Solved

Problem with two Cisco switches to save the configuration by tftp

Posted on 2014-12-15
Last Modified: 2015-06-09
Hi,
we have a VLAN containing all switch management interfaces. I can save all configurations by TFTP apart from two C2960-12 running IOS 15. All other switches have an IOS 12.2. When connected to these two switches, I can't ping the TFTP server, but I can ping other servers in the same network segment as the TFTP server. I can ping the TFTP server from all other switches. The TFTP server debugging shows no connection from these two switches. A bit odd. Is there a way to debug the path of the TFTP packets through the LAN? They have to pass other switches, as they are cascaded.

Thanks in advance

Olaf
Question by:olaf_joerk
15 Comments
 

Expert Comment

by:Don Johnston
I can't ping the tftp server, but I can ping other servers in the same network segment as the tftp server. I can ping the tftp server from all other switches. The tftp server debugging shows no connection from these two switches.

If you can't ping the TFTP server then there's not going to be any attempt to transfer data, assuming that no ACLs are in place.

So the first task is to determine the connectivity problem.  Is the switch management interface on the same network as the TFTP server?  Or do you have to get routed between the two?

Author Comment

by:olaf_joerk
Hi Don,
the management interfaces are in a 192.168.50.0/24 subnet. The servers are in a 10.91.200.0/22 subnet. The core switch has routing functionality. I can ping servers in the server subnet but not the TFTP server. I also checked the firewall: no difference whether switched on or off. The core switch has no VLAN ACLs.

Thanks for your help.

Olaf

Expert Comment

by:Akinsd
If no ACL is involved, my first thought is physical connection, then ARP cache.

I wouldn't rule out ACL though

When being connected to these two switches, I can't ping the tftp server,

I need more clarity here. Is it the TFTP server that is connected to the switch, or a PC? Please sketch a simple topology diagram and post it.

Expert Comment

by:Don Johnston
There could be an ACL on the core switch.  
There could be a firewall on the server blocking the traffic.

Can the server ping its default gateway?
Can the server ping the core switch SVI on the 192.168.50.0 network?

Author Comment

by:olaf_joerk
Hi,
I attach a diagram to explain in more detail what I mean. My TFTP server can ping everything except Switch202 and 203. TS1 can ping all switches. Both TFTP and TS1 reside on the same ESX host using the same distributed vSwitch. Switch202/203 can't ping TFTP but can ping TS1 and all the switches on the path. Same with the TFTP client. There must be something special about TS1 or about Switch202/203? But what?

Regards

Olaf

Expert Comment

by:Akinsd
Ok
We're getting closer.
I'm suspecting a route issue or connection issue on Switch 201.

Post the result of show ip route on the core switch
you may need to configure single host routes on the core switch or switch 201 for 202 and 203, but let's identify the bottleneck first.
Also, are switches 202 and 203 connected to trunk ports on 201?

On 202 and 203, run both traceroute 10.91.200.2 and traceroute 10.91.200.2

Expert Comment

by:Don Johnston
My tftp server can ping everything except Switch202 and 203. TS1 can ping all switches

This would indicate that traffic can flow from the server network to all switches.

So I'm going with an ACL either on the core switch, switch 201, or the switch between the core and the vSwitch.

Author Comment

by:olaf_joerk
Hi,
that's what I can do from TS1:

C:\Users\TEMP>tracert switch203
Tracing route to switch203.domain [192.168.50.x] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.91.203.254 (that's the core switch)
  2     2 ms     1 ms     1 ms  switch203.domain [192.168.50.x]

Trace complete.

From TFTP it looks like:
C:\Users\administrator.ENAS>tracert switch203
Tracing route to switch203.domain [192.168.50.x] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.91.203.254 (that's the core switch)
  2    *    *     ^C  --> time out

I switched on the ICMP debugging at switch201. But I can see only packets with the switch itself as destination, like:

4005173: Dec 18 13:24:41: ICMP: echo reply sent, src 192.168.91.65, dst 192.168.91.85
:
4005177: Dec 18 13:24:41: ICMP: echo reply sent, src 192.168.91.65, dst 192.168.91.85

There are no ACLs between the VLANs at the core switch and no ACLs on the other switches.

Is it possible to use RSPAN to watch the packet going through the switches?

Thanks
Olaf
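Two things a practitioner would want at this point, given as an added example that is not part of the thread. First, `debug ip icmp` on Switch201 only logs ICMP that the switch's own IP stack sends or receives (the echo replies it generated itself), so transit traffic between Switch203 and the TFTP server will never show up there: it is switched in hardware and bypasses the debug path. Second, the answer to the RSPAN question is yes: mirror the uplink carrying Switch202/203 traffic and read it with Wireshark. The interface names, the session numbers and VLAN 999 below are assumptions; the host addresses come from the thread.

```cisco
! Added example, not from the thread. Interface names (Gi0/1 as the uplink
! toward Switch203, Gi0/12 as a spare port with the capture PC), the session
! numbers and VLAN 999 are assumed.

! --- Local SPAN on Switch201: copy everything on the uplink to the capture port ---
Switch201# configure terminal
Switch201(config)# no monitor session 1
Switch201(config)# monitor session 1 source interface GigabitEthernet0/1 both
Switch201(config)# monitor session 1 destination interface GigabitEthernet0/12
Switch201(config)# end
Switch201# show monitor session 1

! On the capture PC behind Gi0/12, filter to the two hosts of interest, e.g. in
! Wireshark:  ip.addr==192.168.50.x && ip.addr==10.91.200.2
! A request leaving Switch203 with no reply coming back past this point means
! the drop is upstream (core switch or server side); no request at all means
! it never reached Switch201.

! --- RSPAN variant: mirror from Switch201 to a port on the core switch ---
! VLAN 999 must exist as a remote-span VLAN on every switch on the trunk path
! and be allowed on those trunks.
Switch(config)# vlan 999
Switch(config-vlan)# remote-span
Switch(config-vlan)# exit
! On Switch201 (source):
Switch201(config)# monitor session 2 source interface GigabitEthernet0/1 both
Switch201(config)# monitor session 2 destination remote vlan 999
! On the core switch (destination), Gi1/0/24 assumed to hold the capture PC:
Core(config)# monitor session 2 source remote vlan 999
Core(config)# monitor session 2 destination interface GigabitEthernet1/0/24

! Remove the sessions when finished; a SPAN destination port carries nothing
! else while the session is active, and the mirrored traffic includes every
! management session crossing that uplink.
Switch201(config)# no monitor session 1
Switch201(config)# no monitor session 2
```

Keep in mind that the SPAN destination sees the management VLAN in cleartext (Telnet, SNMP, TFTP payloads), so the capture host should be treated as sensitive and the session removed as soon as the drop has been located.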

Expert Comment

by:Akinsd
It looks like ACL but it could still be route related.
I'm suspecting a NULL route issue if it is not ACL or firewall related

How about the route info from the core switch and a traceroute from the switches to the tftp

Post the result of show ip route on the core switch
On 202 and 203, run both traceroute 10.91.200.1 and traceroute 10.91.200.2

Author Comment

by:olaf_joerk
Here it is:

Switch203#traceroute ts1
Translating "ts1"...domain server (10.91.200.10) [OK]
Type escape sequence to abort.
Tracing the route to ts1.domain (10.91.200.1)
VRF info: (vrf in name/id, vrf out name/id)
  1 coreswitch.domain (192.168.50.254) 8 msec 9 msec 0 msec
  2  *  *  *
  3  *

Switch203#ping ts1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Switch203#traceroute tftp
Translating "tftp"...domain server (10.91.200.2) [OK]
Type escape sequence to abort.
Tracing the route to tftp.domain (10.91.200.2)
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *
Switch203#ping tftp
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.200.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Core Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
:
Gateway of last resort is 153.x.x.x to network 0.0.0.0
     153.96.0.0/24 is subnetted, 1 subnets
:
C    192.168.50.0/24 is directly connected, Vlan200
     10.0.0.0/8 is variably subnetted, 16 subnets, 3 masks
:
C       10.91.200.0/22 is directly connected, Vlan208
S*   0.0.0.0/0 [1/0] via 153.x.x.x

To be honest, it makes no sense to me ... A bit too odd.

Expert Comment

by:Don Johnston
Behaves just like it would if there was an ACL somewhere in between.

The core switch only has two routes??? How is your default route working if you don't have a connection to the 153.x.x.x?

Author Comment

by:olaf_joerk
I shortened the output of the routing table. I left the routes to the considered networks and the default route. The default route points to a perimeter router/firewall. If this connection is down, we have no internet access but the internal networks are still reachable.

Is there a way to debug the ping or TFTP packets on their way across the network? We are using Cisco IOS switches. One should be able to see on which switch the packets are blocked, shouldn't one?

Expert Comment

by:Akinsd
A packet capture like Wireshark may be helpful.

The routes seem okay, meaning there is some filtering happening somewhere.
If possible, swap the cable connections between the TFTP servers (either on the switch or the NIC if the servers are close to each other). Let's see if the problem travels with the connection.

Accepted Solution

by:Netman66 (earned 500 total points)
Your ip default-gateway for switch 202 and 203 is wrong. It should be your management network gateway.
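How to verify and correct that on a Layer-2 Catalyst, as an added example that is not part of the thread. On a 2960 with `ip routing` off, any packet for another subnet is handed to the `ip default-gateway` host; if that points at the wrong host, cross-subnet traffic goes there instead of to the core switch, and whether a given destination still answers depends entirely on what that host does with the packets. The management SVI (192.168.50.254) and the TFTP address (10.91.200.2) come from the thread's own traceroute and ping output; the current wrong gateway value and the file name are assumed.

```cisco
! Added example, not from the thread. 192.168.50.1 as the existing (wrong)
! gateway and the file name switch203-confg are assumed.

! 1. Check what the switch is actually using.
Switch203# show running-config | include ip default-gateway|ip routing
ip default-gateway 192.168.50.1
Switch203# show ip route
Default gateway is 192.168.50.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

! 2. Point it at the management VLAN SVI of the core switch (hop 1 in the
!    working traceroute to TS1).
Switch203# configure terminal
Switch203(config)# ip default-gateway 192.168.50.254
Switch203(config)# end

! 3. Confirm the gateway, that it resolves in ARP, and that the server answers.
Switch203# show ip route
Default gateway is 192.168.50.254
Switch203# show ip arp 192.168.50.254
Switch203# ping 10.91.200.2
Switch203# traceroute 10.91.200.2

! 4. Save the configuration off-box, then persist the change locally.
Switch203# copy running-config tftp://10.91.200.2/switch203-confg
Switch203# write memory
```

Repeat on Switch202. One caveat worth stating even though the thread does not: TFTP is unauthenticated and unencrypted, and a running-config carries SNMP communities and type 7 passwords, so keep the management VLAN isolated from user segments and, where the server supports SSH, prefer `copy running-config scp://user@10.91.200.2/switch203-confg` over TFTP.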
