Tftp 'connection refused' from external hosts / phones

Pertinent Info:
Asterisk 1.8.15
On a public IP, phones are not on local network, accessing via public
correct tftp directory is specified in xinetd.d/tftp

Trying to implement tftp for endpoint manager, cannot get config files remotely.

Log for failed xfer (both from a phone attempt and me from other linux box):
Dec 20 01:24:54 pbx01 in.tftpd[1867]: RRQ from x.x.x.x filename spa942.cfg
Dec 20 01:24:54 pbx01 in.tftpd[1867]: tftpd: read(ack): Connection refused

Log attempt when ‘tftp {public IP}’ from pbx itself:
Dec 20 01:42:19 pbx01 xinetd[1849]: START: tftp pid=1939 from=x.x.x.x
Dec 20 01:42:19 pbx01 in.tftpd[1940]: RRQ from x.x.x.x filename spa942.cfg

Log ‘tftp localhost’:
Dec 20 01:46:19 pbx01 in.tftpd[1965]: RRQ from filename spa942.cfg

tftp config:
service tftp
{
    socket_type = dgram
    protocol = udp
    wait = yes
    user = root
    server = /usr/sbin/in.tftpd
    server_args = -vvv -s /tftpboot
    disable = no
    per_source = 11
    cps = 100 2
    flags = IPv4
}

What I know / tried already:
xinetd is managing tftp, and it is running.
/tftpboot exists, has good perms, and expected files exist
I can tftp>get file via localhost and public IP from pbx, but not from outside server or phone
I’ve tried disabling both iptables and fail2ban, same results.
I’ve added an iptables entry for port 69
I’ve verified with nmap that port 69 is listening
I’ve verified with netstat that port 69 is listening on (all interfaces)
SPA942 phone shows: Profile:tftp://{url}:69/spa942.cfg Status: Failed
perms on /tftpboot: drwxr-xr-x 3 asterisk asterisk 4096 Dec 19 23:56 tftpboot
I’ve tried chmod 777 on /tftpboot, same result
I’ve tried using IP and fqdn for remote attempt, same result.

I’m kind of stuck. Anyone got a suggestion?

Are the actual files under /tftpboot world readable?

Also check the content of /etc/hosts.deny and /etc/hosts.allow in case the access is being blocked by tcp_wrapper.

Thanks for the response.

Yes, all configs had good perms, the spa942.cfg I was attempting to get is 775:
-rwxrwxr-x 1 asterisk asterisk 65318 Dec 20 00:01 spa942.cfg

tcp_wrapper is not in use, hosts.deny and hosts.allow are both blank. It is a straight-up Schmooze Com ISO installation.

tcpdump might help here as you make sure your firewall is correctly NAT’ing udp:69

Well, one more piece of info… once I got my hands on the Poly phones, they are grabbing ROMs and configs. The Polys are also on a public network segment that is in the whitelist. It seems that the FreePBX IDS is catching this and stopping tftp.

I know it sounds strange, but I had the same issue and upgraded the firmware on the SPA942 and SPA962 to 6.1.5a from version 5.x and that fixed the issue.
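
Added example, not part of any post in this thread: a small Python correlator for in.tftpd syslog lines in the format quoted above. It pairs each RRQ with a later "read(ack): Connection refused" from the same daemon PID and counts refused transfers per client, which shows at a glance which remote addresses fail. The sample log is constructed (documentation-range addresses) and the function names are illustrative.

```python
import re

# Constructed sample in the thread's syslog format; addresses are placeholders.
SAMPLE_LOG = """\
Dec 20 01:24:54 pbx01 in.tftpd[1867]: RRQ from 203.0.113.10 filename spa942.cfg
Dec 20 01:24:54 pbx01 in.tftpd[1867]: tftpd: read(ack): Connection refused
Dec 20 01:42:19 pbx01 xinetd[1849]: START: tftp pid=1939 from=198.51.100.7
Dec 20 01:42:19 pbx01 in.tftpd[1940]: RRQ from 198.51.100.7 filename spa942.cfg
Dec 20 01:46:19 pbx01 in.tftpd[1965]: RRQ from filename spa942.cfg
Dec 20 01:50:02 pbx01 in.tftpd[1991]: RRQ from 203.0.113.10 filename spa942.cfg
Dec 20 01:50:02 pbx01 in.tftpd[1991]: tftpd: read(ack): Connection refused
"""

LINE = re.compile(r"in\.tftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The client address is optional: the localhost line in the thread has none.
RRQ = re.compile(r"RRQ from (?:(?P<client>\S+) )?filename (?P<file>\S+)")
# On Linux, "Connection refused" on a UDP socket means an ICMP port-unreachable
# error was returned for a datagram this process sent.
REFUSED = "read(ack): Connection refused"

def correlate(log_text):
    """Return one record per RRQ, marking whether the same in.tftpd
    process later logged 'read(ack): Connection refused'."""
    records, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # xinetd START lines and unrelated syslog entries
        pid, msg = int(m.group("pid")), m.group("msg")
        rrq = RRQ.search(msg)
        if rrq:
            rec = {"pid": pid, "client": rrq.group("client") or "(none logged)",
                   "file": rrq.group("file"), "refused": False}
            records.append(rec)
            open_by_pid[pid] = rec  # a reused PID points at the newest request
        elif REFUSED in msg and pid in open_by_pid:
            open_by_pid[pid]["refused"] = True
    return records

def refused_clients(records):
    """Count refused transfers per client address."""
    counts = {}
    for r in records:
        if r["refused"]:
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        state = "REFUSED" if r["refused"] else "no error logged"
        print(f'{r["client"]:>15} {r["file"]:<12} pid={r["pid"]} {state}')
```

Run it against the real log with correlate(open("/var/log/messages").read()); that path is an assumption and depends on the syslog configuration.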