UEFI pxe boot problem from a network
-
Hello
My machines can’t start with PXE over UEFI from one VLAN, but it works fine from another VLAN.
I have no problem with BIOS legacy PXE boot.
I can’t understand the reason why.
Here is the dhcpd.conf file:

    #
    # dhcpd.conf
    #
    ddns-update-style standard;
    authoritative;
    #log-facility local7;
    set vendor-string = option vendor-class-identifier;
    log (info, option vendor-class-identifier);
    include "/etc/dhcp/vip.conf";
    subnet 148.60.0.0 netmask 255.255.248.0 {
        ##########################################
        option domain-name-servers 148.60.15.109,148.60.15.106 ;
        option domain-name "istic.univ-rennes1.fr" ;
        option routers 148.60.7.254 ;
        option subnet-mask 255.255.248.0 ;
        default-lease-time 2592000 ;
        max-lease-time 5184000 ;
        pool {
            allow members of "vip";
            range 148.60.7.200 148.60.7.230;
        }
        group {
            next-server 148.60.4.1;
            class "Legacy" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00000";
                filename "undionly.kkpxe";
            }
            class "UEFI-32-2" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00002";
                filename "i386-efi/ipxe.efi";
            }
            class "UEFI-32-1" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00006";
                filename "i386-efi/ipxe.efi";
            }
            class "UEFI-64-1" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00007";
                filename "ipxe.efi";
            }
            class "UEFI-64-2" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00008";
                filename "ipxe.efi";
            }
            class "UEFI-64-3" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00009";
                filename "ipxe.efi";
            }
            host admin01 { hardware ethernet 7**d:cf; fixed-address admin01; option Host-name "admin01";} #
            host admin02 { hardware ethernet b8:85**a; fixed-address admin02; option Host-name "admin02";} # Windows prototype, ISTIC rooms
            #host admin04 { hardware ethernet 74**; fixed-address admin04; option Host-name "admin04";} #AIO Dell 9030
            host admin05 { hardware ethernet d8:** fixed-address admin05; option Host-name "admin05";} # HP8100 AIO
            host admin07 { hardware ethernet c**; fixed-address admin07; option Host-name "admin07";} # AIO Dell 9030
            # start marker for dhcp-vm vlan 2, please do not touch.
            # end marker for dhcp-vm vlan 2, please do not touch.
    }
    subnet 148.60.10.0 netmask 255.255.255.0 {
        ##########################################
        option domain-name-servers 148.60.15.109,148.60.15.106 ;
        option domain-name "istic.univ-rennes1.fr" ;
        option routers 148.60.10.254 ;
        option subnet-mask 255.255.255.0 ;
        default-lease-time 600 ;
        max-lease-time 1200 ;
        group {
            # The two following lines are commented out to avoid the Fog menu
            next-server 148.60.4.1;
            class "Legacy" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00000";
                filename "undionly.kkpxe";
            }
            class "UEFI-32-2" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00002";
                filename "i386-efi/ipxe.efi";
            }
            class "UEFI-32-1" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00006";
                filename "i386-efi/ipxe.efi";
            }
            class "UEFI-64-1" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00007";
                filename "ipxe.efi";
            }
            class "UEFI-64-2" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00008";
                filename "ipxe.efi";
            }
            class "UEFI-64-3" {
                match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00009";
                filename "ipxe.efi";
            }
            host arrakis { hardware ethernet 0***FA; fixed-address arrakis; option Host-name "arrakis";} # Gx360 Gentoo AD
            host admin11 { hardware ethernet 9c****:ca; fixed-address admin11; option Host-name "admin11";} #linux test 8300 AD
            host brisbane { hardware ethernet 00:2****c9; fixed-address brisbane; option Host-name "brisbane";} # Windows SA
            # end marker for dhcp-vm vlan 10, please do not touch.
            pool {
                deny members of "telephones-ip";
                range 148.60.10.180 148.60.10.220;
                next-server 148.60.15.121;
                filename "pxelinux.0";
            }
            ####################################################
            # dynamic address pool reserved for IP phones
            # testsip
            pool {
                allow members of "telephones-ip";
                range 148.60.10.224 148.60.10.239;
                #
            }
        }
    }

The problem is for the subnet 148.60.10.0/24
With tcpdump, I don’t capture any packet on 148.60.4.1 fog server from the booting 148.60.10.193 machine
I have no firewall working on my fog server.
I have no access rules from 148.60.10.0 vlan to 148.60.4.0 vlan
Could you help me?
-
This is strange. This is the second issue we have relating to pxe booting not working for uefi but working for bios.
What error are you seeing on the target computer when pxe booting in uefi mode?
-
No bootable device found
-
@lebrun78 Well then it doesn’t receive PXE boot information at all. Can you take one of those machines and put it into the other VLAN? Does it PXE boot? Just want to make sure this is not a model specific issue.
-
@Sebastian-Roth Yes, if I change vlan, it works…
-
@Sebastian-Roth Fog server is on the vlan where boot uefi pxe works
-
@lebrun78 Please post the output of the two commands:
ip a s
and
ip r s
-
@Sebastian-Roth said in UEFI pxe boot problem from a network:
ip a s
    root@fogus ~]# ip a s
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens2f0np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether b0:26:28:78:ce:d0 brd ff:ff:ff:ff:ff:ff
        inet 148.60.4.1/21 brd 148.60.7.255 scope global noprefixroute ens2f0np0
           valid_lft forever preferred_lft forever
        inet6 fe80::b226:28ff:fe78:ced0/64 scope link
           valid_lft forever preferred_lft forever
    3: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
        link/ether 4c:d9:8f:8e:41:0f brd ff:ff:ff:ff:ff:ff
    4: ens2f1np1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
        link/ether b0:26:28:78:ce:d1 brd ff:ff:ff:ff:ff:ff
    5: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
        link/ether 4c:d9:8f:8e:41:10 brd ff:ff:ff:ff:ff:ff
    6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
        link/ether 52:54:00:1e:69:b9 brd ff:ff:ff:ff:ff:ff
        inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
           valid_lft forever preferred_lft forever
    7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
        link/ether 52:54:00:1e:69:b9 brd ff:ff:ff:ff:ff:ff

    ip r s
    default via 148.60.7.254 dev ens2f0np0 proto static metric 102
    148.60.0.0/21 dev ens2f0np0 proto kernel scope link src 148.60.4.1 metric 102
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

-
My FOG server is not the DHCP server.
-
@lebrun78 said in UEFI pxe boot problem from a network:
My fog server is not dhcp server
Then you might post the output of the same commands for the DHCP server.
-
    [root@sybille2 ~]# ip a s
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7d brd ff:ff:ff:ff:ff:ff
        inet 148.60.15.109/24 brd 148.60.15.255 scope global noprefixroute em1
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507d/64 scope link
           valid_lft forever preferred_lft forever
    3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    4: em2.14@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.14.252/24 brd 148.60.14.255 scope global noprefixroute em2.14
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    5: em2.2@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.4.3/21 brd 148.60.7.255 scope global noprefixroute em2.2
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    6: em2.11@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.11.249/24 brd 148.60.11.255 scope global noprefixroute em2.11
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    7: em2.3@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 129.20.15.252/24 brd 129.20.15.255 scope global noprefixroute em2.3
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    8: em2.10@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.10.252/24 brd 148.60.10.255 scope global noprefixroute em2.10
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    9: em2.13@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.13.249/24 brd 148.60.13.255 scope global noprefixroute em2.13
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever
    10: em2.12@em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 50:9a:4c:82:50:7e brd ff:ff:ff:ff:ff:ff
        inet 148.60.12.252/24 brd 148.60.12.255 scope global noprefixroute em2.12
           valid_lft forever preferred_lft forever
        inet6 fe80::529a:4cff:fe82:507e/64 scope link
           valid_lft forever preferred_lft forever

    [root@sybille2 ~]# ip r s
    default via 148.60.15.254 dev em1 proto static metric 100
    129.20.15.0/24 dev em2.3 proto kernel scope link src 129.20.15.252 metric 406
    148.60.0.0/21 dev em2.2 proto kernel scope link src 148.60.4.3 metric 400
    148.60.10.0/24 dev em2.10 proto kernel scope link src 148.60.10.252 metric 403
    148.60.11.0/24 dev em2.11 proto kernel scope link src 148.60.11.249 metric 402
    148.60.12.0/24 dev em2.12 proto kernel scope link src 148.60.12.252 metric 404
    148.60.13.0/24 dev em2.13 proto kernel scope link src 148.60.13.249 metric 405
    148.60.14.0/24 dev em2.14 proto kernel scope link src 148.60.14.252 metric 401
    148.60.15.0/24 dev em1 proto kernel scope link src 148.60.15.109 metric 100

-
@george1421
Here is the extracted DHCP log for the non-working sequence:

    Mar 9 16:43:36 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
    Mar 9 16:43:36 sybille2 dhcpd: DHCPDISCOVER from 10:65:30:83:5c:4b via em2.10
    Mar 9 16:43:36 sybille2 dhcpd: DHCPOFFER on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10
    Mar 9 16:43:39 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
    Mar 9 16:43:39 sybille2 dhcpd: DHCPREQUEST for 148.60.10.140 (148.60.10.252) from 10:65:30:83:5c:4b via em2.10
    Mar 9 16:43:39 sybille2 dhcpd: DHCPACK on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10

-
@lebrun78 Sorry I was not clear. From the target computer side, how do you know it didn’t work? Did you get a PXE-XXXX error?
-
@george1421
Sorry. No error on the Dell Latitude 5900 laptop on booting except “No bootable media found”
-
@george1421
Do you have an example for a more wordy client? I use libvirt for virtualisation, but I think it does not support UEFI PXE boot.
-
@lebrun78 ok I think what we will need next is to have you install wireshark on a witness (extra) computer and use the capture filter of
udp port 67 or udp port 68
Let’s see what your dhcp server is telling that target computer to boot in uefi mode.
-
How could I have a witness ?
-
@lebrun78 said in UEFI pxe boot problem from a network:
How could I have a witness ?
Yes, I was concerned that the name would not translate well.
What I meant is to have an extra computer plugged into the same subnet as the one that will not pxe boot in uefi mode. On this extra computer load wireshark (free program) and set the capture filter to what I said, so that it only sees the dhcp packets from your dhcp server. This will give us an idea where the problem is. If you save the pcap file (output from wireshark) to an internet file share site, then post the link here I will look at it quickly to see what is the pxe booting client being told.
-
@lebrun78 said in UEFI pxe boot problem from a network:
Mar 9 16:43:36 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
Mar 9 16:43:36 sybille2 dhcpd: DHCPDISCOVER from 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:36 sybille2 dhcpd: DHCPOFFER on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:39 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
Mar 9 16:43:39 sybille2 dhcpd: DHCPREQUEST for 148.60.10.140 (148.60.10.252) from 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:39 sybille2 dhcpd: DHCPACK on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10
We are sure the MAC is the one from the UEFI machine not properly PXE booting? Just want to make sure. If it is we do know the DHCP handshake is actually happening.
Looking through the config again I had the idea that maybe naming the classes all the same might be causing the issue. Though this doesn’t explain why only UEFI PXE boot is failing. Still you might want to change the names for one of the groups.
Other than that we’d need to get a packet dump from the DHCP information as suggested by George. You should be able to capture in the command line with a filter:
tcpdump -w /tmp/foo.pcap ether host 10:65:30:83:5c:4b
Upload the pcap to a fileshare and post a link here.
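
The following Python script is an added illustration, not written by anyone in this thread. It pairs each `log()` vendor-class line in the dhcpd log with the DHCP message that follows it, checks per MAC whether the DISCOVER/OFFER/REQUEST/ACK exchange completed, and shows which class from the posted dhcpd.conf the identifier matches. It assumes the line order seen in the quoted log and evaluates only the class statements, not pool or subnet settings; the function and field names are made up for this example.

```python
import re

# Constructed input: the six dhcpd lines quoted in this thread.
SAMPLE_LOG = """\
Mar 9 16:43:36 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
Mar 9 16:43:36 sybille2 dhcpd: DHCPDISCOVER from 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:36 sybille2 dhcpd: DHCPOFFER on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:39 sybille2 dhcpd: PXEClient:Arch:00007:UNDI:003016
Mar 9 16:43:39 sybille2 dhcpd: DHCPREQUEST for 148.60.10.140 (148.60.10.252) from 10:65:30:83:5c:4b via em2.10
Mar 9 16:43:39 sybille2 dhcpd: DHCPACK on 148.60.10.140 to 10:65:30:83:5c:4b via em2.10
"""
# Class name -> (20-character prefix, filename), copied from the posted dhcpd.conf.
CLASSES = {
    "Legacy":    ("PXEClient:Arch:00000", "undionly.kkpxe"),
    "UEFI-32-2": ("PXEClient:Arch:00002", "i386-efi/ipxe.efi"),
    "UEFI-32-1": ("PXEClient:Arch:00006", "i386-efi/ipxe.efi"),
    "UEFI-64-1": ("PXEClient:Arch:00007", "ipxe.efi"),
    "UEFI-64-2": ("PXEClient:Arch:00008", "ipxe.efi"),
    "UEFI-64-3": ("PXEClient:Arch:00009", "ipxe.efi"),
}
MSG = re.compile(r"dhcpd: (DHCP[A-Z]+) .*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (\S+)", re.I)
VENDOR = re.compile(r"dhcpd: (PXEClient:\S+)")
HANDSHAKE = ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK")

def match_class(vendor):
    """Mimic `substring(option vendor-class-identifier, 0, 20) = "<prefix>"`."""
    for name, (prefix, filename) in CLASSES.items():
        if vendor[:20] == prefix:
            return name, filename
    return None, None

def summarize(log_text):
    """Per-MAC view; assumes each log() line precedes its DHCP message."""
    clients, pending = {}, None
    for line in log_text.splitlines():
        vendor, msg = VENDOR.search(line), MSG.search(line)
        if vendor:
            pending = vendor.group(1)  # no MAC on this line; attach to next message
        elif msg:
            kind, mac, iface = msg.groups()
            c = clients.setdefault(mac.lower(), {"messages": [], "ifaces": set(), "vendor": None})
            c["messages"].append(kind)
            c["ifaces"].add(iface)
            if pending and kind in ("DHCPDISCOVER", "DHCPREQUEST"):
                c["vendor"], pending = pending, None
    for c in clients.values():
        c["handshake_complete"] = all(k in c["messages"] for k in HANDSHAKE)
        c["class"], c["class_filename"] = match_class(c["vendor"] or "")
    return clients
```

With several clients booting at once the vendor-class line and its message can interleave in the log, so treat the pairing as a hint and confirm with a packet capture.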
-
@Sebastian-Roth said in UEFI pxe boot problem from a network:
Looking through the config again I had the idea that maybe naming the classes all the same might be causing the issue. Though this doesn’t explain why only UEFI PXE boot is failing. Still you might want to change the names for one of the groups.
Which parameter should I change in the class declaration ?