Is it possible to connect to the Fog server remotely?

Sebastian Roth

@pjb1983 said in Is it possible to connect to the Fog server remotely?:

I use the built-in DHCP service from the Meraki security appliane.

Does it provide a router/gateway IP as well for the clients to connect to your FOG server across the VPN?

PJB1983

@sebastian-roth thx for your reply.
The Meraki security appliance provide ip addresses and a gateway for that perticular site (school).

PJB1983

@george1421 thx for the reply.
I’ll run wireshark asap and send the link to the pcap file.

PJB1983

@george1421

I think the UDP request had a bad length?
What can i do about it?

reading from file -, link-type EN10MB (Ethernet)
13:02:42.546737 ARP, Request who-has 192.168.5.121 tell 192.168.5.1, length 28
13:02:42.547604 ARP, Reply 192.168.5.121 is-at 00:15:5d:00:fc:09, length 46
13:02:47.831592 IP 95.0.0.85.59214 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:02:47.831592 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:02:57.548243 ARP, Request who-has 192.168.5.121 tell 192.168.5.1, length 28
13:03:04.618441 ARP, Request who-has 192.168.5.1 tell 192.168.5.121, length 46
13:03:04.618441 ARP, Reply 192.168.5.1 is-at e0:55:3d:8f:6e:50, length 28
13:03:04.625881 IP 192.168.5.121.2070 > 95.0.0.85.69: 30 RRQ “undionly.kpxe” octet tsize 0
13:03:04.650645 IP 95.0.0.85.48771 > 192.168.5.121.2070: UDP, length 14
13:03:04.651880 IP 192.168.5.121.2070 > 95.0.0.85.48771: UDP, length 17
13:03:04.667062 IP 192.168.5.121.2071 > 95.0.0.85.69: 35 RRQ “undionly.kpxe” octet blksize 1456
13:03:04.692814 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, length 15
13:03:04.693826 IP 192.168.5.121.2071 > 95.0.0.85.52966: UDP, length 4
13:03:04.718623 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:03:04.718623 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:03:05.719924 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:03:05.719924 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:03:07.721833 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:03:07.721833 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:03:11.726666 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:03:11.726666 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:03:12.550408 ARP, Request who-has 192.168.5.121 tell 192.168.5.1, length 28
13:03:12.551594 ARP, Reply 192.168.5.121 is-at 00:15:5d:00:fc:09, length 46
13:03:19.731344 IP 95.0.0.85.52966 > 192.168.5.121.2071: UDP, bad length 1460 > 1400
13:03:19.731344 IP 95.0.0.85 > 192.168.5.121: ip-proto-17
13:03:27.552009 ARP, Request who-has 192.168.5.121 tell 192.168.5.1, length 28
13:03:27.553072 ARP, Reply 192.168.5.121 is-at 00:15:5d:00:fc:09, length 46

george1421

@pjb1983 What is your MTU on your VPN link? Would it happen to be 1400?

Sebastian Roth

@pjb1983 said in Is it possible to connect to the Fog server remotely?:

UDP, bad length 1460 > 1400

To me this looks like a window size/MTU issue on first sight. You can test the window size/MTU in the VPN tunning using ping ICMP packets like this - using your FOG server IP instead of x.x.x.x:

• Linux:

ping -s 1300 -c 8 -M do x.x.x.x
ping -s 1500 -c 8 -M do x.x.x.x

• Windows:

ping -l 1300 -n 8 -f x.x.x.x
ping -l 1500 -n 8 -f x.x.x.x

My guess is the 1300 byte pings will go through but not the 1500 byte ones. You can play with those numbers to see which MTU works.

Though this doesn’t solve your issue as you cannot tell iPXE to use a smaller MTU. You need to talk to you network engineers to set framenting and MTU correctly to packets won’t get truncated.

PJB1983

@sebastian-roth hi thx for your reply.
the support on this forum is incredible.

I’ve done a ping with 1300 packet size -> No problem
1500 packet size -> Packet need to be fragmented but DF set.

I’ll search on my Meraki security appliance to increase the packet size.
Does this have some consequences for my network performance?

PJB1983

@george1421 thx for your reply.
the support on this forum is incredible.

I’ve done a ping with 1300 packet size -> No problem
1500 packet size -> Packet need to be fragmented but DF set.

I’ll search on my Meraki security appliance to increase the packet size.
Does this have some consequences for my network performance?

george1421

@pjb1983 Try the same test with a packet size of 1461

If we find that the MTU is 1400 we can set the tftp block size just a bit smaller so the packets don’t fragment.

What host OS is your FOG server using?

PJB1983

This post is deleted!

PJB1983

@george1421 the max MTU size is 1404.
I’ve installed the FOG server on a Linux Ubuntu.

Sebastian Roth

@george1421 said in Is it possible to connect to the Fog server remotely?:

If we find that the MTU is 1400 we can set the tftp block size just a bit smaller so the packets don’t fragment.

That would get you past the TFTP part but it would fail downloading the kernel and init over HTTP then I suppose.

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Sebastian Roth

@PJB1983 This might be a quick win: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html#enc-error

PJB1983

@sebastian-roth thx for your reply, but i doesn’t have a CLI on the Meraki Firewall. I have to contact support i guess.

george1421

@sebastian-roth I think our only option is to handle this on the tftp server size. I think the issue is packet fragmentation over UDP. I think we can set a maximum block size for the tftp server. What we need to do is set it at -64b from the MTU. I did find an example of it here: https://askubuntu.com/questions/644031/tftpd-hpa-how-can-i-set-blksize-option but I don’t know if ubuntu uses xinetd or something else.

@pjb1983 What version number of ubuntu? 20.04?

PJB1983

@george1421

Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04

george1421

@pjb1983 So following the link I provided did you try to reduce the maximum packet size to something below 1400 (the mtu)? Something like 1385 would be a start.

PJB1983

@george1421 i’ve changed the block size and rebooted the device.
But that did not solve the problem.
If i ask meraki support to increase the MTU for the site-to-site VPN, will that solve it?

PJB1983

@george1421 the answer from Meraki Support:

The two sites are using MTU 1432 size due to protocol overhead. This is the recommended value. The best option here is to adjust the MTU of the PXE. Increasing the MTU would result in an MTU greater than 1500 which may lead to fragmentation. Also, Meraki does not support Jumbo size MTU. Should you require further assistance, please do not hesitate to reach out to us asap.

george1421

@pjb1983 I could have almost predicted that. Changing the VPN MTU is not really an option.

So you updated the max size from the tftp server. Lets see what the tftp server is telling the target computer.

Lets use this tutorial but for the port capture just use port 69

https://forums.fogproject.org/topic/9673/when-dhcp-pxe-booting-process-goes-bad-and-you-have-no-clue

With the reduced max block size the tftp server should report the size you set in the configuration. You can review the pcap with wireshark.