Default UDP connection time

Thomas P · ‎04-09-2014

Hello,

I have a problem with my ASA 5505, I am not able to transfer files bigger than 100ko using TFTP. Below my archiecture:

CME<->ASA5505<->SW3650

Here is what I get when I try to download a file located on the 3650 on my CME:

CME#copy tftp flash

Address or name of remote host [X.X.X.X]?

Source filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?

Destination filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?

Accessing tftp://X.X.X.X/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar...

Loading cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar from 10.52.199.126 (via GigabitEthernet0/0): !... [timed out]

Error reading tftp://10.52.199.126/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar (Connection timed out)

When I look on the ASA monitoring page, I see that a UDP connection is built between the ASA and the SW3650 but 2 minutes later there are "Teardown UDP connection" messages.

Can you please help me? Due to this transfer issue, I am not able to upgrade my IP Phones (the phones only download the first 2 files because there are smaller than 100ko).

Thank you in advance for your help.

Regards.

Thomas.

Poonam Garg · ‎04-09-2014

Thomas,

Check whether your CME router flash memory have enough space for this file to be copied, or you can try to do ftp transfer if your company policy allow that.

Thomas P · ‎04-09-2014

Hello, thank you for your answer.

I have enough space on my CME to download this file.

FTP transfers don't work. On the ASA monitoring, I see Deny TCP (no connection) when I do FTP transfer.

Poonam Garg · ‎04-09-2014

Default UDP connection time out is 2 minutes through the ASA.

You can modify the timeout values for the specific flow from a particular source to destination . Try changing the default connection timeout of UDP

ASA(config)# access-list CONNS permit udp host  CME ip tftp serverip port

ASA(config)# class-map CONNS

ASA(config-cmap)#match access-list CONNS

ASA(config)# policy-map CONNS

ASA(config-pmap)# class CONNS

ASA(config-pmap-c)# set connection timeout idle 00:30:00

ASA(config)# service-policy CONNS {global | interface interface_name}

you can also globally change the timeout value of UDP using:

ASA(config)# timeout udp 00:30:00

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html#wp1080774

HTH

"Please rate helpful posts"

Marius Gunnerud · ‎04-09-2014

Is port 69 allowed through your ASA? If not then add it in...and ofcourse remove it after the transfer if required

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Thomas P · ‎04-09-2014

Yes, the UDP port is open (UDP transfers work with small file).

Marius Gunnerud · ‎04-09-2014

I see, Which TFTP server are you using? I have heard that there are some TFTP servers which do not support larger files, some that require you to adjust some setting to allow for larger transfers, and so on. I use TFTPD64 which is the 64bit version of TFTPD32, but have not had any issues with transfering large files using that.

Might be worth a try to change the TFTP server you are using to see if that is the cause of your problem.

http://tftpd32.jounin.net/tftpd32_download.html

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Thomas P · ‎04-09-2014

Hello,

I tried to use my core switch as TFTP server and also my PC using TFTP 64.

Same issue on both systems (see file attached for TFTP64).

Thomas P · ‎04-09-2014

Hello,

Why do you want to change the UDP timeout value?

Rudy Sanjoko · ‎04-09-2014

Why do you think the ASA is the one at fault here? Have you tried to connect the switch directly to the CME? Does this work? If this also doesn't solve the issue, have you tried using FTP instead of TFTP?

Problem transfer TFTP through ASA 5505