TFTP problem via ASA 7.2(4)

london.ism · ‎03-05-2010

Hi everyone

I have a tftp server on my local network and devices based on remote sites. Between the two networks I have a firewall, ASA 7.2(4), routers and a MPLS VPN network. When the devices try to pull the image from the tftp server, the connection times out (on a sniffer I can see packets with error code: unkown transfer ID). I have tftp inspect rule set up, but doesn't seem to have solved the problem. Anyone any ideas?

Kureli Sankar · ‎03-05-2010

Since tftp uses udp it is best effort only. I'd suggest using a PC local to where ever you need it and not let the traffic traverse multiple layer 3 devices which may also be NAT devices. ASA firewall (if address translation happens) may drop these packets if you do not have inspect tftp.

You need to provide static address translation for this tftp server IP address.

- check the syslogs on the ASA

- collect captures on the ASA

- captues on the tftp server itself

- make sure tftp works locally in the segment where tftp server is located.

- make sure tftp works from the host right outside the ASA.

- You just have to go one hop away and keep testing until it fails and determine why it fails.

You can refer this link for error codes: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080093f14.shtml

-KS

london.ism · ‎03-08-2010

Hi

I think I've come to the bottom of this, though I still don't have a solution. Basically what happens is that the TFTP data blocks of packets are big, the client sends another ACK0 with different transfer ids, unknown to the TFTP server which triggers a code error 5 and closes the connection.

The packets carry 1496 bytes of data and have to traverse IPsec GRE tunnels before reaching the destination. Any ideas on how I could speed this up?