet and Anyconnect subnet.

***Please rate all helpful posts***

Spooster IT Services Team

amardulaimi · ‎03-25-2021

The management-access is already configured. Can you provide a config example of the no nat and how is that going to help ? as I have 4 sub-interfaces configured for the 4 vlans on the inside network.

Asemmoqbel · ‎03-25-2021

hello,

You can't access TFTP server from ASA because ASA is using outside interface ip address as source and Outside interface subnet is not allowed to communicate over VPN tunnel because the subnet is not included in spilt-tunnel ACL.

Just add 72.138.150.x/28 outside subnet under split-tunnel ACL and it will work.

Best Regards

Asem

amardulaimi · ‎03-25-2021

I tried that but still not able to copy to the TFTP server from the ASA

Asemmoqbel · ‎03-25-2021

After adding the subnet to ACL, can you ping the tftp server from ASA?? and make sure you add the subnet with exact mask.

Also verify that 72.138.150.x/28 subnet is displayed under route details on AnyConnect client.

best regards

Asem

amardulaimi · ‎03-25-2021

Yes now i can ping the tftp server from ASA and in SolarWinds tftp server log I can see the public IP of the ASA making it through but says "dropped because peer didn't respond" and now I can see the file in the tftp root folder but with 0 KB

Asemmoqbel · ‎03-26-2021

Hello,

Then the original issue is solved as the connection between ASA and tftp server is established now.

and It seems there is an issue with your SolarWinds server causing the drop and sorry I haven't used it so i can't help.

you can go to SolarWinds support and enquiry them about the issue or just install tftp32 software if your company policy allow it.

Best Regards

Asem

amardulaimi · ‎03-26-2021

The original issue has not been resolved. I can ping now but that's not what I needed. I need to be able to transfer files to/from the ASA and that's still not working. Like I mentioned I have Nexus 9K switch connected to the ASA and I don't have any issue copying file from the switch to the solarwinds tftp server over VPN. So problem is with the ASA thats not allowing tftp traffic to originate from itself and like i mentioned SolarWinds gives a message "dropped because peer didn't respond" meaning the ASA is dropping the return traffic