This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PXE boot not working through FW

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PXE boot not working through FW

AlexanderMahmuzic
L0 Member

‎05-06-2021 02:51 AM - edited ‎05-06-2021 02:55 AM

Hi all,

I have a FW with PanOS 9.1.7 that is causing PXE boot issues with TFTP protocol.

When traffic is not routed through the firewall it all works and I have seen several threads about this problem but no solution.

 

DHCP server: Windows Server 2012 R2 172.18.76.23

WDS server: 172.18.76.20

 

DHCP option 66: 172.18.76.20

DHCP option 67: \boot\x64\wdsnbp.com

 

Interface VLAN 10

ip address 172.28.76.1 255.255.255.0
ip helper-address 172.18.76.23
ip helper-address 172.18.76.20

 

When traffic is not routed through the firewall it works, but when its routed through the firewall I can see packets being accepted and packets sent but no packets received

 

Does anyone have a solution for this?

Uploaded a picture of the TFTP problem

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎05-08-2021 10:14 PM

@AlexanderMahmuzic,

I'm not seeing any image that you may have attached, but it appears that you did attempt to attach one. Have you verified that the firewall isn't dropping any traffic between these clients and your 172.18.76.20 host? 

I current have this setup at quite a few sites and we have to have 4011/udp open to our SCCM host with the app-id set to unknown-udp or you need to create a custom app-id or an application-override entry. That's really the only "weird" thing to get this working however. 

0 Likes Likes

AlexanderMahmuzic
L0 Member

‎05-12-2021 04:03 AM

After further investigation with wireshark on the Windows Deployment Server it seems like the TTL of TFTP is being lowered on the second read bootfile request.

So the traffic doesn't even reach the WDS anymore...

TTL is lowered with 48 less than the first packet and the "distance" is too far away so the udp traffic is dropped on a router a few hops before.

Not an issue with palo

0 Likes Likes
  • 3709 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks