DHCP options and PXE boot

L2 Linker

Here's the screenshot:

 

Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xdc9634fa
    Seconds elapsed: 12
        [Expert Info (Note/Protocol): Seconds elapsed appears to be encoded as little-endian]
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (61) Client identifier
        Length: 7
        Hardware type: Ethernet (0x01)
        Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Option: (12) Host Name
        Length: 14
        Host Name: AIM-5CG7083HWB
    Option: (60) Vendor class identifier
        Length: 8
        Vendor class identifier: MSFT 5.0
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (31) Perform Router Discover
        Parameter Request List Item: (33) Static Route
        Parameter Request List Item: (43) Vendor-Specific Information
        Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
        Parameter Request List Item: (46) NetBIOS over TCP/IP Node Type
        Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (249) Private/Classless Static Route (Microsoft)
        Parameter Request List Item: (252) Private/Proxy autodiscovery
    Option: (255) End
        Option End: 255
    Padding: 000000000000

---------------------------------

Bootstrap Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: 10.18.16.46
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
        Length: 1
        DHCP: Offer (2)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (66) TFTP Server Name
        Length: 11
        TFTP Server Name: 10.18.16.46
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (46) NetBIOS over TCP/IP Node Type
        Length: 1
        NetBIOS over TCP/IP Node Type: P-node (2)
    Option: (255) End
        Option End: 255
    Padding: 00

-----------------------------------------------------

Bootstrap Protocol (ACK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: 10.18.16.46
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (ACK)
        Length: 1
        DHCP: ACK (5)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (66) TFTP Server Name
        Length: 11
        TFTP Server Name: 10.18.16.46
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (255) End
        Option End: 255
    Padding: 00

--------------------------------------

 

Thanks!

 

Tony

 

L6 Presenter

Did you try with any other hosts connected to the same switch port to see if your connected client gets an IP address from your DHCP server? Do you have your Palo internal interface configured as DHCP server or any other (outside the subinterface)? Do you have a topology of your current setup?

L2 Linker

Using other clients connected to the same switch port gives the clients a correct IP address from the DHCP. The Palo has one interface configured as DHCP with options 66 and 67 set. The topology, looking at the interfaces and VLANs, looks like this:

 

Interface WDS/PXE server

Ethernet1/8.116 (VLAN 116)

This is our server interface, no DHCP setup.

-------------------------------------

Interface DHCP

Ethernet1/7.100 (VLAN 100)

This is the client interface, both for PXE and regular DHCP leases.

 

Thanks for your efforts, much appreciated.

Tony

 

 

L6 Presenter

Hi,

 

So we know now that DHCP works fine. Did you try to download a file from the TFTP server while doing a DHCP test (I have never configured a PXE server, but I guess it is just a usual TFTP server)? So the next step is to confirm TFTP communication between a working DHCP client and the server.

L2 Linker

Yes, the TFTP from a working client is working:

 

tftp -i vr-deploy.invmgt.wan get boot\x86\wdsnbp.com
Transfer successful: 30832 bytes in 1 second(s), 30832 bytes/s

 

This would suggest the problem is purely PXE-related. Just to make sure, I will set up a new test WDS/PXE server and see what happens.

Tony

L6 Presenter

@tlea wonder how is it going?

L0 Member

I see that this has never been answered and I was dealing with this same problem yesterday. I stumbled across this site (https://www.itninja.com/question/pxe-boot-setup-on-palo-alto-pa-3020) that led me to the ultimate solution. The commenter's solution probably worked in a specific situation, but I'm going to post a config that should work in all situations. The problem is that PAN-OS has a bug where it is not correctly conveying DHCP option 66 (next-server) and so the PXE client is contacting the default gateway instead of the server specified in option 66.

 

This is not a fix, but a workaround until Palo can provide a fix.  The gist of this workaround is to create a NAT policy that causes the firewall to act as a proxy for the TFTP connection.  You will want to ensure that you translate both source and destination or you end up only NAT'ing half the connection.  In my case, my PXE client did not appreciate sending the request to one IP and getting a response from a different IP, despite TFTP being UDP.

 

https://postimg.cc/gallery/Hn8myH1

 

DHCP-Server-Config-on-PAN-OS

NAT-Policy

NAT-Policy-General

NAT-Policy-Original-Packet

NAT-Policy-Translated-Packet
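
An added example (not written by any poster in this thread, and not Palo Alto code): a small Python parser that pulls the boot-server fields out of a raw DHCP reply payload, so the siaddr header field (shown as "Next server IP address: 0.0.0.0" in the Offer captured above) can be compared with options 66 and 67. The sample packet is constructed from the values in that capture, and the function names are hypothetical.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options (RFC 2131)

def _text(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_boot_fields(pkt: bytes) -> dict:
    """Return the boot-server fields of a raw BOOTP/DHCP payload (UDP data)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = {"siaddr": socket.inet_ntoa(pkt[20:24]),   # "Next server IP address"
         "sname": _text(pkt[44:108]),              # "Server host name"
         "file": _text(pkt[108:236]),              # "Boot file name"
         "server_id": None, "opt66": None, "opt67": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = End
        if pkt[i] == 0:                            # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, value = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 54 and len(value) == 4:         # DHCP Server Identifier
            f["server_id"] = socket.inet_ntoa(value)
        elif code in (66, 67):                     # TFTP server name, bootfile name
            f["opt%d" % code] = _text(value)
        i += 2 + len(value)
    return f

def boot_server_findings(f: dict) -> list:
    """List inconsistencies between the header fields and options 66/67."""
    out = []
    if f["opt66"] and f["siaddr"] == "0.0.0.0":
        out.append("option 66 is set but siaddr is 0.0.0.0")
    if f["opt67"] and f["file"] and f["opt67"] != f["file"]:
        out.append("option 67 and the file field name different boot files")
    return out

def build_sample_offer() -> bytes:
    """Constructed sample using the values from the Offer in the thread."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x2EA2C556, 10, 0x8000)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton("10.18.0.6")  # ciaddr, yiaddr
    hdr += bytes(8)                                                     # siaddr, giaddr
    hdr += bytes.fromhex("842b2ba2c556").ljust(16, b"\x00")             # chaddr
    hdr += b"10.18.16.46".ljust(64, b"\x00") + b"boot\\x86\\wdsnbp.com".ljust(128, b"\x00")
    opts = b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton("10.18.0.1")
    opts += bytes([66, 11]) + b"10.18.16.46" + bytes([67, 19]) + b"boot\\x86\\wdsnbp.com"
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```

Feeding it the UDP payload of a reply captured on the client VLAN gives a quick check of which boot-server fields the DHCP server actually filled in.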
