FreePBX Distro: TFTP in remote offices via IPsec

So, for years we used TFTP to provision Cisco 79X0 phones over IPSec tunnels to remote offices. All voice traffic also traverses the tunnel. At some point, due to the move to FreePBX distro from another distro or to a change in firewalls, we lost the ability to use TFTP outside of our regular LAN.

Now, if I tell the remote phones to use our external IP and forward the port, it works fine, but when using the internal IP address it does not. The kernel log shows the requests coming in from the phone, but the phone does not successfully receive the file.

Any thoughts as to why this would be?


I think you need to look at your firewalls and see if you are allowing the traffic through, if DHCP on the remote side is pointing to the IP on the other end of the WAN… I don’t believe you have a PBX issue.

All of the TFTP traffic bypasses the firewall via IPSec, along with all of the VoIP traffic. The remote DHCP servers are set to point to the PBX, but it only succeeds when pointed to the external IP. Perhaps the best next step would be to point at a different TFTP server, perhaps a Windows-based one. If the problem persists, that’ll be a data point.

For anyone searching the archives, this was eventually tracked down to an issue caused by a connection-tracking plugin on the router.

More details here: