ASA's have tftp server command, but not to CW

Mar 4th, 2009

LMS 2.6 / RME 4.0.6

We have a number of ASA's which have a tftp-server statement that points to an old tftp server. This blocks CW (at a different IP) from getting the config.

I've been asked about exactly how the configuration collection process works and haven't had much luck searching to find a process flow.

I guess what would help would be a breakdown of how CW will collect a config if:

1) The only protocol configured is tftp

2) If Telnet, ssh, and tftp protocols are enabled. (which is how we are currently set up)

Does RME send a "wr net" via snmp if it can't login? If SSH and telnet are the first protocols listed and they fail, will it still try to do a tftp only configuration collection?

If anyone knows of any in-depth URLs on that, it would really help.


Joe Clarke Wed, 03/04/2009 - 11:34

1. This will not work as TFTP requires the ability to do an SNMP SET. SNMP read-write operations are not supported on the ASA, PIX, or FWSM.

2. If telnet or SSH are used then RME will perform a "show running-config" or "show startup-config" and scrape the data from the socket. TFTP will not be used at all.

RME will not use TFTP to get the config from ASA devices.

philip.r.hayes Wed, 03/04/2009 - 14:06

Thanks, that makes sense.

The description of the problem as shown in the "Failed" configuration collection list shows:

"Could not detect protocols running on the device TELNET: Failed to establish TELNET connection to - Cause: connect timed out."

So, maybe my question should be why I don't see that RME tried SSH. SSH is allowed and is at the top of the list for "transport protocol" under "Archive Mgmt".

Is this a bug? It seems to be trying telnet first (it's 2nd on the list) and then stopping any further attempts.

Joe Clarke Wed, 03/04/2009 - 15:07

The SSH error is the first error. More specific details as to why the SSH protocols could not be detected will be in the dcmaservice.log if ArchiveMgmt Service debugging is enabled.

