PXE boot hangs on Waiting for Approval

In this post I will talk about an issue that can occur during the PXE boot process in a Configuration Manager environment.

After starting the PXE boot on an unknown device, the procedure hung on:

Configuration Manager is looking for policy
Waiting for approval

Figure 1 – PXE Boot

and no operation could be performed on the device.

The scenario consists of a Windows Server 2019 virtual machine on a VMware host (keep this detail in mind) on which the Primary Site and Distribution Point roles are installed; the PXE role has been enabled on the same server with the following settings:

Figure 2 – Configuration Manager PXE configuration

Troubleshooting

Inspection of the PXE logs suggested a network issue: the communication was cut off right after the smsboot\x64\bootmgfw.efi file had been transferred. We checked all Configuration Manager related configuration, the IP helper configuration (no DHCP options, since Configuration Manager no longer supports them for PXE) and the routing configuration (no ACLs), but found nothing wrong.

At this point we collected a network trace with Microsoft Network Monitor. The capture showed that the TFTP packets were correctly delivered to the client and that client and server communicated without any blocking, but the final DHCP reply sent by the Configuration Manager server never reached the client.

For more information on the PXE boot process, refer to the following Microsoft article.
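The comparison described above can be automated. The following is an added example written for this post, not code from the original article or from Microsoft: it parses raw DHCP/BOOTP payloads, tags the proxyDHCP exchange (port 4011) that a PXE client performs with the PXE-enabled distribution point, and compares a capture taken on the server side with one taken on the client side. A reply that exists only in the server-side capture is exactly what DHCP snooping or an NSX DHCP Server Block produces. The packets, MAC address, transaction ID and ports below are constructed placeholders.

```python
"""Spot PXE boot-server replies that leave the server but never reach the client.

Added example, not code from the original post. It parses DHCP/BOOTP payloads,
tags the proxyDHCP (port 4011) exchange of a PXE client, and diffs a
server-side capture against a client-side capture by transaction ID.
All packets are constructed; MAC, XID and ports are placeholders.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
DHCP_SERVER_PORT, DHCP_CLIENT_PORT, PXE_PORT = 67, 68, 4011


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    xid = struct.unpack_from("!I", payload, 4)[0]
    mac = payload[28:28 + hlen].hex(":")                       # chaddr field
    bootfile = payload[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:              # 255 = END option
        if payload[i] == 0:                                    # 0 = PAD, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "mac": mac, "bootfile": bootfile, "options": options}


def classify(sport: int, dport: int, payload: bytes) -> dict:
    """Tag one packet as plain DHCP or PXE traffic, request or reply."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    is_pxe = opts.get(60, b"").startswith(b"PXEClient")          # option 60 vendor class
    bootfile = opts.get(67, b"").rstrip(b"\x00").decode("ascii", "replace") or msg["bootfile"]
    arch = struct.unpack("!H", opts[93])[0] if 93 in opts else None  # option 93 client arch
    if msg["op"] == BOOTREQUEST:
        kind = "pxe-boot-server-request" if is_pxe and dport == PXE_PORT else (
            "pxe-dhcp-request" if is_pxe else "dhcp-request")
    else:
        kind = "pxe-boot-server-reply" if is_pxe and sport == PXE_PORT else (
            "pxe-dhcp-reply" if is_pxe else "dhcp-reply")
    return {"kind": kind, "type": msg_type, "xid": msg["xid"], "mac": msg["mac"],
            "arch": arch, "bootfile": bootfile}


def missing_replies(server_side: list, client_side: list) -> list:
    """Replies present in the server-side capture but absent from the client-side one."""
    seen_by_client = {(c["xid"], c["kind"]) for c in (classify(*p) for p in client_side)}
    return [c for c in (classify(*p) for p in server_side)
            if c["kind"].endswith("reply") and (c["xid"], c["kind"]) not in seen_by_client]


def build_dhcp(op: int, xid: int, mac: bytes, options: list, bootfile: bytes = b"") -> bytes:
    """Assemble a DHCP message for the constructed captures below."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", bootfile)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed data: an x64 UEFI client (arch 7) asking the PXE server on port 4011,
# and the server's ACK pointing at the Configuration Manager boot loader.
CLIENT_MAC = bytes.fromhex("005056aa0001")
XID = 0x1234ABCD
REQUEST = (DHCP_CLIENT_PORT, PXE_PORT, build_dhcp(BOOTREQUEST, XID, CLIENT_MAC,
           [(53, b"\x03"), (60, b"PXEClient:Arch:00007:UNDI:003016"), (93, b"\x00\x07")]))
REPLY = (PXE_PORT, DHCP_CLIENT_PORT, build_dhcp(BOOTREPLY, XID, CLIENT_MAC,
         [(53, b"\x05"), (60, b"PXEClient"), (67, b"smsboot\\x64\\bootmgfw.efi\x00")],
         bootfile=b"smsboot\\x64\\bootmgfw.efi"))
SERVER_SIDE_CAPTURE = [REQUEST, REPLY]   # what the PXE server's NIC saw
CLIENT_SIDE_CAPTURE = [REQUEST]          # what the client saw: the reply was dropped in transit

if __name__ == "__main__":
    for lost in missing_replies(SERVER_SIDE_CAPTURE, CLIENT_SIDE_CAPTURE):
        print(f"{lost['kind']} ({lost['type']}) xid={lost['xid']:#x} for {lost['mac']} "
              f"offering {lost['bootfile']} left the server but never reached the client")
```

In a real investigation the two lists come from captures taken simultaneously on the PXE server and on the client (or on a mirror port in front of it); feed each packet as `(source_port, destination_port, udp_payload)`. Matching on transaction ID plus packet kind is what lets you separate "the server never answered" from "the answer was dropped on the way", which is the distinction that pointed this case toward the switch and the hypervisor rather than Configuration Manager.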

At this point we focused on the features that could block this kind of traffic. DHCP snooping, for example, is a set of techniques applied to improve the security of a DHCP infrastructure: configured on LAN switches, it drops offers from rogue DHCP servers and removes malicious or malformed DHCP traffic. A PXE server answering DHCP requests from a port the switch does not trust is exactly the pattern such a feature is designed to stop.

Resolution

To solve the issue, we first verified that DHCP snooping was not enabled on the physical network switches and disabled it on the virtual switch on the VMware side.

Finally, again on the VMware side, a further change was needed because by default NSX prevents virtual machines from receiving or answering DHCP requests as a server (the DHCP Server Block option). To allow it, we created a new Segment Security Profile in NSX with the DHCP Server Block option disabled and associated the new profile with the network segment the client VLAN belongs to.

In summary, these are the steps to perform:

  • Check and, if necessary, disable DHCP snooping on the physical switch port to which the PXE server is connected;
  • Check and, if necessary, disable DHCP snooping on the virtual switch on the hypervisor side;
  • Check and, if necessary, disable DHCP Server Block on the virtual switch (NSX Segment Security Profile) on the hypervisor side.
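The NSX part of the procedure above can also be done through the NSX-T Policy API instead of the UI. What follows is an added example written for this post, not the original author's procedure and not VMware code: it shows the default profile setting (DHCP server traffic from VMs blocked) beside the corrected one, and builds the two PATCH calls that create the permissive profile and bind it to the segment carrying the client VLAN. The field and object names follow the NSX-T Policy API `SegmentSecurityProfile` and `SegmentSecurityProfileBindingMap` objects as I know them; check them against the API reference of your NSX version. The manager address, credentials, profile ID and segment ID are placeholders.

```python
"""Allow the PXE server to answer DHCP on an NSX-T segment via the Policy API.

Added example, not the original post's procedure or VMware code. Object and
field names follow the NSX-T Policy API SegmentSecurityProfile and
SegmentSecurityProfileBindingMap as I know them; verify for your version.
Manager, credentials, profile and segment IDs are placeholders.
"""
import base64
import json
import ssl
import urllib.request

POLICY_BASE = "/policy/api/v1"


def segment_security_profile(name: str, dhcp_server_block: bool) -> dict:
    """Profile body. dhcp_server_block=True is the default NSX behaviour that drops
    DHCP OFFER/ACK sent *by* a VM, which is exactly what a PXE server emits."""
    return {
        "resource_type": "SegmentSecurityProfile",
        "display_name": name,
        "dhcp_client_block_enabled": False,        # clients may still send requests
        "dhcp_client_block_v6_enabled": False,
        "dhcp_server_block_enabled": dhcp_server_block,
        "dhcp_server_block_v6_enabled": dhcp_server_block,
    }


def binding_map(profile_id: str) -> dict:
    """Binding that attaches the profile to a segment."""
    return {
        "resource_type": "SegmentSecurityProfileBindingMap",
        "segment_security_profile_path": f"/infra/segment-security-profiles/{profile_id}",
    }


def plan(profile_id: str, segment_id: str, map_id: str = "pxe-dhcp-binding") -> list:
    """Ordered (method, path, body) calls: create the permissive profile, then bind it."""
    return [
        ("PATCH", f"{POLICY_BASE}/infra/segment-security-profiles/{profile_id}",
         segment_security_profile("pxe-allow-dhcp-server", dhcp_server_block=False)),
        ("PATCH", f"{POLICY_BASE}/infra/segments/{segment_id}"
                  f"/segment-security-profile-binding-maps/{map_id}",
         binding_map(profile_id)),
    ]


def apply(manager: str, user: str, password: str, steps: list, cafile: str = None) -> list:
    """Send each planned call to the NSX manager with basic auth; returns HTTP status codes."""
    context = ssl.create_default_context(cafile=cafile)   # keep TLS verification on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    codes = []
    for method, path, body in steps:
        req = urllib.request.Request(f"https://{manager}{path}", method=method,
                                     data=json.dumps(body).encode(),
                                     headers={"Authorization": f"Basic {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=context) as resp:
            codes.append(resp.status)
    return codes


if __name__ == "__main__":
    # Placeholders: the profile ID and the segment carrying the PXE clients' VLAN.
    for method, path, body in plan("pxe-allow-dhcp-server", "client-vlan-segment"):
        print(method, path, json.dumps(body))
    # apply("nsx-manager.example.local", "admin", "...", plan("pxe-allow-dhcp-server", "client-vlan-segment"))
```

Keep the permissive profile scoped as narrowly as the platform allows: binding it to the segment as described in this post re-enables DHCP server traffic for every VM on that segment, so the rest of the DHCP-snooping controls on the physical network remain the only protection against a rogue DHCP server there.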

One thought on “PXE boot hangs on Waiting for Approval”

  1. Thanks Davide! This pointed us in the right direction when we couldn’t find any other solution and had rebuilt most of our OSD infrastructure. We recently implemented NSX and hadn’t tried any PXE OSD until now.
    For us, we only needed to create a policy in NSX to disable the DHCP Server Block and applied it to the PXE server logical switch port only. We have DHCP snooping still enabled.
    Thanks again!
    Derek

