Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PXE Boot DHCP Option 66 + 67 - Client falsely using the Firewall IP-Address as TFTP Server

I'm trying to copy a PXE Boot Optin from the DHCP Server of a UTM to Sophos XGS

The problem I face is, the Boot Client uses the IP-Address of the Firewall/DHCP Server as TFTP Server instead of the value provided in the Option 66 (Next Server)

I tried with GUI

and with CLI

system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname Bootfile_Name(67) value '\bblefi-x64\shim_x64.efi'
DHCP option Bootfile_Name(67) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removedbyauthor-xxx


Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2"
Bootfile_Name(67)                                           "\\bblefi-x64\\shim_x64.efi"

and get the same result at the client:

192.168.32.1 is the sophos firewall

it should use 172.16.2.1 but it does not

172.16.2.1 is behind a IPSEC-VPN from the perspective of the Client.

That is the IP-Address of the Firewall that is also the DHCP Server.

Then I tested this - I found it in an other post here from Sophos Staff but with that value, the Client did not receive an IP Address at all. It already looks ugly.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removed-xxx
Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2/bblefi-x64/shim_x64.efi"

In a tcp dump, it all looks fine so far - the offer includes the correct IP:

    Option: (54) DHCP Server Identifier (192.168.32.1)
        Length: 4
        DHCP Server Identifier: 192.168.32.1
    Option: (51) IP Address Lease Time
    Option: (1) Subnet Mask (255.255.255.128)
    Option: (3) Router
    Option: (6) Domain Name Server
    Option: (15) Domain Name
    Option: (66) TFTP Server Name
        Length: 13
        TFTP Server Name: 172.16.1.2
    Option: (67) Bootfile name
        Length: 23
        Bootfile name: bblefi-x64\shim_x64.efi
    Option: (255) End
        Option End: 255

But then the Client uses the Firewall IP again instead of the real Server IP in TFTP communication:

Any idea?



This thread was automatically locked due to age.
  • I tested a different XG firewall, an other Notebook Manufacturer (Lenovo this time) and let it PXE boot on a different XG-based Network/DHCP Server.

    Same issue - the Client is not using the TFTP Server specified on the XG Firewall DHCP Server, instead it uses the Gateway IP Address - the XG Firewall.

    192.168.9.193 is the IP of the XG in that subnet

    I was on a local subnet connected to the XG here, no VPN between the Client and the Server

    and that is the DHCP Server on XG:

  • and a full tcp dump as text for better readability

    Using username "admin".
    Authenticating with public key "rsa-key-20221205" from agent
    
    Sophos Firmware Version SFOS 19.0.1 MR-1-Build365
    
    Main Menu
    
        1.  Network  Configuration
        2.  System   Configuration
        3.  Route    Configuration
        4.  Device Console
        5.  Device Management
        6.  VPN Management
        7.  Shutdown/Reboot Device
        0.  Exit
    
        Select Menu Number [0-7]: 5
    
    Sophos Firmware Version SFOS 19.0.1 MR-1-Build365
    
    Device Management
    
        1.  Reset to Factory Defaults
        2.  Show Firmware(s)
        3.  Advanced Shell
        4.  Flush Device Reports
        0.  Exit
    
        Select Menu Number [0-4]: 3
    
    
    Sophos Firewall
    ===============
    (C) Copyright 2000-2022 Sophos Limited and others. All rights reserved.
    Sophos is a registered trademark of Sophos Limited and Sophos Group.
    All other product and company names mentioned are trademarks or registered
    trademarks of their respective owners.
    
    For Sophos End User Terms of Use - https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use.aspx
    
    NOTE: If not explicitly approved by Sophos support, any modifications
          done through this option will void your support.
    
