PXE UEFI boot problems

george1421 · Mar 13, 2018, 12:18 PM

@eazis Ok, when you use industry specific key words like ‘quarantine’, I wanted to make sure there wasn’t something more going on here than expected.

So for your business network, you want to do point to point (unicast) imaging only? If you want to do multicast imaging your router between the two subnets must support multicast routing.

OK to your initial question. The issue you have is your dhcp server on your business network doesn’t support dynamic boot files. If you want to pxe boot both uefi and bios (legacy mode) computers, your dhcp server needs to be smart enough to send the appropriate boot file based on the pxe booting client computer. In the case of the fog server, it uses isc-dhcp server which has a specific configuration to dynamically switch between the two boot files.

So if your dhcp server doesn’t support this you can use a ProxyDhcp server (like dnsmasq) to only supply the pxe booting information. This is not a dhcp server replacement (it can be, but not in this instance), but a dhcp add on function called ProxyDHCP. Where the dnsmasq server listens for a discover request from a pxe booting client and sends out a ProxyDHCP offer in addition to your primary dhcp server sending out a dhcp offer.

Dnsmasq (or any other ProxyDHCP service) can run on the fog server, or on a windows or linux box on your business network.

Eazis · Mar 13, 2018, 6:33 AM

@george1421 said in PXE UEFI boot problems:

@eazis Ok, when you use industry specific key words like ‘quarantine’, I wanted to make sure there wasn’t something more going on here than expected.

So for your business network, you want to do point to point (unicast) imaging only? If you want to do multicast imaging your router between the two subnets must support multicast routing.

OK to your initial question. The issue you have is your dhcp server on your business network doesn’t support dynamic boot files. If you want to pxe boot both uefi and bios (legacy mode) computers, your dhcp server needs to be smart enough to send the appropriate boot file based on the pxe booting client computer. In the case of the fog server, it uses isc-dhcp server which has a specific configuration to dynamically switch between the two boot files.

So if your dhcp server doesn’t support this you can use a ProxyDhcp server (like dnsmasq) to only supply the pxe booting information. This is not a dhcp server replacement (it can be, but not in this instance), but a dhcp add on function called ProxyDHCP. Where the dnsmasq server listens for a discover request from a pxe booting client and sends out a ProxyDHCP offer in addition to your primary dhcp server sending out a dhcp offer.

Dnsmasq (or any other ProxyDHCP service) can run on the fog server, or on a windows or linux box on your business network.

In the client network (business network) there are only clients for UEFI. So there is no need for BIOS (legacy).
I don’t need dynamic boot files on this network. So i thought if i change the filename to ipxe.efi then it will start in UEFI but this is only what i get

Checking Media Presence...
Media Present
Start PXE over IPv4.
Downloading NBP File...
Succeed to download NBP file

After this it goes to boot into Windows.

If i change the filename back to undionly.kkpxe and change the BIOS to non-UEFI it will start over PXE.

george1421 · Mar 13, 2018, 12:38 PM

@eazis ok lets collect a bit more info then.

What version of fog are you using?
What is the manufacturer and model of the target hardware.
Has the firmware been updated on the target hardware
(which probably should be #1) Have you disabled secure boot on the target computer?

What I find strange is that the iPXE kernel is not starting at all. This makes me think secure boot has not been disabled.

Eazis · Mar 13, 2018, 12:53 PM

@george1421

Fog version: 1.5.0
ASUS (EEE family) A4110
No firmware changes
Secure boot is disabled on target computer

When i connect this computer to the “quarantine network” it can boot from UEFI.
If i connect it back to the “client network” it can’t boot from UEFI…

george1421 · Mar 13, 2018, 1:05 PM

@eazis To rule out the workstation from this problem, if you (have you) moved a non-pxe booting computer from the business network to the imaging network and confirmed it boots into the iPXE menu?

We are missing something here iPXE should boot no matter what subnet. The next steps will be to get wireshark setup to capture some packets.

Eazis · Mar 13, 2018, 1:05 PM

@george1421

Yes indeed.
That’s the strange thing…it don’t boot into iPXE
If i do the following command on the “client network” in Windows it download succesfully the file

F:\>tftp -i 10.54.68.102 GET ipxe.efi
Transfer successful: 994176 bytes in 1 second(s), 994176 bytes/s

george1421 · Mar 13, 2018, 1:09 PM

@eazis Again to rule out the workstation, please test a non-functioning one from the business network on the imaging network. We have seen some systems with pretty cruddy uefi firmware that have been fixed with firmware updates. I want to rule out a hardware issue before going to packet capture.

Eazis · Mar 13, 2018, 1:12 PM

@george1421

There is no hardware issue, because if i rule out the workstation to the imaging network it boot into iPXE with UEFI

george1421 · Mar 13, 2018, 7:22 AM

@eazis Ok then, wireshark is the next steps, as well as tcpdump on the fog server.

On the fog server you will want to follow this guide: https://forums.fogproject.org/topic/9673/when-dhcp-pxe-booting-process-goes-bad-and-you-have-no-clue

In reality since your target computer is on another subnet, all you need is port 69 (tftp) the rest are dhcp and proxydhcp.

You will need a computer with wireshark loaded and on the same subnet as the non-pxe booting computer. Ideally this non-pxe booting computer should be on the same subnet as your main dhcp server. For wireshark you will want to run this capture filter port 67 or port 68

The process will be to start tcpdump on the fog server, then wireshark capture and then pxe boot a failing pxe boot system. As soon as the pxe boot system starts into windows then stop wireshark and then stop tcpdump. You can either review with wireshark or upload to a dropbox or google drive and I will review it. What we are looking for is the target system will send a dhcp discover packet. That packet will state the type of computer it is. Then your dhcp server should send out a dhcp offer. You should have only one offer from one dhcp server.

As for the pcap from the fog server, I’m interested in seeing the requested file is transferred completely.

Eazis · Mar 27, 2018, 3:31 PM

Sorry for the delay. I had some other problems to resolve.

Now the ASUS (EEE family) A4110 can boot from the PXE network. But i still have some clients with UEFI that can’t boot.
They have the following error:

Server IP address is 10.54.68.102
NBP filename is ipxe.efiÿ
NBP filesize is 0 Bytes
PXE-E23: Client recieved TFTP error from server

It looks like that this ÿ is wrong. Any suggestions to resolve this? I have included tcpdump on the following link.
http://www.eazis.com/output.pcap

Many thanks.

Sebastian Roth · Mar 27, 2018, 8:01 PM

@eazis said in PXE UEFI boot problems:

NBP filename is ipxe.efiÿ

Did you copy&paste the filename into the Unifi DHCP settings page? Maybe just clear the setting and re-type by hand to make sure there is no hidden character in that filename field. I can clearly see 0xff in the PCAP file… So either the Unifi DHCP is doing something really weird or there is a character in that field.

PXE UEFI boot problems

186

12.0k

17.3k

155.1k