DHCP options and PXE boot

L2 Linker


Hi,

 

We have just recently made a change in which we moved clients from one segment to a new one. We are using WDS for PXE boot, and the WDS server (MDT 2013) is on a different segment than the clients. The Palo is our DHCP server for clients, and we have defined some options in our DHCP scope (option 66 pointing to the WDS server and option 67 pointing to the boot file).

 

This setup is not working; the PXE boot process stops, telling me it cannot find the TFTP server (PXE-032). Any suggestions are much appreciated.

 

Regards,

Tony Lewis

L6 Presenter

Get the PCAP from the Palo or the client side (if possible) to see what the Palo is delivering in the DHCPOFFER.
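
One way to run the check suggested above, as an added example that is not part of the original posts: a Python parser for the UDP payload of a DHCPOFFER taken from such a capture, reporting options 66/67 alongside the `siaddr` and `file` header fields. The function names are hypothetical, and the sample packet (client address, MAC, transaction ID) is constructed; only the server address and boot file path come from the thread.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def _text(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_offer(payload: bytes) -> dict:
    """Return the boot-related fields of a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"msg_type": None, "opt66": None, "opt67": None,
            "siaddr": ".".join(map(str, payload[20:24])),  # next-server header field
            "file": _text(payload[108:236])}               # boot file header field
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 = End option
        code = payload[i]
        if code == 0:                                      # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} is truncated")
        value = payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and value:
            info["msg_type"] = value[0]                    # 2 = DHCPOFFER
        elif code in (66, 67):
            info[f"opt{code}"] = _text(value)
        i += 2 + len(value)
    return info

def findings(info: dict) -> list:
    """List what is absent; the header fields are checked too because a
    client may read siaddr/file instead of options 66/67."""
    out = []
    if not info["opt66"]:
        out.append("option 66 (TFTP server name) missing")
    if not info["opt67"]:
        out.append("option 67 (bootfile name) missing")
    if info["siaddr"] == "0.0.0.0":
        out.append("siaddr (next-server) is 0.0.0.0")
    if not info["file"]:
        out.append("file header field is empty")
    return out

def sample_offer() -> bytes:
    """Constructed DHCPOFFER for illustration (not a capture from this thread)."""
    opt = lambda code, val: bytes([code, len(val)]) + val
    hdr = struct.pack("!4BIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                      bytes(4), bytes([10, 18, 0, 50]), bytes(4), bytes(4),
                      bytes.fromhex("001122334455"), b"", b"")
    return (hdr + MAGIC + opt(53, b"\x02") + opt(66, b"10.18.16.46")
            + opt(67, b"boot\\x86\\wdsnbp.com") + b"\xff")
```

The parser does not follow option 52 (option overload), so an offer that carries options inside the `sname`/`file` fields needs separate handling.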

L4 Transporter

Hi Tlea

 

I have an identical situation to yours.

 

My config looks like:

2017-06-12_153715.png

 

On the "new one" segment DHCP server you have to set options 66 and 67; both options must point to your WDS server.

 

Where is your DHCP: on the PA or on Windows servers?

 

Regards

Slawek

L2 Linker

The DHCP is handled on the Palo Alto. Both the 66 and 67 options are set and pointing to the WDS server. Here's my config:

 

DHCP Palo.GIF

 

 

 

 

 

L4 Transporter

Hi

 

In my opinion something is wrong with your path \Boot\x64\wdsmgfw.efi

Maybe you can try with my path? Of course, only if your WDS server has the boot\x86\wdsnbp.com file; you can check it.

Are you sure that you have security policies that allow traffic from 10.18.0.1/24 to 10.18.16.46?

 

Regards

Slawek

L2 Linker

Hi Slawek, and thanks for your response. I will change the boot file name to the one you are using. When it comes to security policies I'm not sure and will have to check this closer. I guess some policy regarding TFTP will be needed?

 

I will check this first thing tomorrow morning.

 

Regards,

Tony

L2 Linker

Hi Slawek, the change to boot\x86\wdsnbp.com did not help. Here's the output from the client:

 

TFTP open timeout.jpg

 

I'm guessing we have some problems with TFTP and I'm just thinking we might have to create a Policy-Based Forwarding rule for TFTP (port 69) between the client net and the server net? If you have any suggestions I'd be really happy!

 

Regards,

Tony

L6 Presenter

Hi,

 

When your client receives the TFTP server information from the Palo DHCP server, what can you see in the traffic logs on the Palo? Is your TFTP server in the same subnet as the client or not (looks like it is not)? Are they in the same zone (same-zone traffic is allowed by default)?

L2 Linker

Hi TranceforLife, and thanks for your input. I cannot see any traffic using the monitor, and the TFTP server is in the server subnet, i.e. not in the same subnet as the PXE client.

 

Regards,

Tony

L6 Presenter

Are the client subnet and the server subnet in the same zone? If yes, can you please override the default intra-zone policy or make sure you have logging enabled on your current policy so you can see client attempts:

 

df.PNG