    
    XG430_WP02_SFOS 19.0.1 MR-1-Build365# tcpdump -i xglaninterface -nv
    tcpdump: listening on xglaninterface, link-type EN10MB (Ethernet), capture size 262144 bytes
    11:38:54.318645 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38400, offset 0, flags [none], proto UDP (17), length 375)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 347, xid 0x4123e46d, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Discover
                MSZ Option 57, length 2: 1472
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:38:54.318771 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46d, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Offer
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84380
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:38:54.979423 xglaninterface, IN: IP6 (hlim 1, next-header Options (0) payload length: 32) :: > ff02::1:ff16:9b40: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff16:9b40
    11:38:55.065408 xglaninterface, IN: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) :: > ff02::1:ff16:9b40: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has fe80::e646:b0ff:fe16:9b40
    11:38:58.261333 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38401, offset 0, flags [none], proto UDP (17), length 387)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 359, xid 0x4123e46d, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Request
                Server-ID Option 54, length 4: 192.168.9.193
                Requested-IP Option 50, length 4: 192.168.9.195
                MSZ Option 57, length 2: 65280
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:38:58.261524 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46d, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: ACK
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84376
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:38:58.298483 xglaninterface, IN: ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.9.193 tell 192.168.9.195, length 46
    11:38:58.298495 xglaninterface, OUT: ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.9.193 is-at 00:10:cd:96:03:44, length 28
    11:38:58.324836 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38402, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:02.274138 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38403, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:04.311501 xglaninterface, IN: IP6 (hlim 1, next-header Options (0) payload length: 32) fe80::e646:b0ff:fe16:9b40 > ff02::1:ff16:9b40: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff16:9b40
    11:39:06.286129 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38404, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:10.297022 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38405, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:14.310317 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38406, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:18.329369 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38407, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1461 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:22.343378 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38408, offset 0, flags [none], proto UDP (17), length 375)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 347, xid 0x4123e46e, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Discover
                MSZ Option 57, length 2: 1472
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:39:22.343571 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46e, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Offer
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84352
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:39:26.341536 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38409, offset 0, flags [none], proto UDP (17), length 387)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 359, xid 0x4123e46e, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Request
                Server-ID Option 54, length 4: 192.168.9.193
                Requested-IP Option 50, length 4: 192.168.9.195
                MSZ Option 57, length 2: 65280
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:39:26.341634 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46e, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: ACK
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84348
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:39:26.371758 xglaninterface, IN: ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.9.193 tell 192.168.9.195, length 46
    11:39:26.371782 xglaninterface, OUT: ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.9.193 is-at 00:10:cd:96:03:44, length 28
    11:39:26.392125 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38410, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:30.367236 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38411, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:34.369871 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38412, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:38.381516 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38413, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:42.400655 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38414, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:46.407507 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38415, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1462 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:50.427162 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38416, offset 0, flags [none], proto UDP (17), length 375)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 347, xid 0x4123e46f, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Discover
                MSZ Option 57, length 2: 1472
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:39:50.427246 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46f, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Offer
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84324
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:39:54.423764 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38417, offset 0, flags [none], proto UDP (17), length 387)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:46:b0:16:9b:40, length 359, xid 0x4123e46f, Flags [Broadcast]
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Request
                Server-ID Option 54, length 4: 192.168.9.193
                Requested-IP Option 50, length 4: 192.168.9.195
                MSZ Option 57, length 2: 65280
                Parameter-Request Option 55, length 35:
                  Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
                  IEN-Name-Server, Domain-Name-Server, Hostname, BS
                  Domain-Name, RP, EP, RSZ
                  TTL, BR, YD, YS
                  NTP, Vendor-Option, Requested-IP, Lease-Time
                  Server-ID, RN, RB, Vendor-Class
                  TFTP, BF, GUID, Option 128
                  Option 129, Option 130, Option 131, Option 132
                  Option 133, Option 134, Option 135
                GUID Option 97, length 17: 0.235.111.184.245.185.41.237.17.139.20.184.111.233.104.44.113
                NDI Option 94, length 3: 1.3.16
                ARCH Option 93, length 2: 7
                Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
    11:39:54.423856 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
        192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46f, Flags [Broadcast]
              Your-IP 192.168.9.195
              Client-Ethernet-Address e4:46:b0:16:9b:40
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: ACK
                Server-ID Option 54, length 4: 192.168.9.193
                Lease-Time Option 51, length 4: 84320
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Default-Gateway Option 3, length 4: 192.168.9.193
                Domain-Name-Server Option 6, length 4: 192.168.9.193
                Domain-Name Option 15, length 14: "internaldomain.lan"
                TFTP Option 66, length 13: "172.16.1.2"
                BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"
    11:39:54.481994 xglaninterface, IN: ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.9.193 tell 192.168.9.195, length 46
    11:39:54.482006 xglaninterface, OUT: ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.9.193 is-at 00:10:cd:96:03:44, length 28
    11:39:54.528821 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38418, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1463 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:39:58.444911 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38419, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1463 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    11:40:02.459094 xglaninterface, IN: IP (tos 0x0, ttl 64, id 38420, offset 0, flags [none], proto UDP (17), length 95)
        192.168.9.195.1463 > 192.168.9.193.69:  67 RRQ "\bblefi-x64\shim_x64.efi" octet tsize 0 blksize 1468 windowsize 4
    ^C
    36 packets captured
    53 packets received by filter
    0 packets dropped by kernel
    XG430_WP02_SFOS 19.0.1 MR-1-Build365#

