DHCP options and PXE boot


DHCP options and PXE boot

L2 Linker

Hi,

 

we have just recently made a change in where we moved clients from one segment to a new one. We are using WDS for PXE boot and the WDS server (MDT 2013) is on a different segment than the clients. The Palo is our DHCP server for clients and we have defined some options in our DHCP scope (option 66 pointing to the WDS server and option 67 pointing to the bootfile).

 

This setup is not working, the PXE boot process stops telling me it cannot find the TFTP server (PXE-032). Any suggestions are much appreciated.

 

Regards,

Tony Lewis

40 REPLIES

Here's the screenshot;

 

Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xdc9634fa
    Seconds elapsed: 12
        [Expert Info (Note/Protocol): Seconds elapsed appears to be encoded as little-endian]
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (61) Client identifier
        Length: 7
        Hardware type: Ethernet (0x01)
        Client MAC address: BizlinkK_48:6c:46 (9c:eb:e8:48:6c:46)
    Option: (12) Host Name
        Length: 14
        Host Name: AIM-5CG7083HWB
    Option: (60) Vendor class identifier
        Length: 8
        Vendor class identifier: MSFT 5.0
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (31) Perform Router Discover
        Parameter Request List Item: (33) Static Route
        Parameter Request List Item: (43) Vendor-Specific Information
        Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
        Parameter Request List Item: (46) NetBIOS over TCP/IP Node Type
        Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (249) Private/Classless Static Route (Microsoft)
        Parameter Request List Item: (252) Private/Proxy autodiscovery
    Option: (255) End
        Option End: 255
    Padding: 000000000000

---------------------------------

Bootstrap Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: 10.18.16.46
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
        Length: 1
        DHCP: Offer (2)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (66) TFTP Server Name
        Length: 11
        TFTP Server Name: 10.18.16.46
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (46) NetBIOS over TCP/IP Node Type
        Length: 1
        NetBIOS over TCP/IP Node Type: P-node (2)
    Option: (255) End
        Option End: 255
    Padding: 00

-----------------------------------------------------

Bootstrap Protocol (ACK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2ea2c556
    Seconds elapsed: 10
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.18.0.6
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_a2:c5:56 (84:2b:2b:a2:c5:56)
    Client hardware address padding: 00000000000000000000
    Server host name: 10.18.16.46
    Boot file name: boot\x86\wdsnbp.com
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (ACK)
        Length: 1
        DHCP: ACK (5)
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (691200s) 8 days
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.18.0.1
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.252.0
    Option: (3) Router
        Length: 4
        Router: 10.18.0.1
    Option: (15) Domain Name
        Length: 10
        Domain Name: invmgt.wan
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 10.18.0.1
    Option: (66) TFTP Server Name
        Length: 11
        TFTP Server Name: 10.18.16.46
    Option: (67) Bootfile name
        Length: 19
        Bootfile name: boot\x86\wdsnbp.com
    Option: (255) End
        Option End: 255
    Padding: 00

--------------------------------------

 

Thanks!

 

Tony

 

Did you try with any other hosts connected to the same switch port to see if your connected client gets an IP address from your DHCP server? Do you have your Palo internal interface configured as DHCP server or any other (outside the subinterface)? Do you have a topology of your current setup?

Using other clients connected to the same switch port gives the clients a correct IP address from the DHCP. The Palo has one interface configured as DHCP with options 66 and 67 set. The topology looking at the interfaces and VLANs looks like this;

 

Interface WDS/PXE server

Ethernet1/8.116 (VLAN 116)

This is our server interface, no DHCP setup.

-------------------------------------

Interface DHCP

Ethernet1/7.100 (VLAN 100)

This is the client interface, both for PXE and regular DHCP leases.

 

Thanks for your efforts, much appreciated.

Tony

 

 

Hi,

 

So we know now that DHCP works fine. Did you try to download a file from the TFTP server while doing a DHCP test (I have never configured a PXE server but I guess it is just a usual TFTP server)? So the next step is to confirm TFTP communication between a working DHCP client and the server.

Yes, the tftp from a working client is working;

 

tftp -i vr-deploy.invmgt.wan get boot\x86\wdsnbp.com
Transfer successful: 30832 bytes in 1 second(s), 30832 bytes/s

 

This would suggest the problem is pure PXE related, just to make sure I will setup a new test WDS/PXE server and see what happens.

Tony

@tlea wonder how is it going?

L0 Member

I see that this has never been answered and I was dealing with this same problem yesterday.  I stumbled across this site (https://www.itninja.com/question/pxe-boot-setup-on-palo-alto-pa-3020) that led me to the ultimate solution.  The commenter's solution probably worked in a specific situation, but I'm going to post a config that should work in all situations.  The problem is that PAN-OS has a bug where it is not correctly conveying DHCP option 66 (next-server) and so the PXE client is contacting the default gateway instead of the server specified in option 66.

 

This is not a fix, but a workaround until Palo can provide a fix.  The gist of this workaround is to create a NAT policy that causes the firewall to act as a proxy for the TFTP connection.  You will want to ensure that you translate both source and destination or you end up only NAT'ing half the connection.  In my case, my PXE client did not appreciate sending the request to one IP and getting a response from a different IP, despite TFTP being UDP.

 

https://postimg.cc/gallery/Hn8myH1

 

DHCP-Server-Config-on-PAN-OS

NAT-Policy

NAT-Policy-General

NAT-Policy-Original-Packet

NAT-Policy-Translated-Packet

L2 Linker

Hello,

No workarounds needed.

Use Option 67 ASCII for bootfile name.

Use Option 150 IP for WDS server.

Just tested it. Option 66 does not work since DHCP offering does not include "Next server IP address", thus PXE agent tries opening TFTP session to the gateway, instead of server...

L1 Bithead

Option 150 does not seem to use the bootfile name (option 67), so you are stuck on LEGACY boot, not UEFI, it seems.

 

The above, while promising, does not seem to work for us. We can never see the NAT rule redirect get triggered, so assume it is not being used.  And while the option 150 does work, it sticks you in legacy mode, as I can't see any way to provide the UEFI file name.

 

The interesting thing is that in the WDS logs (operational and debug), it seems to see the client communicating with WDS and sending a PXE response. So maybe something else is going on here for us. I was trying to dual home WDS with two network cards on two different networks as well. So maybe the above would work if people are trying to do something simpler.

Hi,

It does use Option 67, you just need to provide EFI file: boot\x64\wdsmgfw.efi

You don't need NAT rule.

And WDS can redirect to another SMB server to download a file, it all depends on configuration. So check the Traffic logs.

Also, try adding Option 60 with ASCII value PXEClient. Some machines will simply refuse to boot without it.
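As an added example (not code from this thread or from Palo Alto Networks), the Python below builds a DHCP OFFER carrying the same PXE-relevant values as the Wireshark decode posted earlier in the thread (siaddr 0.0.0.0, sname/option 66 10.18.16.46, bootfile boot\x86\wdsnbp.com, DHCP server identifier 10.18.0.1), parses it, and reports which address a PXE firmware that ignores option 66 would open its TFTP session to. A second constructed offer uses the option 150 / option 67 EFI bootfile / option 60 PXEClient combination from the replies above and passes the same checks. The byte values, the function names, and the "siaddr first, then option 150, otherwise the DHCP server identifier" resolution order are assumptions modelled on what the thread reports, not a statement of any vendor's implementation.

```python
"""Audit a DHCP OFFER for the PXE next-server problem discussed in the thread.
Constructed example: packets are built in-process, nothing is sent."""
import socket
import struct

OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_VENDOR_CLASS = 60
OPT_TFTP_SERVER_NAME = 66   # ASCII server name/address, as set on the PAN-OS scope
OPT_BOOTFILE = 67
OPT_TFTP_SERVER_IPS = 150   # list of IPv4 addresses; the workaround option from the thread
OPT_END = 255
MAGIC = b"\x63\x82\x53\x63"


def build_offer(yiaddr, siaddr, sname, bootfile, options):
    """Minimal BOOTP/DHCP OFFER; `options` is a list of (code, bytes)."""
    # op=2 (reply), htype=1, hlen=6, hops=0, xid, secs, flags (broadcast)
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x2EA2C556, 10, 0x8000)
    pkt += socket.inet_aton("0.0.0.0")                 # ciaddr
    pkt += socket.inet_aton(yiaddr)                    # yiaddr
    pkt += socket.inet_aton(siaddr)                    # siaddr = "Next server IP address"
    pkt += socket.inet_aton("0.0.0.0")                 # giaddr
    pkt += bytes.fromhex("842b2ba2c556") + bytes(10)   # chaddr, 16 bytes
    pkt += sname.encode().ljust(64, b"\0")             # sname field
    pkt += bootfile.encode().ljust(128, b"\0")         # file field
    pkt += MAGIC
    for code, val in options:
        pkt += bytes([code, len(val)]) + val
    return pkt + bytes([OPT_END])


def parse_offer(pkt):
    """Return siaddr, sname, file and a {code: bytes} option map."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:          # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "siaddr": socket.inet_ntoa(pkt[20:24]),
        "sname": pkt[44:108].split(b"\0", 1)[0].decode(),
        "file": pkt[108:236].split(b"\0", 1)[0].decode(),
        "options": opts,
    }


def audit_offer(parsed):
    """Resolve the TFTP target the way a firmware that ignores option 66 would
    (assumed order: siaddr, then option 150, then DHCP server identifier) and
    flag the mismatches the thread describes."""
    opts = parsed["options"]
    server_id = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    opt66 = opts.get(OPT_TFTP_SERVER_NAME, b"").decode() or None
    bootfile = opts.get(OPT_BOOTFILE, b"").decode() or parsed["file"] or None
    raw150 = opts.get(OPT_TFTP_SERVER_IPS, b"")
    opt150 = [socket.inet_ntoa(raw150[i:i + 4]) for i in range(0, len(raw150), 4)]
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode()

    if parsed["siaddr"] != "0.0.0.0":
        target = parsed["siaddr"]
    elif opt150:
        target = opt150[0]
    else:
        target = server_id      # in the capture this is also the default gateway

    findings = []
    if opt66 and target != opt66:
        findings.append(f"option 66 names {opt66} but siaddr is unset: client will try {target}")
    if "PXEClient" not in vendor:
        findings.append("option 60 'PXEClient' not present in offer")
    if bootfile is None:
        findings.append("no bootfile in option 67 or the file field")
    elif bootfile.lower().endswith(".com"):
        findings.append(f"bootfile {bootfile} is a legacy BIOS NBP, not a UEFI image")
    return {"tftp_target": target, "bootfile": bootfile, "findings": findings}


def capture_from_thread():
    """Constructed OFFER with the PXE-relevant values of the posted decode."""
    return build_offer("10.18.0.6", "0.0.0.0", "10.18.16.46", r"boot\x86\wdsnbp.com", [
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_SERVER_ID, socket.inet_aton("10.18.0.1")),
        (3, socket.inet_aton("10.18.0.1")),
        (OPT_TFTP_SERVER_NAME, b"10.18.16.46"),
        (OPT_BOOTFILE, b"boot\\x86\\wdsnbp.com"),
    ])


def corrected_offer():
    """Constructed OFFER using the option 150 / EFI option 67 / option 60 advice."""
    return build_offer("10.18.0.6", "0.0.0.0", "10.18.16.46", r"boot\x64\wdsmgfw.efi", [
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_SERVER_ID, socket.inet_aton("10.18.0.1")),
        (OPT_VENDOR_CLASS, b"PXEClient"),
        (OPT_TFTP_SERVER_IPS, socket.inet_aton("10.18.16.46")),
        (OPT_BOOTFILE, b"boot\\x64\\wdsmgfw.efi"),
    ])


if __name__ == "__main__":
    for label, pkt in (("as captured", capture_from_thread()), ("with 150/60/EFI", corrected_offer())):
        print(label, audit_offer(parse_offer(pkt)))
```

Running the block prints the audit for both offers: the first resolves to 10.18.0.1, which is why the client reports PXE-032 against the gateway rather than the WDS host, while the second resolves to 10.18.16.46 with no findings. To check a real offer, read the UDP payload out of a pcap and pass it to `parse_offer` instead of the constructed frames.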

Do you have any other solution for this as we are also facing the same issue?
