waymorrwaymorr Member Posts: 29 ■□□□□□□□□□
Hi I just started a new job a while ago and discoverd that none of the switches had their running config's saved. There are about 20 switches and I have managed to telnet and copy the running config's of about 15 of them to the TFTP server. The problem I am having is that on the remaining switches I am getting the following message:

error code 2 Access denied.

Now I can ping the TFTP server from the switches and I know the TFTP server is set up correct as all the other switches have worked OK!

I compared the running config of a switch that worked to one that doesn't and I can't see any difference between the two.

All the switches are 2950's and running the same IOS version

If anybody has any ideas it would be much appreciated!


  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    TFTP doesn't support authentication so it's more than likely an end-client issue. Have you double-checked that you have write access to the TFTP server still? are you over-writing existing files with the same filename?

    this is taken from the TFTP manpages included in Solaris Unix:
    Because there is no user-login or validation within the TFTP
    protocol, the remote site will probably have some sort of
    file-access restrictions in place. The exact methods are
    specific to each site and therefore dif ficult to document here.
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
  • APAAPA Member Posts: 959
    I know with certain tftp programs you have the ability to filter out specific address ranges, maybe that's what you're experiencing?

    Are the switches that are getting the access error on a different subnet by any chance? :)

    I really need a keyboard for my ps3, this is the first message I've typed via it.....................painful is a major understatement!!!!!!!!!!! :D

    CCNA | CCNA:Security | CCNP | CCIP
  • waymorrwaymorr Member Posts: 29 ■□□□□□□□□□
    Hi thanks for the quick replies I have checked that I still have write acccess to the server and I am not trying to write over an existing file.
    Also all the switches are in the same vlan
    This has really got me stumped I know I can console into them and capture the run config but I would like to figure out why it doesn't work with these 5 switches.
  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    Perhaps they have permission levels established on the router and the profile you're accessing the router from disallows TFTP? It's a stretch but that's a possibility.

    Have you tried using a TFTP server (something simple like Solar Winds) on a switchport directly plugged into the switch? I know it's not your preferred final method of doing backups but it will at least tell you if you've got a local issue.
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
  • ReardenRearden Member Posts: 222
    On some Linux systems that I've used tftp on, the file has to exist on the server before you can copy the file to it. It wouldn't create a new file if it wasn't there already. Not sure if those were weird implementations or if that's the norm.

    Also, check filesystem level permissions. Often, the tftp daemon runs as a very low privileged user.

    In short, if you're on a *nix system, do the following (usually tfpt uses /tftpboot as it's root directory. It's not quite a chroot, but close enough. The daemon often runs as root, which is why you'll have to change the permissions )
    Server ~ # cd /tftpboot
    Server tftpboot # touch <name of file you'll want>
    Server tftpboot # chmod 666 <name of file you'll want>

    tftpd has the -c option to allow file creation, and a -u option to allow running as another user.

    Those are the most obvious things I can think of from a sysadmin perspective.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
Sign In or Register to comment.