  • The poor user  here had the same issue after reading that thread:

     XG DHCP Options Not Working for PXE 

    he finally gave it up - what a pity

  • Hi  ,

    Good day and thanks for reaching out to Sophos Community and hope you are well. 

    I'm sorry you are facing this concern, It seems you have already referred to past threads and unable to work towards a resolution. I may recommend you to open a support ticket to have this further checked while replicating the issue. Kindly share to us the would be generated caseID via DM or by replying to this thread. 

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hey LHerzog,

    I just saw your response to my forum thread from above. I'm not able to reply on that thread, but yes, I did try many different path options on the XG of all different forms, with no luck. I tried a leading slash, trailing slash, no slashes, etc. All the same result, the PXE clients would list the XG interface as the destination server, time out, and the TFTP server never received the requests. Like you, I even verified through packet captures that the clients received their options 66/67 information in the DHCP offer.

    Something that I think is of value, is that I was also using Lenovo hardware in my scenario. I experienced the same issue as you posted in the screenshot above. My understanding of DHCP options is that they are not the most reliable way to PXE boot due to poor or inconsistent implementation from the hardware mfg side. Lenovo documentation does outline options 66/67 being relevant, but I never figured the issue out.

    If you end up not being able to get this to function, it should be possible for you to use iPXE (https://ipxe.org/start). With iPXE, you can customize your boot files for your TFTP address, boot from a USB key, and chainload over to your PXE server. I understand it's possible to automate this iPXE process so that you boot from USB and have it automatically go into PXE. I know it's not as convenient of a solution since it requires a physical USB for each machine, but certainly worth looking into if you can't figure out native PXE.

    For your sake, I hope you are able to find a solution. I ran out of patience after struggling with it for hours on end with no progress. With you in spirit!

  • this is the DHCP Offer from a windows DHCP Server which is working compared with the Offer of the XG DHCP Server

    PXE Boot works when we use a Windows DHCP Server. The XG does DHCP Relay to the Windows DHCP Server.

    You can see next server and boot file is not included in the XG DHCP server's offer.

    Looks very much like a bug to me - because on the XG Web Admin it's listed as "next server" and "boot file" explicitely but is not served. Served are only DHCP Options 66 and 67

  • created a new case for this topic

    06372787

  • Hello there,

    Thanks for providing this. This is currently being investigated and Engr will provide an update per his last sent email to you. 

    Kindly let us know if you need any further assistance from our end. 

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Just curious. Looking at those Dumps and the tcpdump above, why are they different? 

    In the tcpdumps above, you see the values given as expected. In your wireshark dump, you are not. 

    11:38:54.318771 xglaninterface, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 359)
    192.168.9.193.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 331, xid 0x4123e46d, Flags [Broadcast]
    Your-IP 192.168.9.195
    Client-Ethernet-Address e4:46:b0:16:9b:40
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Offer
    Server-ID Option 54, length 4: 192.168.9.193
    Lease-Time Option 51, length 4: 84380
    Subnet-Mask Option 1, length 4: 255.255.255.248
    Default-Gateway Option 3, length 4: 192.168.9.193
    Domain-Name-Server Option 6, length 4: 192.168.9.193
    Domain-Name Option 15, length 14: "internaldomain.lan"
    TFTP Option 66, length 13: "172.16.1.2"
    BF Option 67, length 24: "\bblefi-x64\shim_x64.efi"

    __________________________________________________________________________________________________________________

  • By the way, sometimes it helps to convert this to HEX and use the hex values:  How to enter special-characters like '&' to DHCP-option string-values ? 

    __________________________________________________________________________________________________________________