TFTP Help
Hi, I just started a new job a while ago and discovered that none of the switches had their running configs saved. There are about 20 switches and I have managed to telnet and copy the running configs of about 15 of them to the TFTP server. The problem I am having is that on the remaining switches I am getting the following message:
error code 2 Access denied.
Now I can ping the TFTP server from the switches and I know the TFTP server is set up correctly as all the other switches have worked OK!
I compared the running config of a switch that worked to one that doesn't and I can't see any difference between the two.
All the switches are 2950s and running the same IOS version.
If anybody has any ideas it would be much appreciated!
Comments
-
Paul Boz Member Posts: 2,620
TFTP doesn't support authentication so it's more than likely an end-client issue. Have you double-checked that you have write access to the TFTP server still? Are you over-writing existing files with the same filename?
This is taken from the TFTP manpages included in Solaris Unix:
Because there is no user-login or validation within the TFTP protocol, the remote site will probably have some sort of file-access restrictions in place. The exact methods are specific to each site and therefore difficult to document here.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
-
APA Member Posts: 959
I know with certain tftp programs you have the ability to filter out specific address ranges, maybe that's what you're experiencing?
Are the switches that are getting the access error on a different subnet by any chance?
I really need a keyboard for my ps3, this is the first message I've typed via it.....................painful is a major understatement!!!!!!!!!!!
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
-
waymorr Member Posts: 29
Hi, thanks for the quick replies. I have checked that I still have write access to the server and I am not trying to write over an existing file.
Also, all the switches are in the same VLAN.
This has really got me stumped. I know I can console into them and capture the run config, but I would like to figure out why it doesn't work with these 5 switches.
-
Paul Boz Member Posts: 2,620
Perhaps they have permission levels established on the router and the profile you're accessing the router from disallows TFTP? It's a stretch but that's a possibility.
Have you tried using a TFTP server (something simple like Solar Winds) on a switchport directly plugged into the switch? I know it's not your preferred final method of doing backups but it will at least tell you if you've got a local issue.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
-
Rearden Member Posts: 222
On some Linux systems that I've used tftp on, the file has to exist on the server before you can copy the file to it. It wouldn't create a new file if it wasn't there already. Not sure if those were weird implementations or if that's the norm.
Also, check filesystem level permissions. Often, the tftp daemon runs as a very low privileged user.
In short, if you're on a *nix system, do the following (usually tftp uses /tftpboot as its root directory. It's not quite a chroot, but close enough. The daemon often runs as root, which is why you'll have to change the permissions):
Server ~ # cd /tftpboot
Server tftpboot # touch <name of file you'll want>
Server tftpboot # chmod 666 <name of file you'll want>
tftpd has the -c option to allow file creation, and a -u option to allow running as another user.
Those are the most obvious things I can think of from a sysadmin perspective.
More systems have been wiped out by admins than any cracker could do in a lifetime.
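
The server-side checks from the reply above, collected into one diagnostic as an added example that is not part of the original thread. The helper name tftp_write_check and the filename switch05-confg are hypothetical, and it assumes a tftpd started without -c that runs as an unprivileged user who is neither owner nor group of the files.

```shell
#!/bin/sh
# Added example, not from the thread. tftp_write_check is a hypothetical helper.
# Assumptions: tftpd runs without -c as an unprivileged user that is neither
# owner nor group of the files, so an upload needs an existing, world-writable
# regular file inside a directory that "other" can search.
# Return codes: 0 ok, 1 missing, 2 not world-writable, 3 bad root, 4 bad name.

tftp_write_check() {
    root=$1
    name=$2

    # Refuse names that would step outside the TFTP root.
    case "/$name/" in
        */../*) echo "REJECT: '$name' contains '..'"; return 4 ;;
    esac

    if [ ! -d "$root" ]; then
        echo "FAIL: $root is not a directory"; return 3
    fi
    # -perm -001: the search (x) bit for "other" is set on the root.
    if [ -z "$(find "$root" -prune -perm -001 -print)" ]; then
        echo "FAIL: $root is not searchable by other users (chmod o+x)"; return 3
    fi

    target=$root/$name
    if [ ! -f "$target" ]; then
        echo "FAIL: $target does not exist; touch it first or run tftpd with -c"
        return 1
    fi
    # -perm -002: the write bit for "other" is set, which chmod 666 provides.
    if [ -z "$(find "$target" -prune -perm -002 -print)" ]; then
        echo "FAIL: $target is not world-writable (chmod 666)"; return 2
    fi

    echo "OK: $target exists and is world-writable"
    return 0
}

# Usage (constructed filename): sh tftp_write_check.sh /tftpboot switch05-confg
if [ "$#" -eq 2 ]; then
    tftp_write_check "$1" "$2"
fi
```

Pre-creating only the expected filenames keeps what an unauthenticated client can write limited to those files, whereas -c lets any client that can reach the server create new ones.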