  • 1.  DHCP Relay not working as expected

    Posted 03-23-2013 12:19

    I've got a bit of an odd issue, that I've hit a wall trying to diagnose.

    I have an EX3200 which has multiple RVI VLANs implemented on it, then a firewall trunked from it - with a few more VLANs. A PXE server is behind the firewall on vlan.4003.

     The PXE server has the IP 10.2.4.3 and can be pinged from any VLAN on the EX3200.
    Files from the TFTP daemon can also be downloaded from any VLAN on the EX3200.
    The firewall is disabled for the purpose of testing and all ACLs are disabled on the EX3200.

     

    forwarding-options {
        helpers {
            bootp {
                server 10.2.4.3;
                interface {
                    vlan.32;
                }
            }
        }
    }

    When I boot up a server on any other VLAN - the idea is that the NIC will PXE boot from the PXE server.

    A DHCP request is sent (via the L3 interface on the VLAN) to the DHCP server. The server gets this request and assigns an IP.

    Then the PXE boot requests the TFTP file (pxelinux.0). However, this just times out.

     

    PXE-E32: TFTP open timeout


     

    Looking at the corresponding logs on the PXE server, you can see the request:
     

    Mar 23 19:01:50 pxe1 in.tftpd[32490]: RRQ from 192.168.1.5 filename pxelinux.0
    Mar 23 19:01:51 pxe1 in.tftpd[32491]: RRQ from 192.168.1.5 filename pxelinux.0
    Mar 23 19:01:52 pxe1 in.tftpd[32492]: RRQ from 192.168.1.5 filename pxelinux.0


    Then tcpdump'ing the interface on the PXE server
     

    19:14:26.398898 IP 10.2.4.3 > 192.168.1.5: ICMP 10.2.4.3 udp port 37802 unreachable, length 40


    So it is clear the PXE server can't access the client. Attempting a ping confirms this - the 192.168.1.5 address does not respond to ICMP.

    So checking the routes on the EX3200
     

    show routes
    ...
    192.168.0.0/24    *[Direct/0] 16:41:43
                          > via vlan.32


    So the route clearly exists on the EX3200 - so then I checked the ARP table

     

    MAC Address       Address        Name            Interface           Flags
    00:00:xx:xx:xx:xx 192.168.1.5        192.168.1.5          vlan.32          none


    And that also exists.

    So everything looks fine, the DHCP server assigns an IP, the client server requests the PXE file - but the PXE server can't actually communicate with the client, nor can the EX3200 that is directly connected.

    It's worth stating that if I just boot the normal OS on the client - all routing works perfectly. It can ping the PXE server and vice versa without issue.

     What on earth is going on?



  • 2.  RE: DHCP Relay not working as expected

     
    Posted 03-23-2013 14:40
    The interface specification in the bootp stanza is the source of the request, not destination.

    set forwarding-options helpers bootp interface vlan.32

    I also specify the server in the interface stanza for good measure, habit from early srx bugs.

    set forwarding-options helpers bootp interface vlan.32 server 10.2.4.3




  • 3.  RE: DHCP Relay not working as expected

    Posted 03-23-2013 17:13

    @smicker

    Thanks for the reply. I had actually typo'ed when re-keying the config above; in my lab, it's got vlan.32 specified.

    I did also try explicitly stating the server per vlan too (like you described) - but that didn't change anything.

    I found that by setting the vlan either incorrectly or setting the wrong server IP - would prevent a DHCP assignment altogether; so I think that can definitely be ruled out.

    I'm going to put both the client and PXE machine in the same VLAN just to rule out software configuration.



  • 4.  RE: DHCP Relay not working as expected

     
    Posted 03-23-2013 19:48
    If the pxe server is also the dhcp server then yes that is strange. It sounds like something on the srx is blocking return traffic. Perhaps verify session flows in both directions, or debug traffic flow on the srx?


  • 5.  RE: DHCP Relay not working as expected

    Posted 03-24-2013 04:50
    Nothing *should* be blocking traffic.

    I can verify this by booting up the local OS on the client machine. Then running similar tests.

    Ping in both directions works.
    A manual TFTP get from the client works.

    --

    But when the IP is assigned via DHCP during PXE boot, the pxe server can't communicate with the client properly.


  • 6.  RE: DHCP Relay not working as expected

    Posted 03-24-2013 11:09

    So, I put both machines on the same VLAN and it PXE booted normally - without issue.

    I put the client back into its own VLAN and it timed out during the TFTP fetch again.

    --

    It's worth noting that I cannot ping the DHCP assigned IP from the EX.

    Again, if I boot a normal OS on the client system - the EX can ping it, the PXE server can ping it etc.

    --

    So now I tried putting the PXE server in a VLAN with an L3 interface on the EX (rather than on the firewall). And it immediately worked.

    So it's either the firewall itself (pfSense), or an issue between the EX and firewall.

    --

    Does it make a difference if the client is on a VLAN on the EX with an L3 interface - but the PXE server is on a firewall with an L3 interface?



  • 7.  RE: DHCP Relay not working as expected
    Best Answer

    Posted 03-24-2013 14:45

    Juniper: 1

    pfSense: 1

    ben_uk: 0

     

    Turns out, everything was configured perfectly in the first instance apart from one NAT rule on the firewall that allowed outbound internet access for the 10.2.4.0/24 subnet - turns out that was breaking the PXE server.