Installing a TFTP Server

 


Overview

You must have a TFTP server to install the firewall software. If the computer runs the Windows operating system and you have a CCO account, you can download a TFTP server from the Web or by FTP. UNIX systems, including Solaris and Linux, already include a TFTP server (in.tftpd); it is normally disabled by default and must be enabled as described below.

You must have an activation key that enables Data Encryption Standard (DES) or the more secure Triple DES (3DES), which PDM requires for Secure Sockets Layer (SSL) support. If the firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at:

http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml

 


Obtaining a Windows TFTP Server

You can download the TFTP server from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/tftp

Follow these steps to download the server by FTP.

  1. Start the FTP client and connect to cco.cisco.com. (Enter the CCO username and password.)

  2. You can view the files in the main directory by entering the ls command.

  3. Enter the cd cisco command to move to the top level software directory. Then enter the cd TFTP command to access the TFTP software directory. Enter the ls command to view the directory contents.

  4. Enter the get command to copy the TFTP executable file to the local directory.

The file you download is a self-extracting archive for Windows 98, Windows ME, Windows NT 4.0, or Windows 2000. Once the file is stored on the Windows system, double-click it to start the setup program, then follow the prompts to install the server.


Enabling UNIX TFTP Support

The procedure for enabling TFTP access on the workstation varies depending on the operating system.

Enabling TFTP Access on a Sun Solaris System

Follow these steps to enable TFTP access on a Sun Solaris system:

  1. Log in as root.

  2. Add or uncomment the following line in the /etc/inetd.conf file (the service name and program name are lowercase, as in /etc/services):
        tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd  in.tftpd
    

  3. Specify the TFTP directory. By default it is /tftpboot unless you append "-s <directory>" to the in.tftpd arguments in the previous step. The -s option confines the server to that directory (it changes the server's root directory to it), so a client cannot request files from elsewhere on the system. TFTP has no authentication, so every file in that directory is readable by any host that can reach UDP port 69. View the in.tftpd man page for more information.

  4. Either reboot the system or use the following commands to find the "inetd" process and send it the SIGHUP signal to force it to reread the inetd.conf file:
    /bin/ps -ef | grep inetd
    kill -1 inetd_process_ID

Enabling TFTP Access on a Linux System

Follow these steps to enable TFTP access on a Linux system:

On Linux the steps depend on whether the system uses "inetd" or "xinetd." If the file /etc/inetd.conf exists, the system uses inetd; Red Hat 7.0 uses xinetd, with one service file per service under /etc/xinetd.d.

  1. Log in as root.

  2. If you are running Linux with "inetd," add or uncomment the following line in the /etc/inetd.conf file:
    tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    

    If you are running Linux with "xinetd," edit the /etc/xinetd.d/tftp file as follows:

    1. Change the line "disable = yes" to "disable = no."

    2. Change the line "user = nobody" to "user = root."

    3. If you want to specify a different TFTP directory, replace "/tftpboot" in the line "server_args = -s /tftpboot" with the name of the directory. Keep the -s option; it confines the server to that directory.

    Because TFTP is unauthenticated, consider adding an "only_from = <firewall address>" line to the same file so that only the firewall can request files, and set "disable = yes" again once the installation is finished.

  3. Make the superserver reread its configuration. With xinetd, enter:

    /etc/init.d/xinetd restart

    With inetd, find the "inetd" process and send it the SIGHUP signal, as in step 4 of the Solaris procedure above.
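As an added example (not from the Cisco documentation), the shell functions below carry out the xinetd part of the Linux procedure and perform the one check that most often causes a failed download: that the image under the TFTP root is world-readable, which is the condition behind the firewall's "-10" error code listed later on this page. They take the stanza file and the TFTP root as parameters rather than writing to /etc/xinetd.d directly, so they can be exercised on scratch copies first; the image name pix.bin in the comments is a constructed example, and the "user = root" and "-s" settings follow the procedure above.

```shell
#!/bin/sh
# Added example, not part of the Cisco documentation. Helpers for the
# xinetd procedure above. $stanza is the xinetd service file (normally
# /etc/xinetd.d/tftp) and $root the TFTP directory; both are parameters
# so the functions can be exercised on scratch copies.

# Write a complete xinetd stanza for tftp: enabled, running as root and
# confined to $2 by "-s", exactly as the procedure describes.
write_tftp_stanza() {
    stanza="$1"
    root="$2"
    cat > "$stanza" <<EOF
service tftp
{
    socket_type  = dgram
    protocol     = udp
    wait         = yes
    user         = root
    server       = /usr/sbin/in.tftpd
    server_args  = -s $root
    disable      = no
}
EOF
}

# Step 1 of the procedure on an existing stanza: turn "disable = yes"
# into "disable = no", leaving every other line as it is. A temp file is
# used instead of "sed -i" so the same code works with GNU and BSD sed.
enable_tftp_stanza() {
    tmp="$1.tmp"
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Return 0 if the stanza contains an active "disable = no" line.
tftp_enabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Confirm that image $2 under TFTP root $1 exists and is world-readable.
# in.tftpd serves only world-readable files, and a firewall requesting a
# file that fails this check sees TFTP error <-10> ("file not found"),
# the same code it shows for a misspelled name. Returns 1 if the file is
# missing and 2 if the permissions are wrong.
check_tftp_file() {
    f="$1/$2"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # Column 8 of "ls -l" output is the read bit for "other".
    other_r=$(ls -lL "$f" | cut -c8)
    if [ "$other_r" != "r" ]; then
        echo "not world-readable: $f" >&2
        return 2
    fi
    return 0
}

# Typical use on the real system (run as root):
#   write_tftp_stanza /etc/xinetd.d/tftp /tftpboot
#   check_tftp_file /tftpboot pix.bin && /etc/init.d/xinetd restart
```

Run check_tftp_file before restarting xinetd: a permissions problem shows up here as a clear message, whereas on the firewall it is indistinguishable from a typo in the filename.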


TFTP Download Error Codes

PDM cannot be downloaded via TFTP from the firewall unit's monitor mode. You must use the copy tftp flash:pdm command described in "Installing PDM on a firewall."

During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets.

For example, random bad blocks appear as follows:

....<11>..<11>.<11>......<11>...

Also, the display may show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

 

TFTP Error Code Numeric Values

  Code   Description
  ----   -----------
   -1    Timeout between the firewall and the TFTP server.
    2    The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
    3    The received packet was not from the server specified in the server command.
    4    The IP header length was not big enough to be a valid TFTP packet.
    5    The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
    6    The received IP packet's destination address did not match the address specified by the address command.
    7    The UDP ports on either side of the connection did not match the expected values: the local port was not the previously selected port, the foreign port was not the TFTP port, or both.
    8    The UDP checksum calculation on the packet failed.
    9    An unexpected TFTP code (opcode) was received.
   10    A TFTP transfer error occurred.
  -10    The image filename you specified cannot be found. Check the spelling of the filename, and check that the file permissions allow the TFTP server to read it; on UNIX the file must be world-readable.
   11    A TFTP packet was received out of sequence.

Error codes 9 and 10 are fatal and stop the download. The other codes are non-fatal and the transfer continues.