
PIX and TFTP on Red Hat 9


Saeed42

Jul 4, 2001
We used to have a TFTP server running on an old SuSE machine, and we decided to replace it with a new machine running Red Hat 9. Now we have a small problem: the TFTP server seems to work fine with the routers, but as soon as we try to back up PIX configs we get the following error in the syslog: "in.tftpd[9845]: tftpd: write(ack): Operation not permitted".

All the permissions are correct, since we can back up router configs from the same subnet to the server.

More info:

service tftp
{
    disable     = no
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = nobody
    server      = /usr/sbin/in.tftpd
    server_args = -sc /tftproot
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Do you have any ACLs on the PIX? I would advise you to check syslogs and try to determine if the PIX is denying that traffic and the reason why it is doing so.
 
This is the only line in the config that relates to the TFTP server, "tftp-server inside 10.10.10.10 pix", which never changed and worked fine with our old TFTP server.

Judging from the error message in the syslog, it sounds like the new TFTP server doesn't like the write command that the PIX uses.



 
Can you try testing with a different TFTP server? If it works, then for sure it is your new TFTP server.
 
Hi.

Can the pix and the new tftp server ping each other?

Can you read from the new tftp server? (for example, try reinstalling PDM on the pix and see how far it goes):
copy tftp flash:pdm



Yizhar Hurwitz
 
All the firewalls see the server, as we use TACACS+ to authenticate SSH sessions from the same server. We also use the same server as the syslog server, and the firewalls seem to have no problem logging to the remote syslog server. The server uses iptables, which I disabled just to make sure, but to no joy.


 
Have you got TCP wrappers on the Red Hat box?

You may need to check the hostallow statements on the Red Hat box, as it's letting in the router but not the PIX.

It'll be in your /etc/hostallow file, I think.


Hope this helps
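The TCP wrappers check suggested above, as an added example that is not from the thread: a small Python model of how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny for a client address (a hosts.allow match admits, then a hosts.deny match refuses, otherwise the client is admitted), run over constructed sample rules rather than the poster's real files; the daemon names and addresses in the sample are assumptions.

```python
import ipaddress

# Constructed sample rules (not the poster's real files): management daemons
# are admitted from one /24, sshd from a wider prefix, everything else denied.
HOSTS_ALLOW = """
# daemon_list : client_list [: options]
in.tftpd, tac_plus, ntpd, syslogd : 10.10.10.0/255.255.255.0
sshd : 10.10. EXCEPT 10.10.99.1
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]      # option fields are ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, client_ip):
    """One client pattern: ALL, net/mask, trailing-dot prefix, or exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                       # "10.10." matches 10.10.x.y
        return client_ip.startswith(pattern)
    return pattern == client_ip


def list_matches(patterns, client_ip):
    """Evaluate a client list, honouring the EXCEPT operator."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return list_matches(patterns[:i], client_ip) and not list_matches(patterns[i + 1:], client_ip)
    return any(client_matches(p, client_ip) for p in patterns)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: first hosts.allow match admits, then hosts.deny match refuses, else admit."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and list_matches(clients, client_ip):
                return verdict
    return True
```

Calling hosts_access("in.tftpd", <firewall address>) with the real files' contents shows whether the wrappers admit the PIX to the TFTP daemon at all, which separates a wrappers refusal from a problem inside in.tftpd itself.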

 
We have TCP wrappers enabled, and they are allowing TACACS+, NTP, syslog and TFTP for our range. The strange thing is that to log in to the firewall I have to be authenticated by the same server that is running the TFTP server, and that works like a charm, but as soon as we try to back up the config file it gives me the above message.


 