Eventual TFTP failure - "couldn't forward tftp packet: Permission denied"

  • Hello everyone,

    I've got a Netgate SG-3100 device that has been giving me an issue. We've got a handful of SIP phones behind the Netgate, which use a PBX in a datacenter for calling and TFTP config. SIP calls all work great, and TFTP works for a while after a reboot of the firewall, but eventually the time will come to add a new handset or alter an existing handset's config. After X amount of time, the TFTP helper seems to stop functioning, and I start seeing the RRQ and WRQ lines followed by "couldn't forward tftp packet: Permission denied" in the Netgate logs. Sure enough, the traffic isn't making it to the TFTP server at the PBX. If I restart the Netgate, all the phones start doing their normal TFTP pulls successfully and everything is fine again for a while - not sure how long it takes to break. Regardless of whether the TFTP helper is functioning, the phones all continue to make and receive calls without issue; it's only the TFTP link that breaks down.

    I've searched for this error message without success. It doesn't seem to be related to the PBX or TFTP server, as I can still access TFTP configs from another location behind another firewall. The Netgate's config is pretty basic: I have the TFTP server specified so the phones pull the address when doing DHCP, I have a few DHCP static maps for the phones, I have the TFTP helper enabled for LAN, and I use Manual Outbound NAT. The ISP is a gigabit fiber link with static IPs, also configured in the Netgate. I have configured the OpenVPN server on the Netgate to access assets behind the firewall. Not sure what to do from here, but it's definitely a hassle to reboot the firewall each time I need to add/alter a SIP handset. Any ideas on what my issue might be?