TFTP Help

waymorr · March 2008

Hi I just started a new job a while ago and discoverd that none of the switches had their running config's saved. There are about 20 switches and I have managed to telnet and copy the running config's of about 15 of them to the TFTP server. The problem I am having is that on the remaining switches I am getting the following message:

error code 2 Access denied.

Now I can ping the TFTP server from the switches and I know the TFTP server is set up correct as all the other switches have worked OK!

I compared the running config of a switch that worked to one that doesn't and I can't see any difference between the two.

All the switches are 2950's and running the same IOS version

If anybody has any ideas it would be much appreciated!

Paul Boz · March 2008

TFTP doesn't support authentication so it's more than likely an end-client issue. Have you double-checked that you have write access to the TFTP server still? are you over-writing existing files with the same filename?

this is taken from the TFTP manpages included in Solaris Unix:

Because there is no user-login or validation within the TFTP
protocol, the remote site will probably have some sort of
file-access restrictions in place. The exact methods are
specific to each site and therefore dif ficult to document here.

APA · March 2008

I know with certain tftp programs you have the ability to filter out specific address ranges, maybe that's what you're experiencing?

Are the switches that are getting the access error on a different subnet by any chance?

I really need a keyboard for my ps3, this is the first message I've typed via it.....................painful is a major understatement!!!!!!!!!!!

waymorr · March 2008

Hi thanks for the quick replies I have checked that I still have write acccess to the server and I am not trying to write over an existing file.
Also all the switches are in the same vlan
This has really got me stumped I know I can console into them and capture the run config but I would like to figure out why it doesn't work with these 5 switches.

Paul Boz · March 2008

Perhaps they have permission levels established on the router and the profile you're accessing the router from disallows TFTP? It's a stretch but that's a possibility.

Have you tried using a TFTP server (something simple like Solar Winds) on a switchport directly plugged into the switch? I know it's not your preferred final method of doing backups but it will at least tell you if you've got a local issue.

Rearden · March 2008

On some Linux systems that I've used tftp on, the file has to exist on the server before you can copy the file to it. It wouldn't create a new file if it wasn't there already. Not sure if those were weird implementations or if that's the norm.

Also, check filesystem level permissions. Often, the tftp daemon runs as a very low privileged user.

In short, if you're on a *nix system, do the following (usually tfpt uses /tftpboot as it's root directory. It's not quite a chroot, but close enough. The daemon often runs as root, which is why you'll have to change the permissions )

Server ~ # cd /tftpboot
Server tftpboot # touch <name of file you'll want>
Server tftpboot # chmod 666 <name of file you'll want>

tftpd has the -c option to allow file creation, and a -u option to allow running as another user.

Those are the most obvious things I can think of from a sysadmin perspective.

TFTP Help

Comments