03-04-2013 08:42 AM - edited 07-03-2021 11:39 PM
Hi All
I recently upgraded our PI 1.2.1 to 1.3. It all worked fine, but TFTP no longer worked. It didn't really work in the previous version, but now it didn't work at all. I could neither put nor get a file.
So today I checked out some system settings and finally found the reason within iptables.
Please note, this requires root access to the PI 1.3
Here:
ade # tftp -v -c put /localdisk/defaultRepo/cpi1.domain.com_neu.csr cpi1.domain.com_neu.csr
(to) x.x.x.x
Connected to x.x.x.x (x.x.x.x), port 69
putting /localdisk/defaultRepo/cpi1.domain.com_neu.csr to x.x.x.x:cpi1.domain.com_neu.csr [netascii]
Transfer timed out.
So this is the error message when doing it on the root shell. This error always appeared.
Now disabling iptables and doing it again:
ade # /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
ade #
ade #
ade # tftp -v -c put /localdisk/defaultRepo/cpi1.domain.com_neu.csr cpi1.domain.com_neu.csr
(to) x.x.x.x
Connected to x.x.x.x (x.x.x.x), port 69
putting /localdisk/defaultRepo/cpi1.domain.com_neu.csr to x.x.x.x:cpi1.domain.com_neu.csr [netascii]
Sent 1062 bytes in 0.0 seconds [394426 bit/s]
And bang, it worked on the first try!
And re-enabling iptables:
ade # /etc/init.d/iptables start
Applying iptables firewall rules: [ OK ]
Anybody else also having those problems?
I'm sadly an absolute iptables beginner and don't really know how to troubleshoot this more (even though I expect it to be working from start).
Thanks,
Patrick
03-04-2013 08:52 AM
I have always used FTP to upload a file to PI. Have you looked at this doc?
https://supportforums.cisco.com/docs/DOC-26972
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
03-04-2013 11:39 PM
Thanks for the link. I can't use FTP here, it has to be TFTP.
03-05-2013 04:23 AM
Well, you can always try to patch or upgrade by using a tftp repository. I know it was broken, but I don't remember in what code; still, it's worth trying.
TFTP Repository:
# configure
(config)# repository wcs-tftp-repo
(config-Repository)# url tftp://ip-address
(config-Repository)# exit
(config)# exit
#
Sent from Cisco Technical Support iPhone App
03-05-2013 04:46 AM
Also doesn't help.
But I have now found a working solution. It indeed seems to be a wrongly configured iptables. The issue is with the dynamic high ports of TFTP, which aren't allowed by default by iptables.
Here I found the hint that works: http://nartax.com/2012/04/iptables-rule-for-tftp/
So I logged in as root, edited the config file
vi /etc/sysconfig/iptables-config
And changed
IPTABLES_MODULES=""
to
IPTABLES_MODULES="ip_conntrack_tftp"
After saving it with :wq I restarted iptables and also restarted ncs (this is needed as some iptables rules are loaded when ncs starts and are lost when iptables is restarted!).
I'm checking if I can open a TAC case for this, so it might get fixed in some future version.
Patrick
[edit]
Can't open a TAC, my permission level is not enough
Message was edited by: Patrick Oberli Added comment about TAC
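Why the conntrack helper is needed, as an added example that is not part of this thread: a toy Python model of the appliance's stateful filter (OUTPUT open, INPUT dropping anything not ESTABLISHED or RELATED). Without the TFTP helper, the server's ACK arrives from an ephemeral port and never matches the client's outgoing flow to port 69; with the helper, the WRQ/RRQ creates an expectation for that reply. Addresses and ports are constructed; this is not netfilter code.

```python
import struct

# TFTP opcodes (RFC 1350); packets built below are constructed for the demo
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
TFTP_PORT = 69

def tftp_request(opcode, filename, mode="netascii"):
    """Build an RRQ/WRQ payload: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

class StatefulFilter:
    """Toy model: OUTPUT is open, INPUT drops anything not ESTABLISHED/RELATED."""
    def __init__(self, tftp_helper=False):
        self.tftp_helper = tftp_helper
        self.flows = set()     # (src_ip, sport, dst_ip, dport) seen leaving the host
        self.expected = set()  # (peer_ip, local_ip, local_port); peer port is a wildcard

    def outbound(self, src_ip, sport, dst_ip, dport, payload):
        self.flows.add((src_ip, sport, dst_ip, dport))
        opcode = struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None
        if self.tftp_helper and dport == TFTP_PORT and opcode in (RRQ, WRQ):
            # What ip_conntrack_tftp does: expect the server to answer from a
            # new (ephemeral) port, but only this server and only to this client port.
            self.expected.add((dst_ip, src_ip, sport))

    def inbound(self, src_ip, sport, dst_ip, dport):
        if (dst_ip, dport, src_ip, sport) in self.flows:
            return "ACCEPT"  # ESTABLISHED: exact reverse of a known tuple
        if (src_ip, dst_ip, dport) in self.expected:
            self.expected.discard((src_ip, dst_ip, dport))
            self.flows.add((dst_ip, dport, src_ip, sport))  # tracked as a flow from now on
            return "ACCEPT"  # RELATED: the helper's expectation is consumed
        return "DROP"

def simulate_put(tftp_helper, from_other_host=False):
    """'tftp put' from the appliance; returns verdicts on the server's first two ACKs."""
    client, server, other = "10.0.0.5", "10.0.0.9", "10.0.0.66"  # constructed addresses
    fw = StatefulFilter(tftp_helper)
    fw.outbound(client, 50123, server, TFTP_PORT, tftp_request(WRQ, "cpi1.domain.com_neu.csr"))
    src = other if from_other_host else server
    first = fw.inbound(src, 34567, client, 50123)   # ACK for block 0, from an ephemeral port
    second = fw.inbound(src, 34567, client, 50123)  # next ACK on the same ephemeral port
    return first, second

if __name__ == "__main__":
    print("no helper:", simulate_put(False))      # ('DROP', 'DROP')  -> "Transfer timed out."
    print("helper:", simulate_put(True))          # ('ACCEPT', 'ACCEPT')
    print("unrelated host:", simulate_put(True, from_other_host=True))  # ('DROP', 'DROP')
```

The third case shows why the helper is preferable to simply opening all UDP high ports: only the server the client actually spoke to may reach the client's request port.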
03-05-2013 04:49 AM
Yeah... Well we shall see:). The MSE also has issues with the iptables and I just usually do a flush and restart.
Sent from Cisco Technical Support iPhone App
03-05-2013 04:57 AM
Stop IPTABLES with "service iptables stop"
Edit /etc/sysconfig/iptables-config
Add ip_conntrack_tftp to the IPTABLES_MODULES="" line so it reads IPTABLES_MODULES="ip_conntrack_tftp"
Start IPTABLES with "service iptables start"
03-05-2013 04:59 AM
Please Let me know how it goes.
---------------------------------------------------------------------------------
Make sure to rate correct answers
03-05-2013 05:21 AM
Thanks for your reply. As you can see in my reply just 10 minutes before yours, I came to the same solution.
Could you maybe create a Service Request for this as I don't have the permission?
03-05-2013 05:28 AM
03-05-2013 05:32 AM
Thanks a lot
Seems the bug already existed. I searched for tftp in bug toolkit, but didn't receive a result.
03-05-2013 05:04 AM
So I use FTP, so this doesn't really affect me. What patoberli, I think, was stating is whether this is something Cisco needs to add to the iptables so that it isn't a manual process. Patoberli did find out what needs to be changed, though, but doesn't have a support contract to follow up and have this added.
Sent from Cisco Technical Support iPhone App