cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14314
Views
0
Helpful
8
Replies

TFTP not working

ankurbhasin
Level 9
Level 9

Hi Experts,

From my server I am not able to take the config backup of few switches.

Even when I go to the switch and give a copy config tftp all command it starts but then end giving an error message as follows

No response from host.

TFTP connection fail(-1).

file tftp:<configbackup> cannot be opened for write (TFTP write error)

Cannot write buffer to file

Cannot copy from config: to tftp:<configbackup>

Can anybody explain me this error message?

Just to confirm I am able to ping and trace my server from the switch also from the switch I am able to ping and trace my server.

Switch is behind the firewall where nat is working. But I have checked the firewall and port 69 is open. ALso when I do check the logs on the firewall i see request for port 69 coming and passing by so firewall is not an issue.

Please somebody look at the error message and help me finding out what the issue is.

Regards,

Ankur

1 Accepted Solution

Accepted Solutions

Hi Ankur

I thing we are talking about TFTP not FTP, as TFTP is UDP based, FTP TCP. Both are a bit troublesome trough firewalls. TFTP works like that, the first packet from the Client to the server (in your case from a switch to the tftp server) has a source port greater then 1023 (>1023) and a destination port of 69. The subsequent packets, also the ones coming from the tftp server back to the switch, will use a source port > 1023, and also a destinaton port >1023. So you have to open from the switch to the server a big range of port, namely >1023 to 69 plus >1023 to >1023 from switch to server plus >1023 to >1023 from server to switch. Quite a hole in your firewall, thats way it's not recommendet to use tftp over firewalls. On most switches you can also save your config via FTP.

Simon

View solution in original post

8 Replies 8

simonstoll
Level 1
Level 1

i think the problem lies within the filtering of the tftp protocol on your firewall. It's not enough to just open udp port 69. This port is just used on the first packet from the client to the server, after that they use source and destination ports > 1023. NAT should work with TFTP, as it doesn't use any embedded IP's. So actualy it's a nightmare to filter tftp over a firewall. The conclusion, if possible don't do it!!!

Hi Simon,

Thanks for your reply!!

I checked my firewall and see that from the source to my server FTP is allowed and you said noyt only UDP 69 playes a role also check for port 1023. If the request is coming with this port number I will see traffic drops at my firewall right? which I do not see. I do not see any traffic from port 1023 coming on my firewall even. Rest my firewall is allowing UDP 69 and is accepting and passing the traffic.

Any other help will be appreciated.

Regards,

Ankur

Hi Ankur

I thing we are talking about TFTP not FTP, as TFTP is UDP based, FTP TCP. Both are a bit troublesome trough firewalls. TFTP works like that, the first packet from the Client to the server (in your case from a switch to the tftp server) has a source port greater then 1023 (>1023) and a destination port of 69. The subsequent packets, also the ones coming from the tftp server back to the switch, will use a source port > 1023, and also a destinaton port >1023. So you have to open from the switch to the server a big range of port, namely >1023 to 69 plus >1023 to >1023 from switch to server plus >1023 to >1023 from server to switch. Quite a hole in your firewall, thats way it's not recommendet to use tftp over firewalls. On most switches you can also save your config via FTP.

Simon

Hi Simpson,

Appreciate your help!!

I am sorry for writing FTP on my last post it is tftp. Second imp thing which I will like to discuss is when I check logs on my firewall it never show me any request coming or going with port number 1023. Because only UDP port number 69 is open for source to destination if at all subsequent request is coming from port>1023 it should be dropped by the firewall and I should see that in logs right?

Pleae correct me if I am wrong. I see firewall passing port 69 traffic and then I do not see any request coming from any other port but still as you have updated I will check again once I am in office tomorrow.

Also can you explain again what all ports i need to open in my firewall when i go from switch to server and when i go from server to switch?

Please keep replying and help me solving this issue.

Regards,

Ankur

Hi Ankur

Well, yes you should see some denys in your firewall log. Do you just log the packets from outside to inside or also from inside to outside. Because just the first packet from outside to inside is >1023 to 69, then the reply is already >1023 to >1023 from the inside to the outside. After that there are packets from outside to inside and from inside to outside both source and destination >1023. Maybe you sould check with a packetanalyzer like ethereal (www.ethereal.com) if you have tftp packets passing trough the firewall.

Simon

Hi,

I use Whitehorn tftp (www.pegsol.com) for my tftp server. It is free so you might want to try it and see if you are getting the packets.

Hope this will be helpful.

Iqbal

Iqbal,

Its not a problem with TFTP server. Its the problem when Ankur tries to TFTP from the switch which is behind the firewall and that's where the problem lies.

Hi Simon,

Thanks for your help and it resolved my issue and the problem was with the checkpoint firewall ng version on which sepcial service was created to block replies on other port then udp 69. First packet came with port 69 but rest I see in debugs coming from random port 55765,55258 amd 51016.

Default behaviour of checkpoint version 4.1 is if we enable service tftp it sllows all ports related to tftp but in checkpoint ng version there is a checkbox which I need to check saying allow replied on other ports for tftp service.

Thanks for your help and letting me concentrate to find other port numbers for tftp.

Regards,

Ankur