TFTP port number not 69

hanwucisco
Level 1

We have a pair of ASAs that are on Zone1 (x.x.33.100), and we have a TFTP server (x.x.223.108) on the Inside Zone. The zones are separated by a Checkpoint FW. When I generate TFTP traffic to copy the running config to the TFTP server from the ASAs, the Checkpoint shows a random port number like 33442 or something, instead of UDP 69.

Can any of you tell me why it is not 69? The configuration on the ASAs regarding this traffic is default.

thanks,

Han

1 Accepted Solution

TFTP uses a dynamic DATA port, similar to FTP. That's what this additional port should be in the Checkpoint log. If that traffic is denied, you have to enable TFTP inspection on the CheckPoint.


Sent from Cisco Technical Support iPad App
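An added example, not from the thread, that models the behaviour described in the accepted solution: RFC 1350 request packets are built and a toy stateful firewall is checked with and without TFTP inspection, so the "new initiation" to a random port becomes visible. The IP addresses and the client port are constructed; the server's data port 33442 is the number from the thread.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 1350 opcodes and the well-known request port
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
TFTP_PORT = 69

def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ wire format: opcode | filename | NUL | mode | NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_opcode(payload: bytes) -> int:
    return struct.unpack("!H", payload[:2])[0]

# Datagram as the firewall sees it: (src_ip, src_port, dst_ip, dst_port, payload)
Datagram = Tuple[str, int, str, int, bytes]

class StatefulFirewall:
    """Toy model (constructed): a rule permits UDP/69 to the TFTP server. With
    tftp_inspection=True the firewall reads the request and opens a pinhole so the
    server's randomly chosen transfer port (TID) may answer the client's port."""
    def __init__(self, server_ip: str, tftp_inspection: bool):
        self.server_ip, self.inspect = server_ip, tftp_inspection
        # pinhole key (client_ip, client_port, server_ip) -> learned server TID
        self.pinholes: Dict[Tuple[str, int, str], Optional[int]] = {}
        self.log: List[str] = []

    def check(self, d: Datagram) -> bool:
        src, sport, dst, dport, payload = d
        if dst == self.server_ip and dport == TFTP_PORT:          # the static rule
            if self.inspect and parse_opcode(payload) in (RRQ, WRQ):
                self.pinholes[(src, sport, dst)] = None             # TID not yet known
            self.log.append(f"accept {src}:{sport} -> {dst}:{dport}")
            return True
        reply = (dst, dport, src)                                   # server -> client
        if reply in self.pinholes and self.pinholes[reply] in (None, sport):
            self.pinholes[reply] = sport                            # learn the server TID
            self.log.append(f"accept pinhole {src}:{sport} -> {dst}:{dport}")
            return True
        fwd = (src, sport, dst)                                     # client -> server TID
        if fwd in self.pinholes and self.pinholes[fwd] == dport:
            self.log.append(f"accept pinhole {src}:{sport} -> {dst}:{dport}")
            return True
        self.log.append(f"drop new-connection {src}:{sport} -> {dst}:{dport}")
        return False

def simulate_put(fw: StatefulFirewall, client_ip: str, server_ip: str,
                 client_tid: int = 50000, server_tid: int = 33442) -> List[bool]:
    """'copy running-config tftp:' as three datagrams: WRQ to 69, ACK 0 from the
    server's TID, then DATA block 1 from the client to that TID."""
    wrq = (client_ip, client_tid, server_ip, TFTP_PORT, build_request(WRQ, "asa-running.cfg"))
    ack0 = (server_ip, server_tid, client_ip, client_tid, struct.pack("!HH", ACK, 0))
    data1 = (client_ip, client_tid, server_ip, server_tid, struct.pack("!HH", DATA, 1) + b"hostname asa\n")
    return [fw.check(p) for p in (wrq, ack0, data1)]
```

Without inspection only the WRQ to port 69 passes and the firewall logs the DATA packet to port 33442 as a new connection; with inspection the pinhole lets the whole transfer through.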



hanwucisco
Level 1

Just add a pic of the traffic on the checkpoint,


Karsten,

Our Checkpoint guy told me that the inspection is enabled and this traffic is a "new initiation", meaning it starts by reaching port 33442 instead of 69.

Any idea?

thanks,

Han

more ideas ...

1) Is there a connection on UDP/69 directly before this UDP/33442 traffic is seen on the Checkpoint?

2) Look at your ASA log to see which traffic relates to your TFTP process to correlate that with the CheckPoint log.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten,

No UDP/69 seen. The ASA logs look strange to me. I don't find any traffic in the log to the destination of the TFTP server, and there are a lot of messages like the following:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.

thanks,

Han

The reason is that someone had a typo on the ACL and we corrected it. As to why this typo can cause that kind of symptom, I haven't got myself to understand it yet.

But thanks,

Han
