Re: TFTP Not Working W CBAC for some reason

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Nov 08 2008 - 23:26:44 ARST


Debug output...probably more detail than many folks are interested in. To
me it looks as though CBAC "sees" the TFTP and "Passes" at Layer 4 and Layer
7 and creates a session. For whatever reason the buck seems to stop there.

R1#
*Mar 1 01:05:57.963: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:05:57.963: CBAC* sis not found
*Mar 1 01:05:57.963: CBAC: Finding pregen session for src_tableid:0, src_addr:2.2.2.12, src_port:52968, dst_tableid:0, dst_addr:1.1.1.10, dst_port:69
*Mar 1 01:05:57.963: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:05:57.967: CBAC* sis not found
*Mar 1 01:05:57.967: CBAC: Finding pregen session for src_tableid:0, src_addr:2.2.2.12, src_port:52968, dst_tableid:0, dst_addr:1.1.1.10, dst_port:69
*Mar 1 01:05:57.971: CBAC Pak 65444A88 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:05:57.971: CBAC sis not found
*Mar 1 01:05:57.971: CBAC: Finding pregen session for src_tableid:0, src_addr:2.2.2.12, src_port:52968, dst_tableid:0, dst_addr:1.1.1.10, dst_port:69
*Mar 1 01:05:57.975: %FW-6-SESS_AUDIT_TRAIL_START: Start tftp session: initiator (2.2.2.12:52968) -- responder (1.1.1.10:69)
R1#
*Mar 1 01:05:57.979: CBAC sis 656AD4DC SIS_CLOSED
*Mar 1 01:05:57.979: CBAC Pak 65444A88 IP: s=2.2.2.12 (FastEthernet1/0), d=1.1.1.10 (FastEthernet0/0), len 60, proto=17
*Mar 1 01:05:57.979: CBAC sis 656AD4DC Saving UDP State: SIS_CLOSED/i_sendcnt 0 r_sendcnt 0
*Mar 1 01:05:57.979: CBAC UDP: sis 656AD4DC pak 65444A88 SIS_CLOSED UDP packet (2.2.2.12:52968) => (1.1.1.10:69) datalen 17
*Mar 1 01:05:57.983: CBAC sis 656AD4DC --> SIS_OPENING (2.2.2.12:52968) (1.1.1.10:69)
*Mar 1 01:05:57.983: CBAC sis 656AD4DC L4 inspect result: PASS packet 65444A88 (2.2.2.12:52968) (1.1.1.10:69) bytes 17 tftp
*Mar 1 01:05:57.987: CBAC sis 656AD4DC tftp L7 inspect result: PASS packet
R1#
*Mar 1 01:06:00.935: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:06:00.935: CBAC* sis 656AD4DC SIS_OPENING
*Mar 1 01:06:00.935: CBAC* Pak 6518D0C0 IP: s=2.2.2.12 (FastEthernet1/0), d=1.1.1.10 (FastEthernet0/0), len 60, proto=17
*Mar 1 01:06:00.935: CBAC sis 656AD4DC Saving UDP State: SIS_OPENING/i_sendcnt 17 r_sendcnt 0
*Mar 1 01:06:00.935: CBAC* UDP: sis 656AD4DC pak 6518D0C0 SIS_OPENING UDP packet (2.2.2.12:52968) => (1.1.1.10:69) datalen 17
*Mar 1 01:06:00.939: CBAC* sis 656AD4DC --> SIS_OPEN (2.2.2.12:52968) (1.1.1.10:69)
R1#
*Mar 1 01:06:00.939: CBAC* sis 656AD4DC L4 inspect result: PASS packet 6518D0C0 (2.2.2.12:52968) (1.1.1.10:69) bytes 17 tftp
*Mar 1 01:06:00.939: CBAC* sis 656AD4DC tftp L7 inspect result: PASS packet
*Mar 1 01:06:00.939: CBAC* Finish with the inspection, forward the packet on (2.2.2.12:52968) => (1.1.1.10:69)
R1#
*Mar 1 01:06:04.947: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:06:04.947: CBAC* sis 656AD4DC SIS_OPEN
*Mar 1 01:06:04.947: CBAC* Pak 6518D0C0 IP: s=2.2.2.12 (FastEthernet1/0), d=1.1.1.10 (FastEthernet0/0), len 60, proto=17
*Mar 1 01:06:04.947: CBAC sis 656AD4DC Saving UDP State: SIS_OPEN/i_sendcnt 34 r_sendcnt 0
*Mar 1 01:06:04.947: CBAC* UDP: sis 656AD4DC pak 6518D0C0 SIS_OPEN UDP packet (2.2.2.12:52968) => (1.1.1.10:69) datalen 17
*Mar 1 01:06:04.951: CBAC* sis 656AD4DC --> SIS_OPEN (2.2.2.12:52968) (1.1.1.10:69)
R1#
*Mar 1 01:06:04.951: CBAC* sis 656AD4DC L4 inspect result: PASS packet 6518D0C0 (2.2.2.12:52968) (1.1.1.10:69) bytes 17 tftp
*Mar 1 01:06:04.951: CBAC* sis 656AD4DC tftp L7 inspect result: PASS packet
*Mar 1 01:06:04.951: CBAC* Finish with the inspection, forward the packet on (2.2.2.12:52968) => (1.1.1.10:69)
R1#
*Mar 1 01:06:09.951: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:06:09.951: CBAC* sis 656AD4DC SIS_OPEN
*Mar 1 01:06:09.951: CBAC* Pak 6518D0C0 IP: s=2.2.2.12 (FastEthernet1/0), d=1.1.1.10 (FastEthernet0/0), len 60, proto=17
*Mar 1 01:06:09.951: CBAC sis 656AD4DC Saving UDP State: SIS_OPEN/i_sendcnt 51 r_sendcnt 0
*Mar 1 01:06:09.951: CBAC* UDP: sis 656AD4DC pak 6518D0C0 SIS_OPEN UDP packet (2.2.2.12:52968) => (1.1.1.10:69) datalen 17
*Mar 1 01:06:09.955: CBAC* sis 656AD4DC --> SIS_OPEN (2.2.2.12:52968) (1.1.1.10:69)
R1#
*Mar 1 01:06:09.955: CBAC* sis 656AD4DC L4 inspect result: PASS packet 6518D0C0 (2.2.2.12:52968) (1.1.1.10:69) bytes 17 tftp
*Mar 1 01:06:09.955: CBAC* sis 656AD4DC tftp L7 inspect result: PASS packet
*Mar 1 01:06:09.955: CBAC* Finish with the inspection, forward the packet on (2.2.2.12:52968) => (1.1.1.10:69)
R1#
*Mar 1 01:06:15.931: CBAC* Pak 6518D0C0 Find session for (0:2.2.2.12:52968) (0:1.1.1.10:69) udp
*Mar 1 01:06:15.931: CBAC* sis 656AD4DC SIS_OPEN
*Mar 1 01:06:15.931: CBAC* Pak 6518D0C0 IP: s=2.2.2.12 (FastEthernet1/0), d=1.1.1.10 (FastEthernet0/0), len 60, proto=17
*Mar 1 01:06:15.931: CBAC sis 656AD4DC Saving UDP State: SIS_OPEN/i_sendcnt 68 r_sendcnt 0
*Mar 1 01:06:15.931: CBAC* UDP: sis 656AD4DC pak 6518D0C0 SIS_OPEN UDP packet (2.2.2.12:52968) => (1.1.1.10:69) datalen 17
*Mar 1 01:06:15.935: CBAC* sis 656AD4DC --> SIS_OPEN (2.2.2.12:52968) (1.1.1.10:69)
R1#
*Mar 1 01:06:15.935: CBAC* sis 656AD4DC L4 inspect result: PASS packet 6518D0C0 (2.2.2.12:52968) (1.1.1.10:69) bytes 17 tftp
*Mar 1 01:06:15.935: CBAC* sis 656AD4DC tftp L7 inspect result: PASS packet
*Mar 1 01:06:15.935: CBAC* Finish with the inspection, forward the packet on (2.2.2.12:52968) => (1.1.1.10:69)
R1#u all
All possible debugging has been turned off

On Sat, Nov 8, 2008 at 6:18 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

> I'm starting to think that TFTP needs to be permitted in the outside
> inbound ACL as well. I can't really see much use in CBAC's TFTP inspection
> if this is the case though.
>
> Jason
>
>
> On Sat, Nov 8, 2008 at 6:14 PM, Jason Madsen <madsen.jason@gmail.com>wrote:
>
>> BTW, I can transfer files using HTTP too (see below). The only thing
>> that won't work for me is TFTP.
>>
>> Someone in this group must have tried (successfully or unsuccessfully) to
>> transfer a file via TFTP across a CBAC link at one time or another...there
>> are just too many of us :-)
>>
>> any ideas?
>>
>> R2#copy http: flash
>> Address or name of remote host [1.1.1.10]?
>> Source filename [test.txt]?
>> Destination filename [test.txt]?
>> Erase flash: before copying? [confirm]
>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>> Erase of flash: complete
>> Loading http://1.1.1.10/test.txt !
>> Verifying checksum... OK (0x3CA)
>> 868 bytes copied in 1.512 secs (574 bytes/sec)
>>
>>
>> Jason
>>
>>
>> On Sat, Nov 8, 2008 at 6:06 PM, Jason Madsen <madsen.jason@gmail.com>wrote:
>>
>>> Hi Bob, I'm not sure if that's the case with CBAC or not, but I did try
>>> extending the topology a bit more and sourced the request from another
>>> connected device, but had the same exact results. Telnet and ICMP worked
>>> just fine, but TFTP wouldn't work at all.
>>>
>>> Along with my debugs I enabled alerts and auditing and really didn't get
>>> any more info that way either.
>>>
>>> Thanks,
>>> Jason
>>>
>>>
>>> On Sat, Nov 8, 2008 at 5:58 PM, Bob Sinclair <bob@bobsinclair.net>wrote:
>>>
>>>> Jason,
>>>>
>>>> It looks to me like you are generating traffic from the device that is
>>>> doing the inspecting. I do not believe that CBAC can inspect connections
>>>> that terminate on the router; they must go through the router. Try tftp
>>>> from a device "inside" R0.
>>>>
>>>> HTH,
>>>>
>>>> -Bob Sinclair CCIE 10427 CCSI 30427
>>>> www.netmasterclass.net
>>>>
>>>>
>>>> Jason Madsen wrote:
>>>>
>>>>> Hello All,
>>>>>
>>>>> ...quick question. There are quite a lot of CBAC options available to
>>>>> use, but overall it's a pretty straightforward technology...at least
>>>>> that's what I've always thought and experienced until now. For whatever
>>>>> reason(s) CBAC doesn't seem to be allowing me to tftp. Here's the basic
>>>>> config I was using:
>>>>>
>>>>> *R1:*
>>>>>
>>>>> tftp-server flash:test.txt
>>>>>
>>>>> int f0/0
>>>>> desc link to R0
>>>>> ip add 1.1.1.2 255.255.255.252
>>>>>
>>>>> *R0:*
>>>>>
>>>>> int f0/0
>>>>> desc link to R1
>>>>> ip add 1.1.1.1 255.255.255.252
>>>>> ip access-group 100 in
>>>>> ip inspect TEST out
>>>>>
>>>>> access-list 100 deny ip any any
>>>>>
>>>>> ip inspect name TEST tcp router-traffic
>>>>> ip inspect name TEST telnet
>>>>> ip inspect name TEST tftp
>>>>> ip inspect name TEST udp router-traffic
>>>>> ip inspect name TEST icmp router-traffic
>>>>>
>>>>>
>>>>>
>>>>> I am successfully able to telnet and ping to R1, but I can't get a file
>>>>> via tftp. I'm able to get a file via tftp just fine when ACL 100 is
>>>>> removed, but I can't seem to get CBAC to make an opening for it. I do
>>>>> know that tftp uses UDP (port 69) and I am using dynamips. Do you think
>>>>> it's possible that dynamips is too slow for CBAC to work with its default
>>>>> timers and such? It doesn't seem like it has anything to do with it to
>>>>> me...without ACL 100 applied, the file seems to transfer across very
>>>>> quickly.
>>>>>
>>>>>
>>>>> debug ip inspect detail output when trying to tftp:
>>>>>
>>>>> R0(config)#do copy tftp flash
>>>>> Address or name of remote host [1.1.1.2]?
>>>>> Source filename [test.txt]?
>>>>> Destination filename [test.txt]?
>>>>> Accessing tftp://1.1.1.2/test.txt...
>>>>> *Mar 1 03:45:29.867: CBAC: Finding pregen session for src_tableid:0, src_addr:1.1.1.1, src_port:55559, dst_tableid:0, dst_addr:1.1.1.2, dst_port:69
>>>>> %Error opening tftp://1.1.1.2/test.txt (Timed out)
>>>>>
>>>>> Here's an attempt with ACL 100 removed to validate tftp functionality:
>>>>>
>>>>> R0(config-if)#do copy tftp flash
>>>>> Address or name of remote host [1.1.1.2]?
>>>>> Source filename [test.txt]?
>>>>> Destination filename [test.txt]?
>>>>> Accessing tftp://1.1.1.2/test.txt...
>>>>> Erase flash: before copying? [confirm]
>>>>> Erasing the flash filesystem will remove all files! Continue? [confirm]
>>>>> Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
>>>>> Erase of flash: complete
>>>>> Loading test.txt from 1.1.1.2 (via FastEthernet0/0): !
>>>>> [OK - 1670 bytes]
>>>>>
>>>>> Verifying checksum... OK (0x535)
>>>>> 1670 bytes copied in 1.356 secs (1232 bytes/sec)
>>>>> R0(config-if)#
>>>>>
>>>>>
>>>>> any ideas?
>>>>>
>>>>> Thanks,
>>>>> Jason
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html

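Editor's added example (not code from the thread, and not Cisco's CBAC implementation): a small simulation of why TFTP needs application-layer inspection rather than a plain UDP session entry. Per RFC 1350 section 4 the client sends its RRQ to udp/69, but the server answers from a freshly chosen ephemeral port (its transfer ID), and all later DATA/ACK packets run between the two TIDs. A firewall that only admits the exact reverse of the request's 5-tuple therefore never lets the first DATA block back in, and the client just retransmits the RRQ until it times out. That is consistent with what the debug above records: the same 17-byte packet (an RRQ for test.txt in octet mode is exactly 2 + 8 + 1 + 5 + 1 = 17 bytes) from 2.2.2.12:52968 to 1.1.1.10:69 every few seconds, with i_sendcnt growing and r_sendcnt stuck at 0. The addresses and the client port come from that debug; the server TID 49152, the file contents, and the simplified inspector model are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5  # RFC 1350 opcodes
TFTP_PORT, BLOCK_SIZE = 69, 512


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def opcode(payload: bytes) -> int:
    return int.from_bytes(payload[:2], "big")


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ = opcode 1, filename, NUL, mode, NUL."""
    return RRQ.to_bytes(2, "big") + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return ACK.to_bytes(2, "big") + block.to_bytes(2, "big")


class TftpServer:
    """Read-only server: each RRQ is answered from a NEW port (the server's TID)."""

    def __init__(self, addr: str, files: Dict[str, bytes], first_tid: int = 49152):
        self.addr, self.files, self.next_tid = addr, files, first_tid  # 49152 is an assumed TID
        self.transfers: Dict[Tuple[str, int], Tuple[int, bytes]] = {}  # (client, client TID) -> (server TID, data)

    def _data(self, key: Tuple[str, int], block: int) -> Packet:
        tid, data = self.transfers[key]
        chunk = data[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
        return Packet(self.addr, tid, key[0], key[1], DATA.to_bytes(2, "big") + block.to_bytes(2, "big") + chunk)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        op, key = opcode(pkt.payload), (pkt.src, pkt.sport)
        if pkt.dport == TFTP_PORT and op == RRQ:
            name = pkt.payload[2:].split(b"\0", 1)[0].decode()
            tid, self.next_tid = self.next_tid, self.next_tid + 1
            if name not in self.files:  # even the error leaves from the new TID
                err = ERROR.to_bytes(2, "big") + (1).to_bytes(2, "big") + b"File not found\0"
                return Packet(self.addr, tid, pkt.src, pkt.sport, err)
            self.transfers[key] = (tid, self.files[name])
            return self._data(key, 1)
        if op == ACK and key in self.transfers and pkt.dport == self.transfers[key][0]:
            block = int.from_bytes(pkt.payload[2:4], "big")
            if len(self.transfers[key][1]) < block * BLOCK_SIZE:  # a short block ended the transfer
                del self.transfers[key]
                return None
            return self._data(key, block + 1)
        return None


class UdpInspector:
    """Stateful UDP inspection in front of a deny-all inbound ACL (simplified model, not CBAC itself).
    Inside->outside packets pass and create a session. Outside->inside packets pass only as the
    reverse of a known session or, with tftp_aware, through the pinhole an RRQ/WRQ to udp/69
    opened: (server, any port) -> (client, client TID)."""

    def __init__(self, inside: Set[str], tftp_aware: bool):
        self.inside, self.tftp_aware = inside, tftp_aware
        self.sessions: Set[Tuple[str, int, str, int]] = set()
        self.pinholes: Set[Tuple[str, str, int]] = set()  # (server, client, client TID)
        self.dropped: List[Packet] = []

    def forward(self, pkt: Packet) -> bool:
        if pkt.src in self.inside:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.tftp_aware and pkt.dport == TFTP_PORT and opcode(pkt.payload) in (RRQ, WRQ):
                self.pinholes.add((pkt.dst, pkt.src, pkt.sport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        if (pkt.src, pkt.dst, pkt.dport) in self.pinholes:
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))  # learn the server TID
            return True
        self.dropped.append(pkt)
        return False


def run_transfer(tftp_aware: bool, filename: str = "test.txt", data: bytes = b"x" * 1300) -> Tuple[bytes, int]:
    """Drive one client RRQ (2.2.2.12:52968 -> 1.1.1.10:69, as in the thread's debug) through the inspector."""
    client, server_addr = "2.2.2.12", "1.1.1.10"
    server = TftpServer(server_addr, {"test.txt": data})
    fw = UdpInspector(inside={client}, tftp_aware=tftp_aware)
    received, pkt = b"", Packet(client, 52968, server_addr, TFTP_PORT, build_rrq(filename))
    for _ in range(len(data) // BLOCK_SIZE + 2):
        fw.forward(pkt)  # inside->outside always passes
        reply = server.handle(pkt)
        if reply is None or not fw.forward(reply) or opcode(reply.payload) != DATA:
            break  # dropped by the firewall, ERROR, or nothing more to send
        block, chunk = int.from_bytes(reply.payload[2:4], "big"), reply.payload[4:]
        received += chunk
        pkt = Packet(client, 52968, server_addr, reply.sport, build_ack(block))  # ACK goes to the server TID, not 69
        if len(chunk) < BLOCK_SIZE:  # last block: ACK it and stop
            fw.forward(pkt)
            server.handle(pkt)
            break
    return received, len(fw.dropped)
```

With tftp_aware=False the very first DATA block (source port 49152, not 69) is dropped and the client receives nothing, which is the "Timed out" symptom; with tftp_aware=True the pinhole admits it, the server's TID is learned, and the 1300-byte file arrives in three blocks. The same pinhole is what lets a TFTP ERROR reach the client instead of being silently dropped. The model deliberately ignores timeouts, retransmission and the router-generated-traffic question Bob raised; it only shows the port behaviour that makes the `tftp` keyword necessary on top of generic `udp` inspection.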



This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST