Wednesday, March 25, 2009

Live Problem and Solution

Yesterday one of my old students, now working in Bangalore, called me for help. The problem was this: he needed to back up the configuration of a voice gateway router located in the UK to his PC in Bangalore. He started a TFTP server on his PC and accessed the router via Telnet. When he issued “copy running-config tftp”, he got an error message saying the router could not access the TFTP server.

See the result he mailed:

2851BR5A_01#copy running-config tftp:
Address or name of remote host []? 25.91.170.125
Destination filename [2851br5a_01-confg]?
Writing 2851br5a_01-confg
%Error writing tftp://10.91.170.157/2851br5a_01-confg

The problem here is that there may be firewalls on his path to the TFTP server blocking his TFTP traffic. Most firewalls block TFTP traffic (port 69) but allow FTP traffic. To confirm this, we can traceroute to the TFTP port by issuing the following command from privileged mode.

2851BR5A_01#traceroute 25.91.170.125 port 69

Traceroute result of TFTP

2851BR5A_01#traceroute 25.91.170.125 port 69
Type escape sequence to abort.
Tracing the route to 25.91.170.125
1 25.255.120.19 0 msec 0 msec 0 msec
2 25.255.127.75 0 msec 0 msec 0 msec
3 25.216.58.89 4 msec 0 msec 0 msec
4 25.212.37.93 204 msec 204 msec 200 msec
*
*

Traceroute result of ftp

2851BR5A_01#traceroute 25.91.170.125 port 20
Type escape sequence to abort.
Tracing the route to 25.91.170.125
1 25.255.120.19 0 msec 0 msec 0 msec
2 25.255.127.75 0 msec 0 msec 0 msec
3 25.216.58.89 4 msec 0 msec 0 msec
4 25.212.37.93 204 msec 204 msec 200 msec
5 25.212.37.94 244 msec 296 msec 204 msec
6 25.91.160.5 296 msec 232 msec 296 msec
7 25.91.170.125 264 msec 348 msec 312 msec

(NOTE: here TFTP traffic is being dropped while FTP traffic is permitted by the firewalls.)


If we get a reply from the destination IP itself, like “25.91.170.125 264 msec 348 msec 312 msec”, there is no filtering. In this case, however, the problem is with the firewall.
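The comparison described above can be automated. The following Python is an added example, not part of the original post: it parses the two traceroute outputs quoted in the post and reports the hop at which the port 69 probes stop being answered. The function names are hypothetical.

```python
import re

# One responding hop in IOS traceroute output: "<hop> <ip> <rtt> msec ..."
# findall is used so the parser also copes with several hops on one line.
HOP_RE = re.compile(r"\b(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(?:\*|\d+\s+msec)")

def responding_hops(output):
    """Return the IP of every hop that answered, in hop order."""
    return [ip for _, ip in HOP_RE.findall(output)]

def compare_traces(target, suspect_trace, baseline_trace):
    """Compare a trace that may be filtered with one known to complete."""
    suspect = responding_hops(suspect_trace)
    baseline = responding_hops(baseline_trace)
    shared = 0
    for a, b in zip(suspect, baseline):
        if a != b:
            break
        shared += 1
    reached = bool(suspect) and suspect[-1] == target
    # The probe died right after the shared path: the next baseline hop is
    # the first device that answered one port but stayed silent for the other.
    stalled = not reached and shared == len(suspect) and shared < len(baseline)
    return {
        "suspect_reached_target": reached,
        "baseline_reached_target": bool(baseline) and baseline[-1] == target,
        "last_answering_hop": suspect[-1] if suspect else None,
        "first_silent_hop": baseline[shared] if stalled else None,
    }

# Traces transcribed from the post, one hop per line.
TFTP_TRACE = """Tracing the route to 25.91.170.125
1 25.255.120.19 0 msec 0 msec 0 msec
2 25.255.127.75 0 msec 0 msec 0 msec
3 25.216.58.89 4 msec 0 msec 0 msec
4 25.212.37.93 204 msec 204 msec 200 msec
*
*
"""
FTP_TRACE = TFTP_TRACE.replace("*\n", "") + """5 25.212.37.94 244 msec 296 msec 204 msec
6 25.91.160.5 296 msec 232 msec 296 msec
7 25.91.170.125 264 msec 348 msec 312 msec
"""

if __name__ == "__main__":
    for key, value in compare_traces("25.91.170.125", TFTP_TRACE, FTP_TRACE).items():
        print(f"{key}: {value}")
```

The port 69 trace stops after 25.212.37.93 while the port 20 trace continues to 25.212.37.94, so the filter sits at or just before that hop. IOS traceroute probes are UDP datagrams, so the result shows which UDP destination ports pass along the path.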

The solution

There may be many solutions to this problem. I told him the ones that came to my mind.

1. Call his top-level administrator and ask him to allow his TFTP traffic. (This is not a good solution, since TFTP is not a secure protocol, unlike FTP.)
2. Use an FTP server instead of a TFTP server.
3. Use a TFTP server in the same LAN as the voice gateway, or before the firewall.
4. Back up the startup configuration file from NVRAM to the flash memory of the same router.

Solutions 1 and 3 don’t need much explanation.

Explanation of solution 2

Download and install an FTP server on the local LAN in Chennai. Create a user in the FTP application, for example username cisco with password cisco.

On the router, configure the same FTP user with these commands:

ip ftp username cisco
ip ftp password 0 cisco

Then issue the command “copy running-config ftp”
or “copy running-config ftp://cisco:cisco@10.91.170.157/”

Explanation of solution 4
If the router has enough flash space, we can back up the configuration to flash itself. If no destination location is specified in the copy command, the default location is flash.
We can use the command “copy run configbackup” for this solution.
He used the second solution and is now using FTP instead of TFTP. Remember, even if TFTP is faster than FTP, it is not secure.


Reneesh A
CISCO Faculty
IPSR Kochi
