TFTP from Pix problem

Hello,

After the upgrade of our PIX515 to version 7.0.1(2) I am no longer able to do a "write net" to our tftp-server. The strange thing is this:

- from a similar pix (again 515, same software version) the tftp transfer is no problem.

- from the pix in question to a different tftp server the transfer is working all right.

- both pixen are able to ping to both tftp servers.

- the tftp file is created but then the pix reports a timeout (after quite some time).

- this problem pix is the only one having trouble with this tftp server.

- there is nothing rejected in the log.

The IP address of the main TFTP-server and the second one are in the same subnet and differ only in one bit. The IP address of the problem pix is in a different net. The same is true for the similar pix but this net is different from the one of the problem pix. Connection between the networks is done by a router. The relevant part of the config is this:

PIX Version 7.0(1)2
no names
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
access-list 100 extended permit ip any any
monitor-interface inside
asdm history enable
arp timeout 1800
nat-control
nat (inside) 1 10.1.0.0 255.255.0.0
static (inside,outside) 192.129.30.0 192.129.30.0 netmask 255.255.255.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
route inside 192.129.30.0 255.255.255.0 10.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
telnet 10.1.0.0 255.255.0.0 inside
telnet 192.129.30.0 255.255.255.0 inside
telnet timeout 30
ssh 192.129.30.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect sip
  inspect xdmcp
  inspect tftp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
tftp-server inside 192.129.30.3 pix.config
: end

So what could be wrong here?

Regards, Christoph Gartmann


[...]

Solved the problem. It was not related to the Pix but to the TFTP server. The latter had two IP addresses, the one used by the Pix and one in the same IP net as the Pix. So the TFTP server sent the acknowledgements with its secondary address :-(

Regards, Christoph Gartmann
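
The cause described in the post above, TFTP acknowledgements leaving a multi-homed server from its secondary address, can be confirmed from a packet capture. The following is an added example, not part of the original thread: it parses TFTP opcodes (RFC 1350) and flags replies whose source address differs from the address the client wrote to. The capture is constructed; the secondary address 10.1.1.50, the second client 10.2.1.1 and all port numbers are assumptions.

```python
import struct
from collections import namedtuple

# One captured UDP datagram: addresses, ports and the raw TFTP payload.
Datagram = namedtuple("Datagram", "src sport dst dport payload")
TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}  # RFC 1350

def opcode(payload):
    """Return the TFTP opcode name from the first two bytes, or None."""
    if len(payload) < 2:
        return None
    return OPCODES.get(struct.unpack("!H", payload[:2])[0])

def wrong_source_replies(datagrams):
    """List replies sent to a TFTP client's port from an address other than
    the one the client sent its request to."""
    pending = {}   # (client ip, client port) -> server address the client used
    findings = []
    for d in datagrams:
        op = opcode(d.payload)
        if d.dport == TFTP_PORT and op in ("RRQ", "WRQ"):
            pending[(d.src, d.sport)] = d.dst
            continue
        expected = pending.get((d.dst, d.dport))
        if expected and op in ("DATA", "ACK", "ERROR") and d.src != expected:
            findings.append((d.dst, expected, d.src, op))
    return findings

WRQ = b"\x00\x02pix.config\x00octet\x00"
ACK0 = b"\x00\x04\x00\x00"
ACK1 = b"\x00\x04\x00\x01"
DATA1 = b"\x00\x03\x00\x01" + b"x" * 16  # short final block
# Constructed capture. 10.1.1.1 and 192.129.30.3 are from the post; the
# secondary server address 10.1.1.50 and the second client are assumed.
CAPTURE = [
    Datagram("10.1.1.1", 1025, "192.129.30.3", 69, WRQ),
    Datagram("10.1.1.50", 3001, "10.1.1.1", 1025, ACK0),     # wrong source
    Datagram("10.1.1.1", 1025, "192.129.30.3", 69, WRQ),     # retransmit
    Datagram("10.1.1.50", 3001, "10.1.1.1", 1025, ACK0),     # wrong source
    Datagram("10.2.1.1", 1030, "192.129.30.3", 69, WRQ),
    Datagram("192.129.30.3", 3002, "10.2.1.1", 1030, ACK0),  # healthy
    Datagram("10.2.1.1", 1030, "192.129.30.3", 3002, DATA1),
    Datagram("192.129.30.3", 3002, "10.2.1.1", 1030, ACK1),
]

if __name__ == "__main__":
    for client, expected, seen, op in wrong_source_replies(CAPTURE):
        print(f"{client}: {op} from {seen}, expected {expected}")
```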
