In this post I will talk about an issue that can occur during the PXE boot process in a Configuration Manager environment.
After we started the boot process on an unknown device, the procedure was stuck on:
Configuration Manager is looking for policy
Waiting for approval
and we could not perform any operation on the device.
The scenario consists of a Windows Server 2019 virtual machine on a VMware host (remember this information) with the Primary Site and Distribution Point roles installed; the PXE role has been enabled on the same server with the following settings:
After some research in the PXE logs, the issue seemed to be network related, since the communication stopped after the smsboot\x64\bootmgfw.efi file had been transferred. We checked all the Configuration Manager related configuration, the IP helper configuration (no DHCP options, since those are no longer supported) and the routing configuration (no ACLs), but we did not find anything problematic.
At this point we collected a network trace with Microsoft Network Monitor. Examining the capture, we saw that the TFTP packets were correctly sent to the client and that the communication between client and server proceeded without any blocking, but the last DHCPREPLY sent by the Configuration Manager server at the end of the exchange never reached the client.
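The check we did by hand in the capture, matching every DHCP request the client sends to the PXE server with the server's reply, can be scripted. The following is an added example, not code from the original post: the addresses and the packet list are a constructed, simplified summary of a capture (transaction ids are hypothetical), and the function flags the request that never got an answer and the last file transferred before it.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str    # "DHCP" or "TFTP"
    info: str     # DHCP message type, or TFTP request with filename
    xid: int = 0  # DHCP transaction id; 0 for TFTP

# Constructed addresses and trace (hypothetical, not from the post).
DHCP_SERVER, PXE_SERVER, CLIENT, BCAST = "10.0.0.1", "10.0.0.10", "10.0.0.50", "255.255.255.255"
TRACE = [
    Packet("0.0.0.0", BCAST, "DHCP", "DISCOVER", 0x1001),
    Packet(DHCP_SERVER, BCAST, "DHCP", "OFFER", 0x1001),    # address lease
    Packet(PXE_SERVER, BCAST, "DHCP", "OFFER", 0x1001),     # proxyDHCP offer (PXEClient)
    Packet("0.0.0.0", BCAST, "DHCP", "REQUEST", 0x1001),
    Packet(DHCP_SERVER, BCAST, "DHCP", "ACK", 0x1001),
    Packet(CLIENT, PXE_SERVER, "DHCP", "REQUEST", 0x1002),  # boot-server request (UDP 4011)
    Packet(PXE_SERVER, CLIENT, "DHCP", "ACK", 0x1002),      # reply names the first boot file
    Packet(CLIENT, PXE_SERVER, "TFTP", "RRQ smsboot\\x64\\wdsmgfw.efi"),
    Packet(CLIENT, PXE_SERVER, "DHCP", "REQUEST", 0x1003),  # boot loader asks for the next file
    Packet(PXE_SERVER, CLIENT, "DHCP", "ACK", 0x1003),
    Packet(CLIENT, PXE_SERVER, "TFTP", "RRQ smsboot\\x64\\bootmgfw.efi"),
    Packet(CLIENT, PXE_SERVER, "DHCP", "REQUEST", 0x1004),  # last request: reply never captured
]

def diagnose_pxe(trace, pxe_server):
    """Match each DHCP request sent to the PXE server with a reply by xid.
    Returns (sorted unanswered xids, last TFTP file requested before the first gap)."""
    pending = {}      # xid -> last TFTP file requested before that DHCP request
    last_file = None
    for p in trace:
        if p.proto == "TFTP" and p.dst == pxe_server and p.info.startswith("RRQ "):
            last_file = p.info[4:]
        elif p.proto == "DHCP" and p.dst == pxe_server and p.info == "REQUEST":
            pending[p.xid] = last_file
        elif p.proto == "DHCP" and p.src == pxe_server and p.info in ("OFFER", "ACK"):
            pending.pop(p.xid, None)   # request answered
    unanswered = sorted(pending)
    return unanswered, (pending[unanswered[0]] if unanswered else None)

if __name__ == "__main__":
    xids, last = diagnose_pxe(TRACE, PXE_SERVER)
    if xids:
        print(f"{len(xids)} PXE request(s) without a server reply after {last}: "
              f"{[hex(x) for x in xids]}; check DHCP snooping / DHCP Server Block "
              "between the client VLAN and the PXE server")
    else:
        print("All PXE boot-server requests were answered")
```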
For more information on the PXE boot process, refer to the following Microsoft article.
At this point we focused on the features that can block this type of communication. DHCP snooping, for example, is a set of techniques applied to improve the security of a DHCP infrastructure; it can be configured on LAN switches to exclude rogue DHCP servers and drop malicious or malformed DHCP traffic.
To solve the issue, we first verified that DHCP snooping was not enabled on the physical network switches, and we disabled this functionality on the Virtual Switch on the VMware side.
Finally, still on the VMware side, further changes were needed because by default NSX blocks servers from receiving or replying to DHCP requests. To allow it, we created a new “Segment Security Policy” profile in NSX with the DHCP Server Block option disabled; after creating the new profile, we associated it with the network segment to which the client VLAN is connected.
In summary, these are the operations to be performed:
- Check and, if necessary, disable the DHCP snooping functionality on the switch port to which the PXE server is connected;
- Check and, if necessary, disable the DHCP snooping functionality on the Virtual Switch on the hypervisor side;
- Check and, if necessary, disable DHCP Server Block on the Virtual Switch on the hypervisor side.