Elemental12
tftp fails from Cisco ASA to Red Hat Linux Server

Hi,

I have a Cisco ASA 5520 running 8.4(2). I am trying to tftp the running config to a RHEL server. The tftp software is up and running, as another ASA can send its config right to it. SELinux is not on, nor is iptables. I have checked the permissions, and they are set to 777 on the directory as well as the file. The file exists as I touched it first. The ASA can ping the RHEL server, and the RHEL server can ping the ASA. I checked the intermediary firewall between the boxes, and I see no failures at all. Any ideas?

Thanks in advance
John Meggers

What message are you getting?  I would have guessed permissions but you've already checked that.
shukalo83
Ping is a different thing from tftp, so double-check the firewall rules.

Also check /etc/hosts.allow, because it is xinetd and it is ancient. :)
Elemental12 (ASKER)

The error is

Error writing tftp://IPADDRESS/FILENAME;int=private (Timed out attempting to connect).

Pinging works in both directions.  Hosts.allow file is empty, it does not have the ASA that is not working, nor does it have the ASA that is working.

This server has a NATed IP address of an old server that used to work fine with TFTP. So there should not be any firewall rules to change, because this new server, in essence, has the NAT IP of the old server.

I.e., the original server was 1.1.1.1 and the new server is 1.1.1.2. So we NATed it so that anything out of 1.1.1.2 looks like 1.1.1.1, and anything to 1.1.1.1 is sent to 1.1.1.2.

Thanks
OK. If the server is OK and we assume it is because other ASAs work, that still leaves us with a few places where things might have gone wrong.

Now, I suspect that NAT. On what kind of device was it configured?
Check this if it is an ASA or PIX: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml#maintask2

Also please check this http://www.winagents.com/en/solutions/tftp-over-firewall.php

Probably the ASAs that do work do not pass through some firewall or NAT.

Also, try issuing inspect tftp on every relevant Cisco device.
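The post above turns on how TFTP behaves through a stateful firewall or NAT device: the write request goes to udp/69, but the server answers from a freshly chosen port (its transfer ID), so a device that only tracks the original flow sees that reply as unrelated traffic and drops it unless it parses TFTP (inspect tftp on an ASA, the TFTP protocol helper on other firewalls). Ping keeps working because the echo reply matches the flow the echo request created. The Python simulation below is an added example, not code from the original thread or from any Cisco or Check Point product; the IP addresses, ports, file name and the firewall model are constructed assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses and ports for the simulation (not from the thread).
ASA_IP, SERVER_IP = "10.0.0.10", "10.0.0.20"
TFTP_PORT = 69
OP_WRQ, OP_DATA, OP_ACK = 2, 3, 4


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 write request: opcode 2, filename NUL, mode NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def opcode(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[:2])[0]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class StatefulFirewall:
    """Toy model of a stateful UDP firewall sitting between ASA and server.

    Policy: permit ASA -> SERVER udp/69.  A packet passes only if it
    reverse-matches a tracked flow, or hits a pinhole that the TFTP
    inspection engine opened for the server's data channel
    (server:any -> client:TID).
    """

    def __init__(self, tftp_inspect: bool) -> None:
        self.tftp_inspect = tftp_inspect
        self.flows: Set[Tuple[str, int, str, int]] = set()
        self.pinholes: Set[Tuple[str, str, int]] = set()

    def forward(self, p: Packet) -> bool:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return True                      # reply to a tracked flow
        if (p.src_ip, p.dst_ip, p.dst_port) in self.pinholes:
            self.flows.add(key)              # server's fresh TID -> client
            return True
        if p.src_ip == ASA_IP and p.dst_ip == SERVER_IP and p.dst_port == TFTP_PORT:
            self.flows.add(key)
            if self.tftp_inspect and opcode(p.payload) == OP_WRQ:
                # Inspection parses the WRQ and pre-authorises the server's
                # reply from a not-yet-known source port to the client's TID.
                self.pinholes.add((p.dst_ip, p.src_ip, p.src_port))
            return True
        return False


def simulate_config_upload(tftp_inspect: bool) -> Tuple[bool, List[str]]:
    """Push one config file through the firewall; return (success, trail)."""
    fw = StatefulFirewall(tftp_inspect)
    asa_tid, server_tid = 40001, 50001       # constructed ephemeral ports
    trail: List[str] = []

    wrq = Packet(ASA_IP, asa_tid, SERVER_IP, TFTP_PORT, build_wrq("asa-running.cfg"))
    trail.append("WRQ to udp/69: " + ("pass" if fw.forward(wrq) else "drop"))

    # The server answers from a new port (its TID), never from 69.
    ack0 = Packet(SERVER_IP, server_tid, ASA_IP, asa_tid, build_ack(0))
    if not fw.forward(ack0):
        trail.append("ACK 0 from server port %d: drop, no matching flow; "
                     "the client retransmits and finally reports a timeout" % server_tid)
        return False, trail
    trail.append("ACK 0 from server port %d: pass" % server_tid)

    data1 = Packet(ASA_IP, asa_tid, SERVER_IP, server_tid, build_data(1, b"hostname asa\n"))
    trail.append("DATA 1 to server port %d: " % server_tid
                 + ("pass" if fw.forward(data1) else "drop"))
    ack1 = Packet(SERVER_IP, server_tid, ASA_IP, asa_tid, build_ack(1))
    trail.append("ACK 1: " + ("pass" if fw.forward(ack1) else "drop"))
    return True, trail


if __name__ == "__main__":
    for inspect in (False, True):
        ok, trail = simulate_config_upload(inspect)
        print("tftp inspection %s -> %s" % ("on" if inspect else "off", "OK" if ok else "FAIL"))
        for step in trail:
            print("  " + step)
```

Run without inspection the trail stops at the dropped ACK 0, which is exactly the client-side symptom of a connect timeout even though the request itself was permitted; with inspection on, the pinhole admits the server's reply and the transfer completes. A NAT in the path makes the same point sharper, because the translated reply also has to be mapped back to the client's original port.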
The old server was a physical RHEL box. The new one is a RHEL VM. The ASA does not do the NATing. I have a Checkpoint firewall that is the default gateway for the ASA as well as the RHEL machines, and it is the one doing the NATing.

I will take a look at your two URLs, but if anyone else has ideas, please let me know...
Do you have any logs in Checkpoint SmartView Tracker? Try to have one exact rule for tftp and log it.
Use Tracker to find the log and to see whether there are any problems. Do the other ASAs (that do work) go through the Checkpoint?
Yup, they all go through the Checkpoint. I log all failures, and I am seeing nothing show up in the tracker when I attempt the TFTP. The weird thing is, I get like 5 !!!!!! before it says timed out.
I don't get this "I log all failures". Where do you log failures?

If there is a log rule you will see it. So try to make one. Be careful not to put your new rule somewhere behind some other rule that is not logged. So make the rule like this and put it somewhere high enough in the Checkpoint rule stack.

source: ASA; destination: internal address of the tftp server (the object's real address); action: accept and log.
On the checkpoint firewall, you can choose to log accepts and denies or not to log them.  I log all failures, so if you do not see an entry in the tracker, that means it passed.  

I am not seeing any failures in the firewall meaning that traffic is traversing the firewall without being blocked/denied.
ASKER CERTIFIED SOLUTION (shukalo83; the solution text is available to Experts Exchange members only)
You are correct that it could also mean that the traffic is not getting to the firewall in the first place, except that ping is working, which would make me think that the route is OK. Going to work on making a rule for this.
SOLUTION (text available to Experts Exchange members only)
It seems to me that my answer was correct so ...

At least helpful ;)
We lost a good deal of time establishing this fact. I would like elemental12 to reconsider giving me a few points for this.
I was suspecting this kind of problem and was going towards a solution, so...