pxeboot(8) NFS code breaks PIX/ASA policy
    Brian A. Seklecki
    lavalamp at spiritual-machines.org
    Tue Sep  5 16:04:17 PDT 2006

I'm PXE booting systems using the "dhcprelay" feature on a PIX 525 running 
7.1(2).  The TFTP retrieval of /tftpboot/pxeboot works fine; 
however, once loaded, NFS mount requests to the server fail per the 
following messages.  In my config, all layer 4->7 packet "inspection" 
features are turned off.

Any ideas why pxeboot would set the destination UDP port number to 0?  It 
should be UDP/111 and UDP/2049, but alas tcpdump on the server shows 
nothing coming through.

My work-around right now is to recompile pxeboot w/o NFS support and use 
TFTP file retrieval...which...sort of works.
TIA,
~BAS
--
Sep 05 2006 17:38:15: %PIX-4-500004: Invalid transport field for 
protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0
Sep 05 2006 17:38:19: %PIX-4-500004: Invalid transport field for 
protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0
According to Cisco:
%PIX-4-500004: Invalid transport field for protocol=protocol, from 
src_addr/src_port to dest_addr/dest_port
Explanation: This message appears when there is an invalid transport 
number, in which the source or destination port number for a protocol is 
zero. The protocol field is 6 for TCP and 17 for UDP.
---
l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/
"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
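To spot this condition in the firewall syslog rather than by tcpdump, an added example (not part of the post, nor pxeboot or PIX code): a small Python parser for the %PIX-4-500004 message format quoted above that counts flows whose source or destination port is zero. The sample log embeds the two lines from the post plus one constructed unrelated line the parser must ignore.

```python
import re
from collections import Counter

# Message shape quoted in the post:
# "%PIX-4-500004: Invalid transport field for protocol=UDP, from A/P to B/Q"
PIX_500004 = re.compile(
    r"%PIX-4-500004: Invalid transport field for protocol=(?P<proto>\w+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Ports the post says the NFS mount should actually be using (portmapper, nfsd).
EXPECTED_NFS_PORTS = {111, 2049}


def parse_500004(line):
    """Return a dict (proto, src, sport, dst, dport) for a %PIX-4-500004 line,
    or None for any other syslog line."""
    m = PIX_500004.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def zero_port_flows(lines):
    """Count (proto, src, dst) tuples the PIX rejected because one port was 0.
    This is the 'invalid transport field' condition from the Cisco text."""
    counts = Counter()
    for line in lines:
        rec = parse_500004(line)
        if rec is None:
            continue
        if rec["sport"] == 0 or rec["dport"] == 0:
            counts[(rec["proto"], rec["src"], rec["dst"])] += 1
    return counts


SAMPLE_LOG = [
    # the two lines quoted in the post
    "Sep 05 2006 17:38:15: %PIX-4-500004: Invalid transport field for "
    "protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0",
    "Sep 05 2006 17:38:19: %PIX-4-500004: Invalid transport field for "
    "protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0",
    # constructed filler line that must not match
    "Sep 05 2006 17:38:20: unrelated syslog line (constructed for this example)",
]

if __name__ == "__main__":
    for (proto, src, dst), n in zero_port_flows(SAMPLE_LOG).items():
        print(f"{n}x {proto} {src} -> {dst}: port 0, expected one of {sorted(EXPECTED_NFS_PORTS)}")
```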