TFTP Transfer Failing — Timeout or Refused Connection
Presenting Symptom
TFTP transfer to or from a Cisco router fails with 'Timeout' or 'Connection refused' error messages.
Network Context
A small branch office with a Cisco 4321 router running IOS XE 16.9. The router is configured to back up its startup config to a TFTP server at 192.168.1.100. The TFTP server is a Windows machine running a standard TFTP server application. The router and server are on the same VLAN (VLAN 10) with no firewalls in between.
Diagnostic Steps
Verify TFTP server reachability
ping 192.168.1.100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
If ping fails, there is a Layer 3 connectivity issue. If ping succeeds, the problem is likely at the application layer (TFTP service or firewall).
Check TFTP server service status
show tftp statistics
TFTP statistics: Packets sent: 0 Packets received: 0 Timeouts: 0 Errors: 0
If all counters are zero, the router hasn't attempted any TFTP sessions. If timeouts are incrementing, the router is sending requests but not receiving responses.
Verify TFTP server configuration on router
show running-config | include tftp
tftp-server flash:config.text
! or no output if not configured
If the router is acting as a TFTP server, ensure the file exists. For client operations, this command shows nothing. The issue is likely on the server side.
Check for ACLs blocking TFTP
show access-lists
Extended IP access list 100
10 permit udp any any eq tftp (10 matches)
20 deny ip any any (5 matches)
Look for deny statements that match TFTP traffic (UDP port 69). If TFTP traffic is denied, the ACL is blocking the transfer.
Enable debug for TFTP
debug tftp events
TFTP: Send request to 192.168.1.100:69
TFTP: Received error from 192.168.1.100:69 - 'File not found'
If you see 'Connection refused', the TFTP server is not running or is blocking the client IP. If you see 'File not found', the file path is incorrect.
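The outcomes described above (timeout, refusal, 'File not found') can also be told apart from a test host by sending a single TFTP read request and classifying the reply. This is an added example, not part of the original page; the function names are hypothetical and the sample packets are constructed.

```python
import socket
import struct

# Opcodes and error codes from RFC 1350.
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user"}

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def classify_reply(packet):
    """Turn a raw TFTP reply into a one-line diagnosis."""
    if len(packet) < 4:
        return "malformed reply (shorter than a TFTP header)"
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return f"service up, file readable (block {value}, {len(packet) - 4} bytes)"
    if opcode == OP_ERROR:
        text = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return f"service up, error {value} ({ERROR_CODES.get(value, 'unknown')}): {text}"
    return f"unexpected opcode {opcode}"

def probe(server, filename, timeout=3.0, port=69):
    """Send one RRQ from this host and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # Unconnected socket: the server answers from a new ephemeral port
        # (its transfer ID), not from port 69.
        sock.sendto(build_rrq(filename), (server, port))
        try:
            packet, peer = sock.recvfrom(2048)
        except socket.timeout:
            return "timeout: service down, client not on the allow list, or UDP filtered"
        except ConnectionError:
            # Some platforms report ICMP port unreachable this way.
            return "refused: nothing is listening on the TFTP port"
    return f"{classify_reply(packet)} [from {peer[0]}:{peer[1]}]"

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    print(classify_reply(b"\x00\x05\x00\x01File not found\x00"))
    print(classify_reply(b"\x00\x03\x00\x01" + b"!" * 512))
```

A server allow list is evaluated per client IP, so a successful `probe("192.168.1.100", "running-config")` from a workstation shows the service is up but does not show that the router's address is permitted.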
Root Cause
The TFTP server application is not running or is configured to only allow specific IP addresses. The router's IP (192.168.1.1) is not in the server's allowed list, causing the server to send a 'Connection refused' or simply drop the request, leading to a timeout.
Resolution
Verification
On the router, run:
copy running-config tftp://192.168.1.100/running-config
Expected output:
Address or name of remote host [192.168.1.100]?
Destination filename [running-config]?
!!
[OK - 1234 bytes]
1234 bytes copied in 0.123 secs
Prevention
1. Use a dedicated TFTP server with static IP and ensure it is always running.
2. Configure ACLs on the router to permit TFTP traffic only to the TFTP server.
3. Use a more reliable protocol like FTP or SCP for critical file transfers.
CCNA Exam Relevance
On the CCNA 200-301 exam, TFTP troubleshooting appears in multiple-choice questions and simulation labs. The exam tests understanding of TFTP's use of UDP port 69, common failure causes (connectivity, server not running, file permissions), and the difference between TFTP and FTP/SCP. Candidates must know how to verify connectivity and interpret debug output.
Exam Tips
Remember that TFTP uses UDP port 69; no authentication or directory listing is supported.
If a TFTP transfer fails with timeout, always check Layer 3 connectivity first with ping.
The debug tftp events command is useful but can be CPU-intensive; use it only when necessary.
Commands Used in This Scenario