NFS Mount Timing Out — Layer 3 Reachability and ACL Issue
Presenting Symptom
NFS mount requests from a client to an NFS server are timing out, preventing file system access.
Network Context
The network is a small branch office with a single router (Cisco 4321, IOS XE 16.9) connecting two VLANs: VLAN 10 (client subnet 192.168.10.0/24) and VLAN 20 (server subnet 192.168.20.0/24). The router performs inter-VLAN routing. An extended ACL is applied inbound on the client-facing interface (GigabitEthernet0/0/0) to restrict traffic, but NFS traffic is supposed to be permitted.
Diagnostic Steps
Check NFS connectivity from client to server
ping 192.168.20.10
!!!!!
If ping succeeds, Layer 3 reachability exists. If ping fails, there is a routing or ACL issue.
Verify ACL applied on the client-facing interface
show ip interface GigabitEthernet0/0/0 | include access list
Outgoing access list is not set
Inbound access list is BLOCK_NFS
This confirms that an ACL named BLOCK_NFS is applied inbound on the client-facing interface. If this ACL blocks NFS, it is the root cause.
Inspect the ACL rules
show access-list BLOCK_NFS
Extended IP access list BLOCK_NFS
    10 deny tcp any any eq 2049
    20 deny udp any any eq 2049
    30 permit ip any any
The ACL denies NFS traffic (TCP and UDP port 2049) before permitting all other IP traffic, which explains the timeout.
Confirm NFS port usage
show ip access-lists | include 2049
    10 deny tcp any any eq 2049 (12 matches)
    20 deny udp any any eq 2049 (8 matches)
The non-zero match counters show that NFS packets are actually hitting the deny entries, which confirms the root cause.
Root Cause
An extended ACL named BLOCK_NFS is applied inbound on the client-facing interface (GigabitEthernet0/0/0) with deny statements for TCP and UDP port 2049 (NFS) before a permit any statement. This blocks all NFS traffic from the client to the server, causing mount requests to time out.
Resolution
Verification
Run 'show access-list BLOCK_NFS' to confirm the ACL now permits NFS. Then, from the client, attempt the NFS mount again. Use 'show ip access-lists BLOCK_NFS' to verify that the match counters for the permit entries increment. Expected output:
Extended IP access list BLOCK_NFS
    10 permit tcp any any eq 2049 (5 matches)
    20 permit udp any any eq 2049 (3 matches)
    30 deny ip any any
The mount should succeed without timing out.
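As an added illustration (not part of the original scenario or any Cisco tool), the following Python model applies the top-down, first-match rule to both the original BLOCK_NFS entries and the corrected ones from the expected output, and replays constructed sample packets to reproduce the style of the "(n matches)" counters. The client host address 192.168.10.25 is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AclEntry:                  # one Cisco extended ACL entry
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any" or a CIDR prefix
    dst: str
    dport: Optional[int] = None  # "eq" destination port; None: any port

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first-match evaluation; returns (action, seq). seq is None when
    the implicit deny at the end of every IOS ACL is what applies."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_ok(e.src, src) and _addr_ok(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None

def match_counts(acl, packets):
    """Replay packets and count hits per entry, like the '(n matches)' counters."""
    counts = {e.seq: 0 for e in acl}
    for proto, src, dst, dport in packets:
        _, seq = evaluate(acl, proto, src, dst, dport)
        if seq is not None:
            counts[seq] += 1
    return counts

# The ACL found on Gi0/0/0 in the scenario: NFS denied before the permit.
BLOCK_NFS_ORIGINAL = [AclEntry(10, "deny", "tcp", "any", "any", 2049),
                      AclEntry(20, "deny", "udp", "any", "any", 2049),
                      AclEntry(30, "permit", "ip", "any", "any")]
# The ACL as shown in the expected verification output.
BLOCK_NFS_FIXED = [AclEntry(10, "permit", "tcp", "any", "any", 2049),
                   AclEntry(20, "permit", "udp", "any", "any", 2049),
                   AclEntry(30, "deny", "ip", "any", "any")]
# Constructed traffic from an assumed client 192.168.10.25 to the NFS server.
def _pkt(proto, dport=None): return (proto, "192.168.10.25", "192.168.20.10", dport)
SAMPLE_PACKETS = [_pkt("tcp", 2049), _pkt("tcp", 2049), _pkt("udp", 2049), _pkt("icmp")]
```

Replaying the same packets against both lists shows the counters land on the same sequence numbers but with opposite actions; note that because the corrected ACL ends in deny ip any any, the ICMP ping from the first diagnostic step is now denied as well.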
Prevention
1. Use a structured ACL design with explicit permit statements for required services before a deny-all at the end.
2. Regularly review ACL configurations to ensure they align with security policies.
3. Implement logging on ACL deny entries to detect unintended blocks.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests troubleshooting of ACLs and Layer 3 connectivity. Questions may present a similar symptom and ask you to identify the root cause from show command output, or to drag and drop the correct ACL modification. Key fact: NFS uses TCP/UDP port 2049, and ACLs are processed top-down, so a deny entry placed before a matching permit blocks the traffic.
Exam Tips
Remember that ACLs are processed sequentially; the first match applies.
NFS uses port 2049; know that both TCP and UDP may need to be permitted.
Use 'show ip interface' to quickly see which ACL is applied and in which direction.
Commands Used in This Scenario
ping [ip]
The ping command sends ICMP echo requests to a destination IP address to test network connectivity and measure round-trip time.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.