06-12-2017 03:37 AM
Hi,
We have just recently made a change where we moved clients from one segment to a new one. We are using WDS for PXE boot, and the WDS server (MDT 2013) is on a different segment than the clients. The Palo is our DHCP server for clients, and we have defined some options in our DHCP scope (option 66 pointing to the WDS server and option 67 pointing to the bootfile).
This setup is not working; the PXE boot process stops, telling me it cannot find the TFTP server (PXE-032). Any suggestions are much appreciated.
Regards,
Tony Lewis
06-13-2017 05:00 AM
Hi, as far as I can tell there is no traffic coming from the client source address to the TFTP/WDS server. However, when running a Wireshark capture I can see TFTP traffic towards the default gateway (10.18.0.1) and not the TFTP/WDS server (10.18.16.46). Here's a screenshot:
06-13-2017 06:25 AM
06-13-2017 06:58 AM
This is what I can see in the capture:
DHCP Discover:
Frame 44: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Bootstrap Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0xfd683119
Seconds elapsed: 28
[Expert Info (Note/Protocol): Seconds elapsed appears to be encoded as little-endian]
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Length: 1
DHCP: Discover (1)
Option: (61) Client identifier
Length: 7
Hardware type: Ethernet (0x01)
Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
Option: (12) Host Name
Length: 14
Host Name: AIM-5CG7083HWB
Option: (60) Vendor class identifier
Length: 8
Vendor class identifier: MSFT 5.0
Option: (55) Parameter Request List
Length: 13
Parameter Request List Item: (1) Subnet Mask
Parameter Request List Item: (3) Router
Parameter Request List Item: (6) Domain Name Server
Parameter Request List Item: (15) Domain Name
Parameter Request List Item: (31) Perform Router Discover
Parameter Request List Item: (33) Static Route
Parameter Request List Item: (43) Vendor-Specific Information
Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
Parameter Request List Item: (46) NetBIOS over TCP/IP Node Type
Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
Parameter Request List Item: (121) Classless Static Route
Parameter Request List Item: (249) Private/Classless Static Route (Microsoft)
Parameter Request List Item: (252) Private/Proxy autodiscovery
Option: (255) End
Option End: 255
Padding: 000000000000
------------------------
DHCP Offer:
Frame 28: 375 bytes on wire (3000 bits), 375 bytes captured (3000 bits) on interface 0
Ethernet II, Src: PaloAlto_00:01:16 (00:1b:17:00:01:16), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 10.18.0.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Bootstrap Protocol (Offer)
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x2ea2c556
Seconds elapsed: 10
Bootp flags: 0x8000, Broadcast flag (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0
Your (client) IP address: 10.18.0.6
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
Client hardware address padding: 00000000000000000000
Server host name: vr-deploy.invmgt.wan
Boot file name: boot\x86\wdsnbp.com
Magic cookie: DHCP
Option: (53) DHCP Message Type (Offer)
Length: 1
DHCP: Offer (2)
Option: (51) IP Address Lease Time
Length: 4
IP Address Lease Time: (691200s) 8 days
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.18.0.1
Option: (1) Subnet Mask
Length: 4
Subnet Mask: 255.255.252.0
Option: (3) Router
Length: 4
Router: 10.18.0.1
Option: (15) Domain Name
Length: 10
Domain Name: invmgt.wan
Option: (6) Domain Name Server
Length: 4
Domain Name Server: 10.18.0.1
Option: (46) NetBIOS over TCP/IP Node Type
Length: 1
NetBIOS over TCP/IP Node Type: P-node (2)
Option: (66) TFTP Server Name
Length: 20
TFTP Server Name: vr-deploy.invmgt.wan
Option: (67) Bootfile name
Length: 19
Bootfile name: boot\x86\wdsnbp.com
Option: (255) End
Option End: 255
Padding: 00
-----------------------------
DHCP Request:
Frame 4: 590 bytes on wire (4720 bits), 590 bytes captured (4720 bits) on interface 0
Ethernet II, Src: Dell_a2:c5:56 (84:2b:2b:a2:c5:56), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Bootstrap Protocol (Request)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x2ea2c556
Seconds elapsed: 10
Bootp flags: 0x8000, Broadcast flag (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Request)
Length: 1
DHCP: Request (3)
Option: (50) Requested IP Address
Length: 4
Requested IP Address: 10.18.0.6
Option: (55) Parameter Request List
Length: 36
Parameter Request List Item: (1) Subnet Mask
Parameter Request List Item: (2) Time Offset
Parameter Request List Item: (3) Router
Parameter Request List Item: (4) Time Server
Parameter Request List Item: (5) Name Server
Parameter Request List Item: (6) Domain Name Server
Parameter Request List Item: (11) Resource Location Server
Parameter Request List Item: (12) Host Name
Parameter Request List Item: (13) Boot File Size
Parameter Request List Item: (15) Domain Name
Parameter Request List Item: (16) Swap Server
Parameter Request List Item: (17) Root Path
Parameter Request List Item: (18) Extensions Path
Parameter Request List Item: (22) Maximum Datagram Reassembly Size
Parameter Request List Item: (23) Default IP Time-to-Live
Parameter Request List Item: (28) Broadcast Address
Parameter Request List Item: (40) Network Information Service Domain
Parameter Request List Item: (41) Network Information Service Servers
Parameter Request List Item: (42) Network Time Protocol Servers
Parameter Request List Item: (43) Vendor-Specific Information
Parameter Request List Item: (50) Requested IP Address
Parameter Request List Item: (51) IP Address Lease Time
Parameter Request List Item: (54) DHCP Server Identifier
Parameter Request List Item: (58) Renewal Time Value
Parameter Request List Item: (59) Rebinding Time Value
Parameter Request List Item: (60) Vendor class identifier
Parameter Request List Item: (66) TFTP Server Name
Parameter Request List Item: (67) Bootfile name
Parameter Request List Item: (128) DOCSIS full security server IP [TODO]
Parameter Request List Item: (129) PXE - undefined (vendor specific)
Parameter Request List Item: (130) PXE - undefined (vendor specific)
Parameter Request List Item: (131) PXE - undefined (vendor specific)
Parameter Request List Item: (132) PXE - undefined (vendor specific)
Parameter Request List Item: (133) PXE - undefined (vendor specific)
Parameter Request List Item: (134) PXE - undefined (vendor specific)
Parameter Request List Item: (135) PXE - undefined (vendor specific)
Option: (57) Maximum DHCP Message Size
Length: 2
Maximum DHCP Message Size: 1260
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.18.0.1
Option: (97) UUID/GUID-based Client Identifier
Length: 17
Client Identifier (UUID): 4c4c4544-004b-5310-8050-b5c04f32354a
Option: (93) Client System Architecture
Length: 2
Client System Architecture: IA x86 PC (0)
Option: (94) Client Network Device Interface
Length: 3
Major Version: 2
Minor Version: 1
Option: (60) Vendor class identifier
Length: 32
Vendor class identifier: PXEClient:Arch:00000:UNDI:002001
Option: (255) End
Option End: 255
Padding: 000000000000000000000000000000000000000000000000...
--------------------------
DHCP ACK:
Frame 52: 372 bytes on wire (2976 bits), 372 bytes captured (2976 bits) on interface 0
Ethernet II, Src: PaloAlto_00:01:16 (00:1b:17:00:01:16), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 10.18.0.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Bootstrap Protocol (ACK)
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x2ea2c556
Seconds elapsed: 10
Bootp flags: 0x8000, Broadcast flag (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0
Your (client) IP address: 10.18.0.6
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
Client hardware address padding: 00000000000000000000
Server host name: vr-deploy.invmgt.wan
Boot file name: boot\x86\wdsnbp.com
Magic cookie: DHCP
Option: (53) DHCP Message Type (ACK)
Length: 1
DHCP: ACK (5)
Option: (51) IP Address Lease Time
Length: 4
IP Address Lease Time: (691200s) 8 days
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.18.0.1
Option: (1) Subnet Mask
Length: 4
Subnet Mask: 255.255.252.0
Option: (3) Router
Length: 4
Router: 10.18.0.1
Option: (15) Domain Name
Length: 10
Domain Name: invmgt.wan
Option: (6) Domain Name Server
Length: 4
Domain Name Server: 10.18.0.1
Option: (66) TFTP Server Name
Length: 20
TFTP Server Name: vr-deploy.invmgt.wan
Option: (67) Bootfile name
Length: 19
Bootfile name: boot\x86\wdsnbp.com
Option: (255) End
Option End: 255
Padding: 00
--------------
Regards,
Tony
06-13-2017 07:37 AM
It looks like the request is properly handing out options 66 and 67, so I would start looking at your security policies more and make sure that the traffic is actually getting allowed. Alternatively, you should also attempt to put a device in the same zone as your WDS server so that the firewall essentially gets taken out of the equation, and verify that it works with your current settings. As long as it works in the same zone, then you know it's more than likely something to do with your security policies, because the DHCP info looks perfectly fine.
06-13-2017 12:55 PM
Who holds this DNS name:
Option: (66) TFTP Server Name
Length: 20
TFTP Server Name: vr-deploy.invmgt.wan
??
06-14-2017 12:50 AM
Thanks for the input BPry! I will give it a go.
Regards,
Tony
06-14-2017 12:52 AM
Hi,
the default gateway is also the DNS server:
06-14-2017 01:10 AM - edited 06-14-2017 01:11 AM
If your DNS server IP address is a Palo interface then it won't work, as the Palo cannot be used as a DNS server. Test with the IP address of the TFTP server instead.
06-14-2017 04:59 AM
Okay, this is getting a bit confusing now. I've changed from the FQDN to the IP address of the TFTP/WDS server, same result as before. I will go through all policies and zones to make sure I haven't messed things up.
06-14-2017 06:57 AM - edited 06-14-2017 08:27 AM
Hey,
Yes, it is a bit confusing. Are you able to test this set-up with the PC/laptop connected to this subinterface? You can initiate TFTP by connecting to the TFTP server with the tftp32 or similar software from the laptop GUI. This, at least, will prove policy and Layer 3 correct operation.
06-15-2017 07:39 AM
Hmm, okay, I've now been able to get a file from the TFTP/WDS server by putting my client on the PXE client subnet:
C:\temp>tftp -i vr-deploy.invmgt.wan get Boot\x64\wdsmgfw.efi
Transfer successful: 1007968 bytes in 2 second(s), 503984 bytes/s
This would mean that the communication between the different subnets is working in regard to TFTP. It took some time, though, for the connection to be established; the PXE-032 error I get when the PXE session is started might imply there's a timing issue?
Sigh....
06-15-2017 09:46 AM
I would attempt to port mirror the traffic off your switch and Wireshark it to see what is actually happening; if it's taking a long time to actually make a connection, you could easily be hitting the default timeout of 300 if that is still present in your configuration.
06-19-2017 05:40 AM
Hi,
after running a Wireshark capture I can tell the DORA process isn't working: I do get a Discover, Offer and an ACK but no Request. Could it be that I need to set up an IP helper on the actual VLAN present at my Cisco switches?
06-19-2017 05:45 AM - edited 06-19-2017 05:52 AM
An IP helper should be placed only at your Layer 3 boundary, when you are actually leaving your subnet. So you are talking to the DHCP server (Palo interface); it's just weird why the client is not requesting an IP address after the offer. Post the DORA pcap screenshot, please.
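An added example in Python (not from this thread or from Palo Alto Networks) that checks the two things discussed above: it parses options 66/67 out of DHCP replies as the PXE ROM sees them, flagging an option 66 value that is a hostname rather than an IP and so depends on the option 6 DNS server actually answering, and it groups messages by transaction ID to report which DORA step a transaction is missing. The packets are constructed inline with the values from the capture; the function names are my own.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie
NAMES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}

def build_dhcp(msg_type, xid, options):
    """Constructed minimal BOOTP/DHCP payload (test data, not a real capture)."""
    op = 1 if msg_type in (1, 3) else 2            # BOOTREQUEST / BOOTREPLY
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"", b"", b"", b"", b"", b"", b"")   # 236-byte header, zero-filled
    body = bytes([53, 1, msg_type])                # option 53: message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC + body + b"\xff"          # option 255: end

def parse_options(payload):
    """Return {option_code: raw_value} from a DHCP payload; stops at option 255."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                        # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_boot_options(opts):
    """Findings about options 66/67 as the PXE ROM would see them."""
    findings = []
    if 66 not in opts:
        findings.append("option 66 missing")
    else:
        server = opts[66].decode(errors="replace")
        try:
            ipaddress.IPv4Address(server)
        except ValueError:                         # hostname: firmware must resolve it via option 6 DNS
            findings.append(f"option 66 is a hostname ({server}), needs working DNS from option 6")
    if 67 not in opts:
        findings.append("option 67 missing")
    return findings

def missing_dora_steps(payloads):
    """Group messages by transaction ID and list the D/O/R/A steps each one lacks."""
    seen = {}
    for p in payloads:
        xid = struct.unpack("!I", p[4:8])[0]
        mtype = parse_options(p).get(53, b"\0")[0]
        seen.setdefault(xid, set()).add(NAMES.get(mtype, str(mtype)))
    return {xid: [s for s in NAMES.values() if s not in got] for xid, got in seen.items()}
```

Run it over the messages of one transaction (Discover, Offer, ACK) and the report lists "Request" as the missing step, which is the symptom described in the capture.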