03-05-2010 09:22 AM - edited 03-11-2019 10:18 AM
Hi everyone
I have a tftp server on my local network and devices based on remote sites. Between the two networks I have a firewall, ASA 7.2(4), routers and an MPLS VPN network. When the devices try to pull the image from the tftp server, the connection times out (on a sniffer I can see packets with error code: unknown transfer ID). I have a tftp inspect rule set up, but it doesn't seem to have solved the problem. Anyone any ideas?
03-05-2010 06:51 PM
Since tftp uses udp it is best effort only. I'd suggest using a PC local to wherever you need it and not let the traffic traverse multiple layer 3 devices which may also be NAT devices. ASA firewall (if address translation happens) may drop these packets if you do not have inspect tftp.
You need to provide static address translation for this tftp server IP address.
- check the syslogs on the ASA
- collect captures on the ASA
- captures on the tftp server itself
- make sure tftp works locally in the segment where tftp server is located.
- make sure tftp works from the host right outside the ASA.
- You just have to go one hop away and keep testing until it fails and determine why it fails.
You can refer to this link for error codes: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080093f14.shtml
-KS
03-08-2010 08:38 AM
Hi
I think I've come to the bottom of this, though I still don't have a solution. Basically what happens is that the TFTP data blocks of packets are big, the client sends another ACK0 with different transfer IDs, unknown to the TFTP server, which triggers a code error 5 and closes the connection.
The packets carry 1496 bytes of data and have to traverse IPsec GRE tunnels before reaching the destination. Any ideas on how I could speed this up?
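An added example, not part of the thread: a small Python check that walks a capture and flags the pattern described above, a client packet arriving from a different source port (transfer ID) than the one used in the request, followed by an ERROR code 5. The addresses, ports, file name and packet list are constructed for illustration, and the check assumes one transfer per client IP as seen from the server side.

```python
import struct

# Opcodes from RFC 1350, plus OACK from RFC 2347 (option negotiation, e.g. blksize)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}

def decode(payload):
    """Return (opcode name, block number or error code) for a TFTP payload."""
    op, = struct.unpack("!H", payload[:2])
    name = OPCODES.get(op, "UNKNOWN")
    if name in ("DATA", "ACK", "ERROR") and len(payload) >= 4:
        return name, struct.unpack("!H", payload[2:4])[0]
    return name, None

def find_tid_problems(packets, server_ip):
    """Flag client packets whose source port (TID) differs from the one used
    in the request, and ERROR code 5 replies. Assumes one transfer per client IP."""
    findings, client_tid = [], {}
    for i, (sip, sport, dip, dport, payload) in enumerate(packets):
        name, value = decode(payload)
        if name in ("RRQ", "WRQ"):
            client_tid[sip] = sport          # TID chosen by the client
        elif dip == server_ip and sip in client_tid and sport != client_tid[sip]:
            findings.append((i, f"{name} {value} from TID {sport}, expected {client_tid[sip]}"))
        elif name == "ERROR" and value == 5:
            findings.append((i, f"ERROR 5 (unknown transfer ID) sent to port {dport}"))
    return findings

# Constructed capture: (src_ip, src_port, dst_ip, dst_port, UDP payload)
SERVER, CLIENT = "192.0.2.5", "198.51.100.10"
SAMPLE = [
    (CLIENT, 50000, SERVER, 69, b"\x00\x01image.bin\x00octet\x00blksize\x001496\x00"),
    (SERVER, 40000, CLIENT, 50000, b"\x00\x06blksize\x001496\x00"),
    (CLIENT, 50000, SERVER, 40000, b"\x00\x04\x00\x00"),
    (SERVER, 40000, CLIENT, 50000, b"\x00\x03\x00\x01" + b"\xaa" * 1496),
    (CLIENT, 50001, SERVER, 40000, b"\x00\x04\x00\x00"),   # ACK 0 from a new TID
    (SERVER, 40000, CLIENT, 50001, b"\x00\x05\x00\x05Unknown transfer ID\x00"),
]

if __name__ == "__main__":
    for index, message in find_tid_problems(SAMPLE, SERVER):
        print(f"packet {index}: {message}")
```

Comparing the flagged packet's source port on both sides of the firewall shows whether the new transfer ID originates at the client or is introduced by a translating device in the path.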