- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: TFTP Not Working W CBAC for some reason posted 11/08/2008
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

HI Jason,
I have not try CBAC with TFTP.
However pls be aware that TFTP is not only using UDP 69. UDP destination port
69 is only used in the first packets for clients to communicate with the TFTP
server. The server use random ports in the range > 1024 to communicate back to
Clients (also random port). So basically, if you use normal ACL to allow TFTP
traffic, you need to specify UDP port 69, and all UDP ports above 1024.
You can try "debug ip packet detail" and verify what ports are used by TFTP!
I am not sure if CBAC is intellegent enough to be able to detect that random
ports as belong to TFTP application. I doubt that. Maybe that's the reason for
the problem that you encountered.

--- On Sun, 11/9/08, Jason Madsen <madsen.jason@xxxxxxxxx> wrote:

From: Jason Madsen <madsen.jason@xxxxxxxxx>
Subject: TFTP Not Working W CBAC for some reason
To: "Cisco certification" <ccielab@xxxxxxxxxxxxxx>
Date: Sunday, November 9, 2008, 9:29 AM

Hello All,

...quick question.  There are quite a lot of CBAC options available to use,
but overall it's a pretty straightforward least that's
I've always thought and experienced until now.  For whatever reason(s) CBAC
doesn't seem to be allowing me to tftp.  Here's the basic config' I


tftp-server flash:test.txt

int f0/0
desc link to R0
ip add


int f0/0
desc link to R1
ip add
ip access-group 100 in
ip inspect TEST out

access-list 100 deny ip any any

ip inspect name TEST tcp router-traffic
ip inspect name TEST telnet
ip inspect name TEST tftp
ip inspect name TEST udp router-traffic
ip inspect name TEST icmp router-traffic

I am successfully able to telnet and ping to R1, but I can't get a file via
tftp.  i'm able to get a file via tftp just fine when ACL 100 is removed,
but I can't seem to get CBAC make an opening for it.  I do know that tftp
uses UDP (port 69) and i am using dynamips.  do you think it's possible
dynamips is too slow for CBAC to work with its default timers and such?
doesn't seem like it has anything to do with it to me...without ACL 100
applied, the file seems to transfer across very quickly.

debug ip inspect detail output when trying to tftp:

R0(config)#do copy tftp flash
Address or name of remote host []?
Source filename [test.txt]?
Destination filename [test.txt]?
Accessing tftp://
*Mar  1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0,
.1.1.1, src_port:55559, dst_tableid:0, dst_addr:, dst_port:69
%Error opening tftp:// (Timed out)

Here's an attempt with ACL 100 removed to validate tftp functionality:

R0(config-if)#do copy tftp flash
Address or name of remote host []?
Source filename [test.txt]?
Destination filename [test.txt]?
Accessing tftp://
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
Erase of flash: complete
Loading test.txt from (via FastEthernet0/0): !
[OK - 1670 bytes]

Verifying checksum...  OK (0x535)
1670 bytes copied in 1.356 secs (1232 bytes/sec)

any ideas?


Blogs and organic groups at

Subscription information may be found at: