PXE-e18: Server response timeout
(Last updated on February 5, 2021)
I was imaging some recently purchased machines with a Specops Deploy client, but no matter which machine we worked on, we would get a PXE-e18 timeout error.
No response from Windows Deployment server. All the boot files were present and there were no errors in the application log. We did, however, notice that the netbootGUID was changed from MAC to UUID – but that is as far as we got.
The DHCP server was on a different VLAN than the client, but we were able to image other machines in this particular office without a problem. The client was using DHCP scopes 66 and 67, which we removed. We added IP helpers to point the client to the DHCP and Deployment server, but still there was a timeout.
Ran through a few other configurations, such as toggling between legacy BIOS and UEFI, with no luck. We also made sure that the machine had the latest BIOS, which it did not, so we upgraded the BIOS to the latest version. Unfortunately, the machine was still unable to contact the Deployment server.
After hitting F8 during the boot process, we noticed that the client was not getting an IP address. We tried a different ethernet wire, and it still failed.
Finally, I asked him to try a different port on the actual switch – Voilà! We were able to contact the Deployment server and image the machine. I had the network team on the call also, so I asked them to run the config DHCP command on the port that was failing. We noticed that they had enabled DHCP snooping on this specific port. They did not set it up globally, which is why other machines connected to the same switch in the office were able to image with no problem. I had them run no IP DHCP snooping (vlan #), which disabled snooping. Note that this command will vary depending on the switch. We were now able to deploy to machines connected to the original port that was initially failing.
DHCP snooping is a technique where you configure your switch to listen in on DHCP traffic and stop any malicious DHCP packets. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks.
Because PXE and DHCP rely on broadcasts, the switch presumed that the broadcast was from an unauthorized DHCP server, so it dropped the packet.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN, or a range of VLANs.
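The snooping decision described above can be modelled in a few lines. This is an added example, not code from the original post or from any switch vendor: it goes slightly beyond the post by modelling the common rule that server replies (OFFER, ACK, NAK) are accepted only on ports marked as trusted, and the VLAN numbers, port names and packets are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def dhcp_message_type(payload):
    """Return the DHCP message type (option 53) of a BOOTP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            return None
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None          # truncated option
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None

def snoop(payload, vlan, port, snooped_vlans, trusted_ports):
    """Simplified model: on a snooped VLAN, server replies are accepted only on
    trusted ports. Rate limits, MAC checks and option 82 are not modelled."""
    if vlan not in snooped_vlans or port in trusted_ports:
        return "forward"
    if dhcp_message_type(payload) in SERVER_TYPES:
        return "drop"
    return "forward"

def build(op, mtype):
    """Constructed sample packet: empty BOOTP header plus option 53."""
    return struct.pack("!BBBB", op, 1, 6, 0) + bytes(232) + MAGIC + bytes([53, 1, mtype, 255])

# Constructed scenario: snooping on VLAN 10 only, one trusted uplink.
SNOOPED, TRUSTED = {10}, {"Gi1/0/48"}
discover, offer = build(1, 1), build(2, 2)

if __name__ == "__main__":
    for desc, pkt, vlan, port in [
        ("client DISCOVER, untrusted port", discover, 10, "Gi1/0/5"),
        ("server OFFER, trusted uplink", offer, 10, "Gi1/0/48"),
        ("server OFFER, untrusted port", offer, 10, "Gi1/0/12"),
        ("server OFFER, VLAN without snooping", offer, 20, "Gi1/0/12"),
    ]:
        print(f"{desc}: {snoop(pkt, vlan, port, SNOOPED, TRUSTED)}")
```

In this model, a server reply that reaches the switch on an untrusted port of a snooped VLAN is dropped, which a PXE client experiences as a timeout.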
So if your client is unable to contact the Deployment server to download the boot file, and you have a switch between the client and Deployment server, verify that IP helpers are in place, check the ethernet wire, and try a different port to eliminate any hardware between the client and the Deployment server.
Good luck imaging!