I have a tftp server on my local network and devices based on remote sites. Between the two networks I have a firewall, ASA 7.2(4), routers and an MPLS VPN network. When the devices try to pull the image from the tftp server, the connection times out (on a sniffer I can see packets with error code: unknown transfer ID). I have tftp inspect rule set up, but it doesn't seem to have solved the problem. Anyone any ideas?
Since tftp uses udp it is best effort only. I'd suggest using a PC local to wherever you need it and not let the traffic traverse multiple layer 3 devices which may also be NAT devices. ASA firewall (if address translation happens) may drop these packets if you do not have inspect tftp.
You need to provide static address translation for this tftp server IP address.
- check the syslogs on the ASA
- collect captures on the ASA
- captures on the tftp server itself
- make sure tftp works locally in the segment where tftp server is located.
- make sure tftp works from the host right outside the ASA.
- You just have to go one hop away and keep testing until it fails and determine why it fails.
I think I've come to the bottom of this, though I still don't have a solution. Basically what happens is that the TFTP data blocks of packets are big, the client sends another ACK0 with different transfer ids, unknown to the TFTP server which triggers a code error 5 and closes the connection.
The packets carry 1496 bytes of data and have to traverse IPsec GRE tunnels before reaching the destination. Any ideas on how I could speed this up?
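The failure pattern described in this thread (DATA blocks larger than the default, a second ACK 0 arriving from a different transfer ID, then error code 5) can be checked over UDP payloads exported from a capture. This is an added example, not part of the original thread; the addresses, ports and packets are constructed, and `parse_tftp` and `find_tid_problems` are hypothetical helper names.

```python
import struct
from collections import defaultdict

# TFTP opcodes (RFC 1350; OACK from RFC 2347)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
ERR_UNKNOWN_TID = 5  # error code 5 = "Unknown transfer ID"

def parse_tftp(payload):
    """Return (opcode_name, block_or_error_code, data_len) or None."""
    if len(payload) < 4:
        return None
    opcode, value = struct.unpack("!HH", payload[:4])
    name = OPCODES.get(opcode)
    if name in ("DATA", "ACK", "ERROR"):
        return name, value, (len(payload) - 4 if name == "DATA" else 0)
    return (name, None, 0) if name else None

def find_tid_problems(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload)."""
    ack0_ports = defaultdict(set)  # (client, server, server TID) -> client TIDs seen
    findings = []
    for src_ip, sport, dst_ip, dport, payload in packets:
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        name, value, data_len = parsed
        if name == "ACK" and value == 0:
            ports = ack0_ports[(src_ip, dst_ip, dport)]
            ports.add(sport)
            if len(ports) > 1:  # same client, new source port: a new transfer ID
                findings.append(("ack0_new_tid", src_ip, sorted(ports)))
        elif name == "ERROR" and value == ERR_UNKNOWN_TID:
            findings.append(("unknown_tid_error", src_ip, [sport]))
        elif name == "DATA" and data_len > 512:  # above the RFC 1350 default block
            findings.append(("large_block", src_ip, [data_len]))
    return findings

# Constructed sample packets (documentation addresses, made-up ports).
C, S = "198.51.100.10", "192.0.2.5"
SAMPLE = [
    (C, 50000, S, 69, b"\x00\x01image.bin\x00octet\x00blksize\x001496\x00"),
    (S, 40000, C, 50000, b"\x00\x06blksize\x001496\x00"),
    (C, 50000, S, 40000, b"\x00\x04\x00\x00"),
    (S, 40000, C, 50000, b"\x00\x03\x00\x01" + bytes(1496)),
    (C, 50001, S, 40000, b"\x00\x04\x00\x00"),
    (S, 40000, C, 50001, b"\x00\x05\x00\x05Unknown transfer ID\x00"),
]
if __name__ == "__main__":
    print(*find_tid_problems(SAMPLE), sep="\n")
```

Running the same check on captures taken on each side of the firewall shows at which hop the client's source port changes.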