PXE Boot Fails after 882 blocks transferred



I work for a company which uses Foreman for TFTP PXE boot. I’m relatively new to PXE boot. We are initiating a PXE boot w/ a UEFI file (first TFTP transfer). 882 blocks are ack’ed and sent between the PXE client and the Foreman TFTP server. Foreman sends the 883rd block but the client never receives it. The client is reachable via an IPSEC tunnel between two firewalls. The VPN hub sees that 883rd packet via Wireshark, but the VPN spoke never sees number 883.

PCAPs indicate the device proceeds past all DHCP steps successfully. What would cause the TFTP transfer to stop on the very last packet? The time between 872 packets is right at 52 seconds consistently. The timeouts on the firewalls are 180 seconds far beyond our PXE fail. Any suggestions would be GREATLY appreciated.

I stop reading right here. Do not use TFTP protocol, it is very unreliable. If you have UEFI, switch to UEFI HTTP Boot which avoids TFTP completely. Or switch to iPXE for VMs. You WILL suffer, we have heard ton of stories about TFTP.

We have users who provision servers in moving trains and ships, they had to avoid TFTP completely tho. In the worst case scenario, if your network can load 1MB iPXE, you can chainboot it via PXE and then continue with HTTP from there.

Edit: Alternatively, make a smart-proxy with TFTP in the LAN you want to provision in. That was the idea of smart proxy in the end.

Good luck!

We are running Smart Proxy. Our IPSEC endpoint has our Smart Proxy config’ed as a DHCP helper on the firewall interface. The Smart Proxy is remote from the remote endpoint perspective and it is also reachable from the remote site.

Can you deploy another smart proxy near to the client(s)?