PXE boot is failing when DHCP Server or Client is connected to NSX segment or DVPG

Article ID: 320299

Updated On: 02-27-2025

Products

VMware NSX, VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention, VMware NSX Firewall

Issue/Introduction

  • PXE clients are unable to complete the Preboot Execution Environment (PXE) boot process after receiving an IP address.
  • The DHCP client or server (such as a SCCM server) used for PXE boot is connected to an NSX segment or DVPG with a security-only installation.
  • The issue persists even after adding the PXE DHCP server to the DFW exclusion list.
  • PXE clients are typically stuck on the "Waiting for Approval" screen.

Environment

VMware NSX - All versions

Cause

The issue occurs because the Segment Security Profile applied to the Segment or DVPG has the DHCP Server Block feature enabled.

The default Segment Security Profile for the NSX Segment or DVPG has the DHCP Server Block set to "Yes".

This setting blocks all traffic from DHCP servers to DHCP clients; this traffic is delivered to the client on UDP port 68.

This behaviour is documented in the NSX Administration Guide.

For example, for NSX 4.1 it is described on the public documentation page below.

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/segments/segment-profiles/understanding-segment-security-segment-profile.html

Note that the default segment security profile has the DHCP settings Server Block and Server Block - IPv6 enabled.
This means that a segment that uses the default segment security profile will block traffic from a DHCP server to a DHCP client.
If you want a segment that allows DHCP server traffic, you must create a custom segment security profile for the segment.

However, according to the Microsoft documentation "Understand PXE boot in Configuration Manager", the PXE process needs DHCP ports 67 and 68 open between the client and the PXE server.

Note: The ProxyDHCP reply used by PXE has UDP source port 4011 and UDP destination port 68. With DHCP Server Block enabled, this traffic is also dropped.
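To make the cause concrete, the following is an added Python example (not from this article or from VMware). It models the Server Block behaviour described above for the two server-to-client PXE flows the article names, and scans a constructed profile listing for profiles that still block DHCP server traffic; the JSON shape and the field names `dhcp_server_block` / `dhcp_server_block_v6` are assumptions, not taken from the article.

```python
import json

# Constructed sample shaped like an NSX segment security profile listing.
# Field names are assumed for illustration, not quoted from the article.
SAMPLE_PROFILES = json.dumps({"results": [
    {"display_name": "default-segment-security-profile",
     "dhcp_server_block": True, "dhcp_server_block_v6": True},
    {"display_name": "pxe-segment-security",
     "dhcp_server_block": False, "dhcp_server_block_v6": False},
]})

# The two server-to-client flows the article names, as (source, destination) UDP ports.
PXE_SERVER_FLOWS = {"dhcp_offer": (67, 68), "proxydhcp_reply": (4011, 68)}


def profiles_blocking_dhcp_server(api_json):
    """Names of profiles that still have DHCP Server Block (IPv4 or IPv6) enabled."""
    profiles = json.loads(api_json).get("results", [])
    return [p["display_name"] for p in profiles
            if p.get("dhcp_server_block") or p.get("dhcp_server_block_v6")]


def is_dropped(src_port, dst_port, dhcp_server_block):
    """Model of the Server Block check as the article describes it: with the option
    on, server-to-client DHCP traffic (UDP destination port 68) is dropped regardless
    of the source port, so 4011->68 is dropped just like 67->68. The check belongs to
    the segment profile, not the DFW, which is why a DFW exclusion does not help."""
    return bool(dhcp_server_block) and dst_port == 68


def dropped_pxe_flows(dhcp_server_block):
    """Which of the PXE server-side flows a segment with this setting would drop."""
    return sorted(name for name, (src, dst) in PXE_SERVER_FLOWS.items()
                  if is_dropped(src, dst, dhcp_server_block))


if __name__ == "__main__":
    print("profiles still blocking DHCP server traffic:",
          profiles_blocking_dhcp_server(SAMPLE_PROFILES))
    print("dropped with default profile:", dropped_pxe_flows(True))
    print("dropped with custom profile:", dropped_pxe_flows(False))
```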

Resolution

A customized segment security profile must be created by following the steps on the public page below. Ensure that the DHCP "Server Block" option is disabled, then apply the profile to the segment/DVPG connected to the PXE Configuration Manager.

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/segments/segment-profiles/understanding-segment-security-segment-profile/create-an-nsx-segment-security-segment-profile.html

In the NSX user interface: Networking > Segments > Segment Profiles > Segment Security.

Note: If the issue persists after applying the new customized segment security profile, it may indicate a different underlying problem. In this case, please log a new service request through the Broadcom support portal.