
DHCP Relaying via Sophos UTM - PXE Boot not possible

Hello Community,

We have the following setup:

Our Sophos is an SG450 running version 9.510-5.

The Sophos gateway routes the traffic for VLAN 144 and holds the interface on a link aggregation group.

From the link aggregation group the traffic is routed through a transfer network to our core switches (transfer network via VLAN 2101).

Our core switches route the traffic for VLAN 16 (server network). The PXE server (10.46.16.40) and the DHCP server (10.46.16.8) are hosted in this network.

Now when we want to image a laptop via PXE boot, the boot stops in the DHCP handshake at the DHCP Offer. No DHCP Request and Acknowledge reach the client.

I know that PXE boot is not so easy if the DHCP server, TFTP server and client are in different VLANs/subnets.

I analyzed the traffic with tcpdump on the transfer network between firewall and core switches while the client PC tries to boot:

 

TCPDump:

DHCP-Scope (MS DHCP-Server) Settings:

Interfaces on Sophos - DHCP-Relaying for Interface VLAN144:

ICMP-Settings in Firewall:

In the firewall log there weren't any drops.

Core-Switch VLAN 2101 - ip helper-addresses

(Trk1-Trk2) --> LAG to Sophos

Core-Switch VLAN 144 - ip helper-addresses

The only idea I have is to not relay the DHCP traffic for VLAN 144 to the MS DHCP servers.

Instead I could set up a DHCP server on the Sophos for VLAN 144 and set the DHCP options there, so that the client PC can find the TFTP server.

 

Any ideas?

 

Thanks so far!

  • Hello,

    I think that the problem is this message I saw today in a tcpdump trace regarding a UDP checksum error...

    The checksum error occurs when the firewall redirects the DHCP Discover broadcast from the DHCP client to the DHCP server (a physical Server 2016 hardware server).

    1. DHCP Discover starts from the client (VLAN 144)

    15:52:32.556257 f0:1f:af:0b:ee:89 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 594: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 20, id 1, offset 0, flags [none], proto UDP (17), length 576)

        0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from f0:1f:af:0b:ee:89

     

    2. DHCP Discover redirected to "10.46.0.70" (transfer interface to the core switches)

    15:52:32.556354 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 594: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 49273, offset 0, flags [DF], proto UDP (17), length 576)

        10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x26e7 -> 0xa986!] BOOTP/DHCP, Request from f0:1f:af:0b:ee:89

     

    There is a UDP checksum error.

     

    3. DHCP-Offer from DHCP-Server back to Firewall

    15:52:32.556928 00:1f:28:36:0b:00 > 00:1a:8c:f0:b1:e8, ethertype 802.1Q (0x8100), length 390: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 127, id 32378, offset 0, flags [none], proto UDP (17), length 372)

        10.46.16.8.67 > 10.46.144.254.67: [udp sum ok] BOOTP/DHCP, Reply, length 344, xid 0xaf0bee89

     

     

    4. DHCP-Offer from Firewall back to DHCP-Client in VLAN144

    15:52:32.556997 00:1a:8c:f0:b1:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 390: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 372)

        10.46.144.254.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 344, xid 0xaf0bee89, Flags [Broadcast] (0x8000)

              Your-IP 10.46.144.105

              Server-IP 10.46.16.8

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address f0:1f:af:0b:ee:89

  • Appendix:

    If the client PC boots into Windows, Active Directory authentication + DHCP + DNS work fine for the laptop in VLAN 144.

    The tcpdump shows the following:

     

     

    17:07:24.242238 34:e6:d7:12:7b:d9 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 22414, offset 0, flags [none], proto UDP (17), length 328)

        0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 300, xid 0x4cf92dbd, Flags [none] (0x0000)

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Discover

                Client-ID Option 61, length 7: ether 34:e6:d7:12:7b:d9

                Requested-IP Option 50, length 4: 10.46.144.105

                Hostname Option 12, length 7: "DE14182"

                Vendor-Class Option 60, length 8: "MSFT 5.0"

                Parameter-Request Option 55, length 14:

                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name

                  Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server

                  Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route

                  Classless-Static-Route-Microsoft, Option 252


     

    17:07:24.242374 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 346: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 6267, offset 0, flags [DF], proto UDP (17), length 328)

        10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x25ef -> 0xdd0d!] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 300, hops 1, xid 0x4cf92dbd, Flags [none] (0x0000)

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Discover

                Client-ID Option 61, length 7: ether 34:e6:d7:12:7b:d9

                Requested-IP Option 50, length 4: 10.46.144.105

                Hostname Option 12, length 7: "DE14182"

                Vendor-Class Option 60, length 8: "MSFT 5.0"

                Parameter-Request Option 55, length 14:

                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name

                  Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server

                  Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route

                  Classless-Static-Route-Microsoft, Option 252

     

     

    17:07:24.243221 00:1f:28:36:0b:00 > 00:1a:8c:f0:b1:e8, ethertype 802.1Q (0x8100), length 354: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 127, id 8251, offset 0, flags [none], proto UDP (17), length 336)

        10.46.16.8.67 > 10.46.144.254.67: [udp sum ok] BOOTP/DHCP, Reply, length 308, xid 0x4cf92dbd, Flags [none] (0x0000)

              Your-IP 10.46.144.105

              Server-IP 10.46.16.8

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Offer

                Subnet-Mask Option 1, length 4: 255.255.255.0

                RN Option 58, length 4: 1800

                RB Option 59, length 4: 3150

                Lease-Time Option 51, length 4: 3600

                Server-ID Option 54, length 4: 10.46.16.8

                Default-Gateway Option 3, length 4: 10.46.144.254

                Domain-Name-Server Option 6, length 8: 10.46.16.8,10.46.16.2

                Domain-Name Option 15, length 16: "xx.local^@"

    17:07:24.243329 00:1a:8c:f0:b1:e8 > 34:e6:d7:12:7b:d9, ethertype 802.1Q (0x8100), length 354: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 336)

        10.46.144.254.67 > 10.46.144.105.68: [udp sum ok] BOOTP/DHCP, Reply, length 308, xid 0x4cf92dbd, Flags [none] (0x0000)

              Your-IP 10.46.144.105

              Server-IP 10.46.16.8

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Offer

                Subnet-Mask Option 1, length 4: 255.255.255.0

                RN Option 58, length 4: 1800

                RB Option 59, length 4: 3150

                Lease-Time Option 51, length 4: 3600

                Server-ID Option 54, length 4: 10.46.16.8

                Default-Gateway Option 3, length 4: 10.46.144.254

                Domain-Name-Server Option 6, length 8: 10.46.16.8,10.46.16.2

                Domain-Name Option 15, length 16: xx.local^@

     

    17:07:24.243874 34:e6:d7:12:7b:d9 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 374: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 22415, offset 0, flags [none], proto UDP (17), length 356)

        0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 328, xid 0x4cf92dbd, Flags [none] (0x0000)

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Request

                Client-ID Option 61, length 7: ether 34:e6:d7:12:7b:d9

                Requested-IP Option 50, length 4: 10.46.144.105

                Server-ID Option 54, length 4: 10.46.16.8

                Hostname Option 12, length 7: "DE14182"

                FQDN Option 81, length 26: "DE14182.xx.local"

                Vendor-Class Option 60, length 8: "MSFT 5.0"

                Parameter-Request Option 55, length 14:

                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name

                  Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server

                  Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route

                  Classless-Static-Route-Microsoft, Option 252

     


     

    16:55:41.222253 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 368: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 55616, offset 0, flags [DF], proto UDP (17), length 350)

        10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x2605 -> 0x344a!] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 322, hops 1, xid 0xb0933eea, Flags [none] (0x0000)

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: Request

                Client-ID Option 61, length 7: ether 34:e6:d7:12:7b:d9

                Requested-IP Option 50, length 4: 10.46.144.105

                Hostname Option 12, length 7: "DE14182"

                FQDN Option 81, length 26: "DE14182.xx.local"

                Vendor-Class Option 60, length 8: "MSFT 5.0"

                Parameter-Request Option 55, length 14:

                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name

                  Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server

                  Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route

                  Classless-Static-Route-Microsoft, Option 252

     

    16:55:41.223408 00:1f:28:36:0b:00 > 00:1a:8c:f0:b1:e8, ethertype 802.1Q (0x8100), length 359: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 127, id 19672, offset 0, flags [none], proto UDP (17), length 341)

        10.46.16.8.67 > 10.46.144.254.67: [udp sum ok] BOOTP/DHCP, Reply, length 313, xid 0xb0933eea, Flags [none] (0x0000)

              Your-IP 10.46.144.105

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: ACK

                RN Option 58, length 4: 14400

                RB Option 59, length 4: 25200

                Lease-Time Option 51, length 4: 28800

                Server-ID Option 54, length 4: 10.46.16.8

                Subnet-Mask Option 1, length 4: 255.255.255.0

                FQDN Option 81, length 3: 255/255 ""

                Default-Gateway Option 3, length 4: 10.46.144.254

                Domain-Name-Server Option 6, length 8: 10.46.16.8,10.46.16.2

                Domain-Name Option 15, length 16: "xx.local^@"

    16:55:41.223479 00:1a:8c:f0:b1:e8 > 34:e6:d7:12:7b:d9, ethertype 802.1Q (0x8100), length 359: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 341)

        10.46.144.254.67 > 10.46.144.105.68: [udp sum ok] BOOTP/DHCP, Reply, length 313, xid 0xb0933eea, Flags [none] (0x0000)

              Your-IP 10.46.144.105

              Gateway-IP 10.46.144.254

              Client-Ethernet-Address 34:e6:d7:12:7b:d9

              Vendor-rfc1048 Extensions

                Magic Cookie 0x63825363

                DHCP-Message Option 53, length 1: ACK

                RN Option 58, length 4: 14400

                RB Option 59, length 4: 25200

                Lease-Time Option 51, length 4: 28800

                Server-ID Option 54, length 4: 10.46.16.8

                Subnet-Mask Option 1, length 4: 255.255.255.0

                FQDN Option 81, length 3: 255/255 ""

                Default-Gateway Option 3, length 4: 10.46.144.254

                Domain-Name-Server Option 6, length 8: 10.46.16.8,10.46.16.2

                Domain-Name Option 15, length 16: xx.local^@

     

    => There is also a checksum error, but the client gets an ACK packet from the DHCP server. Via PXE boot there isn't any REQUEST and ACK traffic in the DHCP handshake!
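As an added example (not code from the original post or from Sophos), the following Python script reads tcpdump output in the format shown in the two replies above, groups the packets by client hardware address and reports, per client, which DHCP message types were seen on which VLAN, how many copies carried tcpdump's "bad udp cksum" flag, and whether the exchange reached an ACK. It serves both the PXE trace (which stops after the Offer) and the Windows trace (which completes despite the same flag on its relayed copies). The sample trace embedded in it is constructed in the thread's capture format; the later timestamps and IP ids are made up. One caveat when reading the flag: if the capture is taken on the relaying host itself, tcpdump commonly reports a bad UDP checksum on packets that host sends because the NIC fills the checksum in after the capture point (checksum offload), so the flag by itself does not show what arrived at the DHCP server.

```python
"""Summarise DHCP relay handshakes per client from tcpdump text output.
Added example for this thread, not code from the original post or from Sophos."""
import re
from collections import OrderedDict

# Constructed sample trace in the format of the captures in the thread: client
# f0:1f:... mimics the PXE case (stops after the Offer), client 34:e6:... the
# Windows case (Discover/Offer/Request/ACK). Later timestamps/ids are made up.
SAMPLE_TRACE = """\
15:52:32.556257 f0:1f:af:0b:ee:89 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 594: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 20, id 1, offset 0, flags [none], proto UDP (17), length 576)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from f0:1f:af:0b:ee:89
15:52:32.556354 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 594: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 49273, offset 0, flags [DF], proto UDP (17), length 576)
    10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x26e7 -> 0xa986!] BOOTP/DHCP, Request from f0:1f:af:0b:ee:89
15:52:32.556997 00:1a:8c:f0:b1:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 390: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 372)
    10.46.144.254.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 344, xid 0xaf0bee89, Flags [Broadcast] (0x8000)
          Client-Ethernet-Address f0:1f:af:0b:ee:89
17:07:24.242238 34:e6:d7:12:7b:d9 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 22414, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 300, xid 0x4cf92dbd, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Discover
17:07:24.242374 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 346: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 6267, offset 0, flags [DF], proto UDP (17), length 328)
    10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x25ef -> 0xdd0d!] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 300, hops 1, xid 0x4cf92dbd, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Discover
17:07:24.243329 00:1a:8c:f0:b1:e8 > 34:e6:d7:12:7b:d9, ethertype 802.1Q (0x8100), length 354: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 336)
    10.46.144.254.67 > 10.46.144.105.68: [udp sum ok] BOOTP/DHCP, Reply, length 308, xid 0x4cf92dbd, Flags [none] (0x0000)
          Client-Ethernet-Address 34:e6:d7:12:7b:d9
            DHCP-Message Option 53, length 1: Offer
17:07:24.243874 34:e6:d7:12:7b:d9 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 374: vlan 144, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 22415, offset 0, flags [none], proto UDP (17), length 356)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 328, xid 0x4cf92dbd, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Request
17:07:24.244010 00:1a:8c:f0:b1:e8 > 00:00:5e:00:01:45, ethertype 802.1Q (0x8100), length 374: vlan 2101, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 6268, offset 0, flags [DF], proto UDP (17), length 356)
    10.46.0.70.67 > 10.46.16.8.67: [bad udp cksum 0x2605 -> 0x344a!] BOOTP/DHCP, Request from 34:e6:d7:12:7b:d9, length 328, hops 1, xid 0x4cf92dbd, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Request
17:07:24.245120 00:1a:8c:f0:b1:e8 > 34:e6:d7:12:7b:d9, ethertype 802.1Q (0x8100), length 359: vlan 144, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 341)
    10.46.144.254.67 > 10.46.144.105.68: [udp sum ok] BOOTP/DHCP, Reply, length 313, xid 0x4cf92dbd, Flags [none] (0x0000)
          Client-Ethernet-Address 34:e6:d7:12:7b:d9
            DHCP-Message Option 53, length 1: ACK
"""

PKT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*? vlan (?P<vlan>\d+),")
UDP_RE = re.compile(
    r"^\s+(?P<src>\S+) > (?P<dst>\S+): \[(?P<cksum>udp sum ok|bad udp cksum[^\]]*)\] "
    r"BOOTP/DHCP, (?P<op>Request|Reply)(?: from (?P<mac>[0-9a-f:]{17}))?"
)
MAC_RE = re.compile(r"Client-Ethernet-Address (?P<mac>[0-9a-f:]{17})")
MSG_RE = re.compile(r"DHCP-Message Option 53, length 1: (?P<msg>\w+)")

def parse_trace(text):
    """One dict per packet: vlan, BOOTP op, client MAC, option-53 type, checksum flag."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:  # first line of a packet: timestamp, MACs, 802.1Q tag
            cur = {"ts": m["ts"], "vlan": int(m["vlan"]), "op": None,
                   "mac": None, "msg": None, "bad_cksum": False}
            packets.append(cur)
        elif cur is None:
            pass
        elif (m := UDP_RE.match(line)):  # UDP/BOOTP line with tcpdump's checksum verdict
            cur["op"] = m["op"]
            cur["bad_cksum"] = m["cksum"].startswith("bad")
            cur["mac"] = m["mac"] or cur["mac"]
        elif (m := MAC_RE.search(line)):  # replies carry the client MAC in the body
            cur["mac"] = m["mac"]
        elif (m := MSG_RE.search(line)):  # option 53 is only decoded when tcpdump ran with -v
            cur["msg"] = m["msg"]
    return packets

def summarise(packets):
    """Per client MAC: (type, vlan) hops in order, bad-checksum count, ACK reached or not."""
    clients = OrderedDict()
    for p in packets:
        if not (p["mac"] and p["op"]):
            continue
        c = clients.setdefault(p["mac"], {"hops": [], "types": [], "bad_cksum": 0})
        kind = p["msg"] or p["op"]  # fall back to the BOOTP op when option 53 is not decoded
        c["hops"].append((kind, p["vlan"]))
        if kind not in c["types"]:
            c["types"].append(kind)
        c["bad_cksum"] += int(p["bad_cksum"])
    for c in clients.values():
        c["complete"] = "ACK" in c["types"]
        c["stalled_after"] = None if c["complete"] else c["types"][-1]
    return clients

def report(clients):
    """One line per client showing where the Discover/Offer/Request/ACK chain breaks."""
    out = []
    for mac, c in clients.items():
        state = "complete (ACK seen)" if c["complete"] else f"stalled after {c['stalled_after']}"
        path = " -> ".join(f"{k}@vlan{v}" for k, v in c["hops"])
        out.append(f"{mac}: {state}; {c['bad_cksum']} packet(s) flagged bad udp cksum; {path}")
    return out

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    print("\n".join(report(summarise(parse_trace(text)))))
```

Run it with a saved capture as the first argument (for example `tcpdump -nnvei <iface> port 67 or port 68 > dhcp.txt`, which is the verbosity level at which option 53 is decoded); without an argument it runs on the constructed sample and prints one line per client. Lines whose chain shows a Request on the client VLAN but no relayed copy, or a relayed copy but no Reply, point at the relay hop or the server respectively; the PXE client in the sample simply never sends a Request after the Offer, which matches the thread's observation.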