TFTP broken in PI 1.x because of iptables

patoberli
VIP Alumni
VIP Alumni

Hi All

I recently upgraded our PI 1.2.1 to 1.3. It all worked fine but I had no more TFTP working. It didn't really work in the previous version, but now it didn't work at all. I could neither put nor get a file.

So today I checked out some system setting and finally found the reason within iptables.

Please note, this requires root access to the PI 1.3

Here:

ade # tftp -v -c put /localdisk/defaultRepo/cpi1.domain.com_neu.csr cpi1.domain.com_neu.csr

(to) x.x.x.x

Connected to x.x.x.x (x.x.x.x), port 69

putting /localdisk/defaultRepo/cpi1.domain.com_neu.csr to x.x.x.x:cpi1.domain.com_neu.csr [netascii]

Transfer timed out.

So this is the error message when doing it on the root shell. This error always appeared.

Now disabling iptables and doing it again:

ade # /etc/init.d/iptables stop

Flushing firewall rules: [  OK  ]

Setting chains to policy ACCEPT: filter [  OK  ]

Unloading iptables modules: [  OK  ]

ade #

ade #

ade # tftp -v -c put /localdisk/defaultRepo/cpi1.domain.com_neu.csr cpi1.domain.com_neu.csr

(to) x.x.x.x

Connected to x.x.x.x (x.x.x.x), port 69

putting /localdisk/defaultRepo/cpi1.domain.com_neu.csr to x.x.x.x:cpi1.domain.com_neu.csr [netascii]

Sent 1062 bytes in 0.0 seconds [394426 bit/s]

And bang, it worked on the first try!

And reenabling iptables:

ade # /etc/init.d/iptables start                                                   

Applying iptables firewall rules: [  OK  ]

Anybody else also having those problems?

I'm sadly an absolute iptables beginner and don't really know how to troubleshoot this more (even though I expect it to be working from start).

Thanks,

Patrick

1 Accepted Solution

11 Replies

Scott Fella
Hall of Fame
Hall of Fame

I have always used FTP to upload a file to PI.  Have you looked at this doc?

https://supportforums.cisco.com/docs/DOC-26972

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Thanks for the link. I can't use FTP here, it has to be TFTP.

Well, you can always try to patch or upgrade by using a TFTP repository. I know it was broken, but I don't remember in which code, but it's worth trying.

TFTP Repository:

# configure
(config)# repository wcs-tftp-repo
(config-Repository)# url tftp://ip-address
(config-Repository)# exit
(config)# exit
#

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Also doesn't help.

But I have now found a working solution. It indeed seems to be a wrongly configured iptables. The issue is with the dynamic high ports of TFTP, which aren't allowed by default on iptables.

Here I found the hint that works: http://nartax.com/2012/04/iptables-rule-for-tftp/

So I logged in as root, edited the config file

vi /etc/sysconfig/iptables-config

And changed

IPTABLES_MODULES=""

to

IPTABLES_MODULES="ip_conntrack_tftp"      

After saving it with :wq I restarted iptables and also restarted ncs (this is needed as some iptables rules are loaded when ncs starts and are lost when iptables is restarted!).

I'm checking if I can open a TAC case for this, so it might get fixed in some future version.

Patrick


[edit]

Can't open a TAC, my permission level is not enough.

Message was edited by: Patrick Oberli (added comment about TAC)

Yeah... Well we shall see:). The MSE also has issues with the iptables and I just usually do a flush and restart.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Stop IPTABLES with "service iptables stop"
Edit /etc/sysconfig/iptables-config
Add ip_conntrack_tftp to IPTABLES_MODULES="" line so it reads
IPTABLES_MODULES="ip_conntrack_tftp"
Start IPTABLES with "service iptables start"

Please Let me know how it goes.

---------------------------------------------------------------------------------

Make sure to rate correct answers
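The two posts above give the fix (load ip_conntrack_tftp) but not the reason it is needed. The following is an added example, not code from this thread or from Cisco Prime Infrastructure: a small Python model of the TFTP exchange on the client side, run through a simulated connection-tracking filter with and without a TFTP helper. Hosts, ports, the file name and the 1062-byte payload are constructed sample values. It shows why the server's reply, which comes from a freshly chosen ephemeral port rather than port 69, is dropped by plain per-flow tracking and accepted once the request to port 69 has registered an expectation, as the conntrack helper does.

```python
"""Model of why plain connection tracking breaks TFTP and what a TFTP
conntrack helper adds. Added example; not code from the thread. All
addresses, ports and payloads are constructed sample values."""
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4


def build_wrq(filename, mode="netascii"):
    """RFC 1350 write request: opcode 2, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def parse_opcode(pkt):
    return struct.unpack("!H", pkt[:2])[0]


class Firewall:
    """Simplified stateful filter on the client host: outbound is always
    allowed, inbound only when it matches a tracked (ip, port, port) flow.
    With tftp_helper=True a RRQ/WRQ sent to port 69 registers an
    expectation so that a reply from *any* server port to the same client
    port is accepted, which is what ip_conntrack_tftp does (hypothetical
    model of that behaviour, not Netfilter code)."""

    def __init__(self, tftp_helper):
        self.tftp_helper = tftp_helper
        self.flows = set()         # (remote_ip, remote_port, local_port)
        self.expectations = set()  # (remote_ip, local_port)
        self.dropped = []

    def outbound(self, pkt, local_port, remote_ip, remote_port):
        self.flows.add((remote_ip, remote_port, local_port))
        if self.tftp_helper and remote_port == TFTP_PORT \
                and parse_opcode(pkt) in (OP_RRQ, OP_WRQ):
            self.expectations.add((remote_ip, local_port))
        return True

    def inbound(self, pkt, remote_ip, remote_port, local_port):
        if (remote_ip, remote_port, local_port) in self.flows:
            return True
        if (remote_ip, local_port) in self.expectations:
            # The helper turns the new source port into a RELATED flow.
            self.expectations.discard((remote_ip, local_port))
            self.flows.add((remote_ip, remote_port, local_port))
            return True
        self.dropped.append((remote_ip, remote_port, local_port))
        return False


def tftp_put(fw, data, client_port=40123, server_ip="192.0.2.10", server_tid=55021):
    """Simulate `tftp put` of `data` through firewall `fw`.
    Returns (success, blocks_acked). server_tid is the ephemeral port the
    server picks as its transfer id after receiving the WRQ."""
    # 1. client -> server:69  WRQ
    fw.outbound(build_wrq("cpi1.example.csr"), client_port, server_ip, TFTP_PORT)
    # 2. server answers ACK 0 from its new transfer id, not from port 69
    if not fw.inbound(build_ack(0), server_ip, server_tid, client_port):
        return False, 0  # client never sees ACK 0 -> "Transfer timed out."
    # 3. 512-byte DATA blocks to the server's TID; a short (or empty)
    #    final block ends the transfer
    blocks = [data[i:i + 512] for i in range(0, len(data), 512)]
    if len(data) % 512 == 0:
        blocks.append(b"")
    acked = 0
    for n, chunk in enumerate(blocks, start=1):
        fw.outbound(build_data(n, chunk), client_port, server_ip, server_tid)
        if not fw.inbound(build_ack(n), server_ip, server_tid, client_port):
            return False, acked
        acked += 1
    return True, acked


if __name__ == "__main__":
    payload = b"x" * 1062  # constructed; same size as the .csr in the thread
    print("without helper:", tftp_put(Firewall(tftp_helper=False), payload))
    print("with helper:   ", tftp_put(Firewall(tftp_helper=True), payload))
```

Without the helper the first inbound packet (ACK 0 from the server's transfer id) is dropped and the client times out exactly as in the original `tftp put` output; with the helper the request to port 69 registers the expectation, the reply is accepted as a related flow, and the three blocks of the 1062-byte file are acknowledged.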

Thanks for your reply. As you can see in my reply just 10 minutes before yours, I came to the same solution.

Could you maybe create a Service Request for this as I don't have the permission?

Thanks a lot

Seems the bug already existed. I searched for tftp in the bug toolkit, but didn't receive a result.

Scott Fella
Hall of Fame
Hall of Fame

So I use FTP, so this doesn't really affect me. What patoberli was stating, I think, is that this is something Cisco needs to add to the iptables so that it isn't a manual process. Patoberli did find out what needs to be changed, though, but doesn't have a support contract to follow up and have this added.

Sent from Cisco Technical Support iPhone App


-Scott
*** Please rate helpful posts ***