DHCP options and PXE boot

Hi,

 

We have just recently made a change where we moved clients from one segment to a new one. We are using WDS for PXE boot and the WDS server (MDT 2013) is on a different segment than the clients. The Palo is our DHCP server for clients and we have defined some options in our DHCP scope (option 66 pointing to the WDS server and option 67 pointing to the bootfile).

 

This setup is not working: the PXE boot process stops, telling me it cannot find the TFTP server (PXE-032). Any suggestions are much appreciated.

 

Regards,

Tony Lewis

40 REPLIES

Hi, as far as I can tell there is no traffic coming from the client source address to the TFTP/WDS server. However, when running a Wireshark capture I can see TFTP traffic towards the default gateway (10.18.0.1) and not the TFTP/WDS server (10.18.16.46). Here's a screenshot:

 

TFTP GW.GIF 

What is delivered by the Palo DHCP server in the DHCPOFFER reply? Can you please capture the full DORA process?

This is what I can see in the capture:

 

DHCP Discover:

Frame 44: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xfd683119
    Seconds elapsed: 28
        [Expert Info (Note/Protocol): Seconds elapsed appears to be encoded as little-endian]
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (61) Client identifier
        Length: 7
        Hardware type: Ethernet (0x01)
        Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Option: (12) Host Name
        Length: 14
        Host Name: AIM-5CG7083HWB
    Option: (60) Vendor class identifier
        Length: 8
        Vendor class identifier: MSFT 5.0
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (31) Perform Router Discover
        Parameter Request List Item: (33) Static Route
        Parameter Request List Item: (43) Vendor-Specific Information
        Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
        Parameter Request List Item: (46) NetBIOS over TCP/IP Node Type
        Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (249) Private/Classless Static Route (Microsoft)
        Parameter Request List Item: (252) Private/Proxy autodiscovery
    Option: (255) End
        Option End: 255
    Padding: 000000000000

------------------------

DHCP Offer:

Frame 28: 375 bytes on wire (3000 bits), 375 bytes captured (3000 bits) on interface 0
Ethernet II, Src: PaloAlto_00:01:16 (00:1b:17:00:01:16), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 10.18.0.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Bootstrap Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: vr-deploy.invmgt.wan
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
        Length: 1
        DHCP: Offer (2)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (46) NetBIOS over TCP/IP Node Type
        Length: 1
        NetBIOS over TCP/IP Node Type: P-node (2)
    Option: (66) TFTP Server Name
        Length: 20
        TFTP Server Name: vr-deploy.invmgt.wan
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (255) End
        Option End: 255
    Padding: 00

-----------------------------

DHCP Request:

Frame 4: 590 bytes on wire (4720 bits), 590 bytes captured (4720 bits) on interface 0
Ethernet II, Src: Dell_a2:c5:56 (84:2b:2b:a2:c5:56), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Bootstrap Protocol (Request)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Request)
        Length: 1
        DHCP: Request (3)
    Option: (50) Requested IP Address
        Length: 4
        Requested IP Address: 10.18.0.6
    Option: (55) Parameter Request List
        Length: 36
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (2) Time Offset
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (4) Time Server
        Parameter Request List Item: (5) Name Server
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (11) Resource Location Server
        Parameter Request List Item: (12) Host Name
        Parameter Request List Item: (13) Boot File Size
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (16) Swap Server
        Parameter Request List Item: (17) Root Path
        Parameter Request List Item: (18) Extensions Path
        Parameter Request List Item: (22) Maximum Datagram Reassembly Size
        Parameter Request List Item: (23) Default IP Time-to-Live
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (40) Network Information Service Domain
        Parameter Request List Item: (41) Network Information Service Servers
        Parameter Request List Item: (42) Network Time Protocol Servers
        Parameter Request List Item: (43) Vendor-Specific Information
        Parameter Request List Item: (50) Requested IP Address
        Parameter Request List Item: (51) IP Address Lease Time
        Parameter Request List Item: (54) DHCP Server Identifier
        Parameter Request List Item: (58) Renewal Time Value
        Parameter Request List Item: (59) Rebinding Time Value
        Parameter Request List Item: (60) Vendor class identifier
        Parameter Request List Item: (66) TFTP Server Name
        Parameter Request List Item: (67) Bootfile name
        Parameter Request List Item: (128) DOCSIS full security server IP [TODO]
        Parameter Request List Item: (129) PXE - undefined (vendor specific)
        Parameter Request List Item: (130) PXE - undefined (vendor specific)
        Parameter Request List Item: (131) PXE - undefined (vendor specific)
        Parameter Request List Item: (132) PXE - undefined (vendor specific)
        Parameter Request List Item: (133) PXE - undefined (vendor specific)
        Parameter Request List Item: (134) PXE - undefined (vendor specific)
        Parameter Request List Item: (135) PXE - undefined (vendor specific)
    Option: (57) Maximum DHCP Message Size
        Length: 2
        Maximum DHCP Message Size: 1260
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (97) UUID/GUID-based Client Identifier
        Length: 17
        Client Identifier (UUID): 4c4c4544-004b-5310-8050-b5c04f32354a
    Option: (93) Client System Architecture
        Length: 2
        Client System Architecture: IA x86 PC (0)
    Option: (94) Client Network Device Interface
        Length: 3
        Major Version: 2
        Minor Version: 1
    Option: (60) Vendor class identifier
        Length: 32
        Vendor class identifier: PXEClient:Arch:00000:UNDI:002001
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000000000000000...


--------------------------

DHCP ACK:

Frame 52: 372 bytes on wire (2976 bits), 372 bytes captured (2976 bits) on interface 0
Ethernet II, Src: PaloAlto_00:01:16 (00:1b:17:00:01:16), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 10.18.0.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Bootstrap Protocol (ACK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: vr-deploy.invmgt.wan
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (ACK)
        Length: 1
        DHCP: ACK (5)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (66) TFTP Server Name
        Length: 20
        TFTP Server Name: vr-deploy.invmgt.wan
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (255) End
        Option End: 255
    Padding: 00

--------------

 

Regards,

Tony
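The capture above shows where a PXE client looks for its boot server: the fixed BOOTP header fields (Next server IP address, Server host name, Boot file name) and options 66/67 in the Offer and ACK. The following parser is an added example, not code from this thread or from Palo Alto Networks; it builds a DHCP reply from constructed bytes mirroring the posted Offer (siaddr 0.0.0.0, option 66 carrying the hostname vr-deploy.invmgt.wan, option 67 carrying the bootfile) and reports how the client would have to reach TFTP. The function and field names are my own. The one security-relevant caveat it surfaces: with siaddr left at 0.0.0.0 and option 66 set to a hostname rather than an address, the PXE ROM depends on the DNS server handed out in option 6 to find the TFTP server at all.

```python
"""Report the PXE boot-server fields carried in a DHCP reply.
Added example for this thread; not Palo Alto Networks code. The sample
packet is constructed to mirror the DHCPOFFER posted above."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that starts the options area


def build_dhcp_reply(yiaddr, siaddr, sname, bootfile, options):
    """Build a minimal BOOTP/DHCP reply (op=2) for testing.
    options is a list of (code, raw bytes) in the order they should appear."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                              # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x2EA2C556, 10, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\0" * 4,                               # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,    # yiaddr: the offered address
        ipaddress.IPv4Address(siaddr).packed,    # siaddr: "Next server IP address"
        b"\0" * 4,                               # giaddr (no relay)
        bytes.fromhex("842b2ba2c556"),           # chaddr, zero-padded to 16 by struct
        sname.encode(),                          # sname field, zero-padded to 64
        bootfile.encode(),                       # file field, zero-padded to 128
    )
    body = MAGIC_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + body + b"\xff"               # option 255 = End


def parse_dhcp_options(packet):
    """Return {code: bytes} for the variable options area.
    Pad (0) and End (255) carry no length byte and are handled separately."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def _cstring(raw):
    """Decode a NUL-terminated (or unterminated) ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def pxe_boot_target(packet):
    """Pull out the fields a PXE ROM uses to locate its boot server and file:
    siaddr, sname and file from the fixed header, plus options 66 and 67."""
    options = parse_dhcp_options(packet)
    tftp_name = _cstring(options.get(66, b""))
    try:
        ipaddress.IPv4Address(tftp_name)
        tftp_name_is_ip = True
    except ValueError:                            # empty string or a hostname
        tftp_name_is_ip = False
    return {
        "next_server": str(ipaddress.IPv4Address(packet[20:24])),
        "sname": _cstring(packet[44:108]),
        "file": _cstring(packet[108:236]),
        "tftp_server_name": tftp_name,
        "tftp_server_name_is_ip": tftp_name_is_ip,
        "bootfile_name": _cstring(options.get(67, b"")),
    }


def pxe_findings(target):
    """Plain-language notes on how the client will have to find the TFTP server."""
    notes = []
    if target["next_server"] == "0.0.0.0":
        notes.append("siaddr is 0.0.0.0: no TFTP server IP in the BOOTP header")
        if not target["tftp_server_name"]:
            notes.append("option 66 absent too: this reply names no TFTP server")
        elif not target["tftp_server_name_is_ip"]:
            notes.append("option 66 is a hostname: the PXE ROM must resolve it "
                         "through the DNS server given in option 6")
    if not (target["file"] or target["bootfile_name"]):
        notes.append("no boot file in the header or in option 67")
    return notes


# Constructed sample mirroring the DHCPOFFER values posted in the thread.
SAMPLE_OFFER = build_dhcp_reply(
    yiaddr="10.18.0.6", siaddr="0.0.0.0",
    sname="vr-deploy.invmgt.wan", bootfile=r"boot\x86\wdsnbp.com",
    options=[
        (53, b"\x02"),                                    # DHCP Offer
        (54, ipaddress.IPv4Address("10.18.0.1").packed),  # server identifier
        (6, ipaddress.IPv4Address("10.18.0.1").packed),   # DNS = the Palo interface
        (66, b"vr-deploy.invmgt.wan"),
        (67, rb"boot\x86\wdsnbp.com"),
    ],
)

if __name__ == "__main__":
    target = pxe_boot_target(SAMPLE_OFFER)
    for key, value in target.items():
        print(f"{key:24} {value}")
    for note in pxe_findings(target):
        print("NOTE:", note)
```

Running it against the constructed Offer prints two notes: siaddr is unset, and option 66 is a name that the PXE ROM must resolve via option 6. Building the same reply with siaddr set to the WDS address and option 66 as a dotted-quad produces no notes, which is the configuration to compare against when a client reports PXE-032 and never sends TFTP towards the WDS server.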

 

 

 

@tlea,

It looks like the request is properly handing out options 66 and 67, so I would start looking at your security policies and make sure that the traffic is actually being allowed. Alternatively, you should also attempt to put a device in the same zone as your WDS server so that the firewall is essentially taken out of the equation, and verify that it works with your current settings. As long as it works in the same zone, then you know it's more than likely something to do with your security policies, because the DHCP info looks perfectly fine.

Who holds this DNS name:

 

  Option: (66) TFTP Server Name
        Length: 20
        TFTP Server Name: vr-deploy.invmgt.wan

 

??

Thanks for the input BPry! I will give it a go.

 

Regards,

Tony

Hi,

 

the Default Gateway is also the DNS server;

 

DHCP_DNS.GIF

If your DNS server IP address is a Palo interface then it won't work, as the Palo cannot be used as a DNS server. Test with the IP address of the TFTP server instead.

Will do!

Okay, this is getting a bit confusing now. I've changed from the FQDN to the IP address of the TFTP/WDS server, same result as before. I will go through all policies and zones to make sure I haven't messed things up.

Hey,

 

Yes, it is a bit confusing. Are you able to test this set-up with the PC/laptop connected to this subinterface? You can initiate TFTP by connecting to the TFTP server with the tftp32 or similar software from the laptop GUI. This, at least, will prove policy and Layer 3 correct operation.

Hmm, okay, I've now been able to get a file from the TFTP/WDS server by putting my client on the PXE client subnet:

C:\temp>tftp -i vr-deploy.invmgt.wan get Boot\x64\wdsmgfw.efi
Transfer successful: 1007968 bytes in 2 second(s), 503984 bytes/s

 

This would mean that the communication between the different subnets is working with regard to TFTP. It took some time, though, for the connection to be established; the PXE-032 error I get when the PXE session is started might imply there's a timing issue?

 

Sigh....

I would attempt to port mirror the traffic off your switch and wireshark it to see what is actually happening; if it's taking a long time to actually make a connection you could easily be hitting the default timeout of 300 if that is still present in your configuration.

Hi,

 

after running a Wireshark capture I can tell the DORA process isn't working: I do get a Discover, Offer and an ACK but no Request. Could it be that I need to set up an IP helper on the actual VLAN present at my Cisco switches?

IP helper should be placed only at your Layer 3 boundary, when you are actually leaving your subnet. So you are talking to the DHCP server (Palo interface); it is just weird why the client is not requesting an IP address after the offer. Post the DORA pcap screenshot, please.
