Screen OS

  • 1.  ScreenOS Upgrade Through TFTP Fails

    Posted 08-20-2014 12:49

    I'm having a heck of a time upgrading my ScreenOS on my SSG5. It's currently on 6.3.0r11.0 and I'm trying to update it to 6.3.0r17. I have had no success upgrading through the WebUI as it either states that it fails or just hangs infinitely. When trying to update it through the command line I keep getting the following error:


    !!!!!!!!!!tftp timeout max!
    tftp wait error, instance was freed!
    TFTP read file failed

    I am able to transfer easily from other hosts on the same network as the interface of the firewall to which I am connected using a tftp client. The connection simply never gets established but I have my firewall turned off on the tftp server and I even tried opening up the policies for the network of the firewall. It is using the default virtual router and doesn't seem like there should be anything stopping it. I've even tried increasing the TFTP timeout to 30 seconds. I must be doing something wrong. Any suggestions? Thanks!



  • 2.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-20-2014 13:07

    I just noticed something else. If I host the tftp on a machine on the network local to the interface, it seems to load just fine. I failed to mention that I am trying to do this through a route based VPN tunnel. I also noticed that while all the hosts on the same network as the trusted interface are able to ping the remote tftp server, when I try to ping it directly from the SSH console, it times out.



  • 3.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-20-2014 13:58

    Is this by chance using a policy based VPN? If so, then the policy would not be triggered and the traffic would not be put into the tunnel. This should work with route based though.



  • 4.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-21-2014 16:30

    It is route based.



  • 5.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-21-2014 18:36

    Can you collect a flow level debug on the firewall?

    unset ff
    # Repeat above command until you get "invalid id"
    set ff dst-ip <TFTP server IP> dst-port 69
    set ff src-ip <TFTP server IP> src-port 69

    debug flow basic
    clear dbuf

    After failure:

    undebug all
    set console page 0
    get db st
    # This will print the debug data



  • 6.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-22-2014 14:20

    Okay, I got the debug info and the one thing that seems to stand out is each attempt ends with:

    NHTB entry search not found: vpn none tif tunnel.1 nexthop <TFTP server IP>
    matched tunnel-id <0x00000001>

    Other than that, it seems to be going out the unnumbered tunnel interface to traverse the VPN but it always ends with the message above. Let me know if that information helps or if I should provide more from the debug trace. Thanks!



  • 7.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 08-26-2014 19:26

    That is not a problem, the firewall is able to match with a tunnel ID.


    Can you share the debug output?



  • 8.  RE: ScreenOS Upgrade Through TFTP Fails
    Best Answer

    Posted 08-27-2014 03:55

    I had a similar issue doing transfers on a vpn based network.


    You may need to set the source interface for tftp for the network transfers to work over vpn. I believe the default interface is the lowest number interface as the source for the tftp transfer. You need to make sure your source interface can go into the vpn for the transfer.


    This is set on the command line only. Select the interface that is a valid source entering your vpn.


    set tftp source-interface bgroup0
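    A way to spot this misconfiguration from a saved ScreenOS config before starting a transfer, as an added example that is not from the thread or from Juniper: it parses "set interface", "set route" and "set tftp source-interface" lines, does a longest-prefix lookup for the TFTP server, and flags the case where the route enters a tunnel interface but no TFTP source interface is set. The config excerpt is constructed, and treating the tunnel's unnumbered interface as the suggested source is an assumption modelled on the bgroup0 fix above.

```python
import ipaddress
import re

# Constructed ScreenOS config excerpt (not from the thread), modelled on the
# setup described above: route-based VPN over an unnumbered tunnel interface.
SAMPLE_CONFIG = """\
set interface bgroup0 ip 192.168.10.1/24
set interface ethernet0/0 ip 203.0.113.2/30
set interface tunnel.1 ip unnumbered interface bgroup0
set route 10.20.0.0/16 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
"""

def parse_config(text):
    """Collect interface addresses, unnumbered tunnels, static routes and the
    TFTP source interface from 'set ...' lines (default virtual router only)."""
    cfg = {"addr": {}, "unnumbered": {}, "routes": [], "tftp_src": None}
    for line in text.splitlines():
        if m := re.match(r"set interface (\S+) ip (\S+/\d+)$", line):
            cfg["addr"][m[1]] = ipaddress.ip_interface(m[2])
        elif m := re.match(r"set interface (\S+) ip unnumbered interface (\S+)", line):
            cfg["unnumbered"][m[1]] = m[2]
        elif m := re.match(r"set route (\S+) interface (\S+)", line):
            cfg["routes"].append((ipaddress.ip_network(m[1]), m[2]))
        elif m := re.match(r"set tftp source-interface (\S+)", line):
            cfg["tftp_src"] = m[1]
    return cfg

def egress_interface(cfg, dst):
    """Longest-prefix match of dst over the parsed static routes."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in cfg["routes"] if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def check_tftp_path(config_text, server_ip):
    """Return (ok, message). Flags the failure mode from the thread: the route
    to the TFTP server enters a tunnel but no TFTP source interface is set."""
    cfg = parse_config(config_text)
    out_if = egress_interface(cfg, server_ip)
    if out_if is None:
        return False, f"no route to {server_ip}"
    if not out_if.startswith("tunnel."):
        return True, f"{server_ip} reached via {out_if}, not a VPN tunnel"
    if cfg["tftp_src"] is None:
        # Assumption: the interface the tunnel borrows its address from is the
        # natural candidate, matching the bgroup0 fix given in the thread.
        hint = cfg["unnumbered"].get(out_if, "<interface whose traffic enters the VPN>")
        return False, f"route via {out_if} but no 'set tftp source-interface'; try {hint}"
    return True, f"route via {out_if}, tftp source-interface {cfg['tftp_src']}"
```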



  • 9.  RE: ScreenOS Upgrade Through TFTP Fails

    Posted 10-15-2014 09:12

    That was exactly it! Thank you so much!!!