Wednesday, March 25, 2009

Live Problem and Solution

Yesterday one of my old students now working in Bangalore called me for a help. The problem is this. He needs to backup the configuration of a voice gateway router situated in UK to the PC in Bangalore. He started TFTP server in his PC accessed the router via telnet. While issuing the “copy running-config tftp” he got the error message says router 'can’t access the tftp server.'

See the mailed result

2851BR5A_01#copy running-config tftp:Address or name of remote host []? filename [2851br5a_01-confg]?Writing 2851br5a_01-confg%Error writing tftp://

Here the problem is in his path to TFTP server there may some firewalls blocking his TFTP traffic. Most of firewalls will block TFTP traffic (port 69) but allow FTP traffic. To confirm the problem we can traceroute to the TFTP port for that issue the command from privilege mode.

2851BR5A_01#traceroute port 69

Traceroute result of TFTP

2851BR5A_01#traceroute port 69
Type escape sequence to abort.Tracing the route to
1 0 msec 0 msec 0 msec 2 0 msec 0 msec 0 msec 3 4 msec 0 msec 0 msec 4 204 msec 204 msec 200 msec

Traceroute result of ftp

2851BR5A_01#traceroute port 20
Type escape sequence to abort.Tracing the route to
1 0 msec 0 msec 0 msec 2 0 msec 0 msec 0 msec 3 4 msec 0 msec 0 msec 4 204 msec 204 msec 200 msec 5 244 msec 296 msec 204 msec 6 296 msec 232 msec 296 msec 7 264 msec 348 msec 312 msec

(NOTE here tftp traffic is being dropped while ftp traffic is permitted by firewalls)

If we got message form the same ip like “ 264 msec 348 msec 312 msec” there is no filtration. But in this case the problem is with firewall.

The solution

There may be many solutions to this problem. Some solutions came into my mind I told him.

call his top level administrator and tell him to allow his TFPT traffic. (its not a good solutions since TFTP is not a secure protocol unlike FTP)
Use a FTP server instead of TFTP server
Use a TFTP server in the same LAN of the voice gateway or before the firewall.
Back up the Startup configuration file from NVRAM to Flash memory of the same router.

Solution 1 &3 doesn’t need much explanation

Explanation of solution 2

Down load and install a ftp server in local LAN in Chennai. Create one user in ftp application for example username is cisco with password cisco

In router create the same ftp user using the command

ip ftp username ciscoip ftp password 0 cisco

then issue the command “copy running-config ftp”
OR “copy running-config ftp://cisco:cisco@

Explanation solution 4
If we have enough flash size we can backup configuration in flash itself. In copy command if we didn’t specify destination location the default location is in flash.
We can use command “copy run configbackup” for this solution.
He used the second solution and now he using ftp instead of TFTP. Remember even if TFTP is faster than FTP its not secure.

Reneesh A
CICSO Faculty
IPSR Kochi

No comments:

Post a Comment