Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

IP Phone cannot download required file from TFTP | Analog1.raw] error - Access denied

 
Symptom:
IP Phone cannot download required file from TFTP
 
For example: Ringlist.xml | Analog1.raw | Analog2.raw etc...
 
 
Conditions can be:
  • After the M1 migration with UCMAP, permission for TFTP file has changed
  • Upgraded CUCM Version (Major Upgrade)

 

Workaround:
Has to change the permission manually from the root account
!! Contact Cisco TAC to enable root account to troubleshoot this issue
 
:: Truncated Error Message ::
 
file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
00003420.000 |16:28:23.962 |AppInfo  |CReqContext::validateAccess()[0xf51c4788~270~172.18.14.109~1223] file[/usr/local/cm/tftp/Analog1.raw] error - Access denied
00003424.000 |16:28:44.097 |AppInfo  |CReqContext::validateAccess()[0xf51c5168~271~172.18.14.109~1224] file[/usr/local/cm/tftp/Analog2.raw] error - Access denied
00003426.000 |16:28:54.523 |AppInfo  |CReqContext::validateAccess()[0xf51c5b48~272~172.18.14.109~1225] file[/usr/local/cm/tftp/AreYouThereF.raw] error - Access denied
 
 
How to identify this issue
  • Either collect TFTP Logs from CCM via RTMT or hit file tail command to check this behavior in real time
!! you can refer these 2 URLs to understand the meaning of file tail command:
 
  1. file tail reference guide 1
  2. file tail reference guide 2

 

FYI:
 
!! Collected TFTP traces using CLI in real time
 
 
!! truncated TFTP logs output below
    Line 759: 00000525.000 |11:45:38.203 |AppInfo  |CReqContext::validateAccess()[0xf51249e8~11~172.18.14.109~1046] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 759: 00000525.000 |11:45:38.203 |AppInfo  |CReqContext::validateAccess()[0xf51249e8~11~172.18.14.109~1046] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 1597: 00001138.000 |12:05:21.920 |AppInfo  |CReqContext::validateAccess()[0xf512f1c8~28~172.18.14.109~1101] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 1597: 00001138.000 |12:05:21.920 |AppInfo  |CReqContext::validateAccess()[0xf512f1c8~28~172.18.14.109~1101] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 1604: 00001145.000 |12:07:13.027 |AppInfo  |CReqContext::validateAccess()[0xf512fba8~29~172.18.14.34~1295] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 1604: 00001145.000 |12:07:13.027 |AppInfo  |CReqContext::validateAccess()[0xf512fba8~29~172.18.14.34~1295] file[/usr/local/cm/tftp/Ringlist.xml] error - Access denied
Line 1655: 00001184.000 |12:09:20.191 |AppInfo  |CReqContext::validateAccess()[0xf513a388~46~172.18.14.35~1505] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 1655: 00001184.000 |12:09:20.191 |AppInfo  |CReqContext::validateAccess()[0xf513a388~46~172.18.14.35~1505] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 1676: 00001201.000 |12:10:20.006 |AppInfo  |CReqContext::validateAccess()[0xf5142dc8~60~172.18.14.35~1511] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 1676: 00001201.000 |12:10:20.006 |AppInfo  |CReqContext::validateAccess()[0xf5142dc8~60~172.18.14.35~1511] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 1718: 00001240.000 |12:17:21.004 |AppInfo  |CReqContext::validateAccess()[0xf5145f28~65~172.18.14.35~1520] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 1718: 00001240.000 |12:17:21.004 |AppInfo  |CReqContext::validateAccess()[0xf5145f28~65~172.18.14.35~1520] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 2180: 00001690.000 |13:54:40.749 |AppInfo  |CReqContext::validateAccess()[0xf516e108~130~172.18.14.35~1037] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
Line 2180: 00001690.000 |13:54:40.749 |AppInfo  |CReqContext::validateAccess()[0xf516e108~130~172.18.14.35~1037] file[/usr/local/cm/tftp/Ring6.raw] error - Access denied
 
 
  • It's a defect/Software Bug & here is the Bug ID: CSCui42799
 
 
 
  • Description
 
After the M1 migration with UCMAP, permission for TFTP file has changed at which some files are
Assigned to the incorrect owner and an incorrect group, as shown below:
 
(NON-Working)
Ringlist.xml in your system :
-rwxrwx---. 1 adminsftp download      2657 Apr  2  2008 Ringlist.xml
 
(Working)
Ringlist.xml in our lab :
-rwxrwx--- 1 ctftp    ccmbase            2657 Apr  2  2008 Ringlist.xml
 
  • Permissions are the same, but the owner and the access group are different.
 
  • Accessing the root and modifying the owner has fixed the issue.
 
Hit the following command to correct the ownership | changed the permissions:
 
!! enabled Root Account & then assigned the correct permission to the end files
!! where xxx represents the given permission
 
Chmod xxx /usr/local/cm/tftp/Ringlist.xml
 
Chmod xxx /usr/local/cm/tftp/DistinctiveRingList.xml 
 
Chmod xxx /usr/local/cm/tftp/*.raw
 
 
You may contact me on mogrover@cisco.com for further information on this or contact Cisco TAC
 
Comments
Purple

Hi Mohit,

 

thanks for sharing[+5].

In the last , u have mentioned about changing permissions but we need to change the owner since that gets changed.

regds,

aman

Does this also affect other files on the TFTP server directories?  Things like phone backgrounds?  

Could this problem be fixed by downloading the file, and then re uploading it (overwriting what's there)?

Cisco Employee

Does this also affect other files on the TFTP server directories?  Things like phone backgrounds?  

A: I don't think so & if it does now you know what to do :)


Could this problem be fixed by downloading the file, and then re uploading it (overwriting what's there)?

A: can't simulate this issue again in my lab, anyway feel free to try it out.

Cisco Employee

Hi Aman,

 

either you change the owner or the permissions, both methods should work (recommendation is to change the owner since that gets changed)

 

HTH

We have actually confirmed that it DOES.

 

Be nice if Cisco would just put out a COP that would reset all the permissions and owners in the TFTP directories recursively.  As is, we're wading through the queue with Cisco TAC (this is a production system, and while we could hack it for access, I don't like doing that on production systems).

Cisco Employee

without root access, you can't change the permissions, you have to have TAC on the phone to check the behavior (TFTP Traces) & take appropriate action.

 

if needed TAC can generate root account & troubleshoot it accordingly.

 

Cisco Employee

?? Be nice if Cisco would just put out a COP that would reset all the permissions and owners in the TFTP directories recursively ?

 

Did I mention you go ahead & change the permission right away in your production network, it's a sure thing that I was talking about lab environment & as I have mentioned in my previous comment, only TAC has the privilege to generate root account & make appropriate changes to get the system working.

No, you didn't say anything like that, and I didn't mean to imply that you did if it came across that way.  I'm simply observing and commenting.  We do have a case open and are awaiting a call back from TAC on this now.

 

Thanks for your help.

Cisco Employee

 

no worries, email me the SR number, I will check the case.

>

mogrover@cisco.com

732
Views
5
Helpful
9
Comments