
TFTP through Site-site VPN

vipinrajrc
Level 3

Hi experts,

I have a doubt regarding ASA and switch backup. We have a site-to-site VPN to our client. We want to back up the switches and ASA on our client's side. Through the VPN we can back up the configuration of the ASA, but we can't back up the switches' configurations. There are 6 switches; 4 of them are in one network and 2 of them are in another network. We can access these networks through the VPN. A TFTP server is installed on one of our machines. Is there any way to take a backup through the VPN using the TFTP server on our end? Please reply ASAP.

Thanks&Regards

Vipin Raj

Thanks and Regards, Vipin
7 Replies

sean_evershed
Level 7

Do these switches have multiple IP addresses defined on them?

From the TFTP server can you ping the switches?

What error logs do you get on the ASA when you attempt to backup a switch?

Try configuring the ip tftp source-interface command on the switch.

http://www.cisco.com/en/US/docs/ios/12_0/configfun/command/reference/frgenral.html

This address range then needs to be included in the interesting traffic ACL for the VPN tunnel.

Please remember to rate all posts that are helpful.

In reply to sean_evershed:

Hi Sean,

Please see the following

KP-SW003#copy running-config tftp:
Address or name of remote host []? 10.254.254.61
Destination filename [kp-sw003-confg]?
.....
%Error opening tftp://10.254.254.61/kp-sw003-confg (Timed out)
KP-SW003#ping 10.254.254.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.254.61, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But I can ping this switch. Site-to-site VPN is configured between the ASAs.

Thanks&Regards

Vipin Raj


Is 10.254.254.61 on your side of the VPN tunnel?

It looks like there may be a routing issue between the switch and TFTP server since they can't ping each other.

You say that you can ping the switch. Are you on the same subnet as the TFTP server in question?

Please post the logs from the ASA when you try the TFTP command.

In reply to sean_evershed:

Hi Sean,

Yes, 10.254.254.61 is on our side. But I can ping 192.168.0.39, which is the switch's IP address. I think ping is blocked by the ASA. Let me check.

Thanks&Regards

Vipin Raj


Hi

The ASA is blocking the ping from the client's switch to our network. I permitted the ICMP packets for the inside interface on the client's ASA, but it didn't work.

Is there any other method to enable ping?

Thanks&Regards

Vipin Raj


Vipin Raj

There are several things which could cause the problem that you are experiencing. Based on the symptoms that you describe I believe that the most likely cause is in the way that the VPN is set up. In configuring VPN on ASA there is an access list which permits traffic to be sent through the VPN tunnel. My guess is that this access list is not permitting the TFTP traffic from the switches to the server in your network. Can you check the access list (you need to check on both sides of the tunnel since the access list on each side should match the access list of the other side) and verify whether there is a permit for the TFTP traffic from the remote switches to your server?

My second guess at the problem is to ask whether there is an inspect tftp in the policy map configured on the ASA.

HTH

Rick
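
The mirrored-access-list check described in the reply above can be run offline against saved configurations from both ASAs. This is an added example, not part of the original thread: 10.254.254.61 and 192.168.0.39 come from the thread, while the /24 masks, the ACL names and the 192.168.1.0 network are assumptions used as constructed sample input.

```python
import ipaddress
import re

# Parses only "permit ip <net> <mask> <net> <mask>" entries;
# "host", "any" and object-group forms are skipped.
ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(config_text):
    """Return {(source_net, dest_net)} for each parsable permit-ip entry."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE.search(line)
        if not m:
            continue
        try:
            pairs.add((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                       ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        except ValueError:
            continue  # fields were not network/mask pairs (e.g. "host x.x.x.x")
    return pairs

def unmirrored(local_pairs, remote_pairs):
    """Local entries that have no reversed counterpart on the peer."""
    return {(s, d) for (s, d) in local_pairs if (d, s) not in remote_pairs}

def flow_covered(pairs, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)

def check_tunnel(client_cfg, our_cfg, switch_ip, tftp_ip):
    client, ours = parse_crypto_acl(client_cfg), parse_crypto_acl(our_cfg)
    return {
        "client_unmirrored": unmirrored(client, ours),
        "our_unmirrored": unmirrored(ours, client),
        "switch_to_tftp": flow_covered(client, switch_ip, tftp_ip),  # write request
        "tftp_to_switch": flow_covered(ours, tftp_ip, switch_ip),    # server replies
    }

# Constructed sample: our side is missing the mirror for the second switch network.
CLIENT_ASA = """
access-list VPN_TO_HQ extended permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list VPN_TO_HQ extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.0
"""
OUR_ASA = """
access-list VPN_TO_CLIENT extended permit ip 10.254.254.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for sw in ("192.168.0.39", "192.168.1.10"):
        print(sw, check_tunnel(CLIENT_ASA, OUR_ASA, sw, "10.254.254.61"))
```

A non-empty `client_unmirrored` or `our_unmirrored` set points at the entry to add on the opposite peer; a `False` in either direction means that leg of the TFTP exchange is not matched as interesting traffic.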

In reply to rburts:

Hi

I permitted all the traffic from our side to the client, and inspect tftp is also enabled. Still searching for a solution... please help.

Thanks&Regards

Vipin
