vSphere 5 Auto Deploy PXE booting through Cisco ASA firewall

In response to my blog post on “vSphere 5 – How to run ESXi stateless with vSphere Auto Deploy”, I received a comment from Rob Ellison, who ran into issues when PXE booting through a Cisco ASA firewall. In a second comment he explained how he solved the issue. It turned out that the gPXE client was sending TCP segments whose payload (1448 bytes in his capture) exceeded the MSS the ASA enforces for the connection (by default the ASA clamps the MSS to 1380 with sysopt connection tcpmss); the ASA's TCP normalizer silently drops such segments with the drop reason tcp-mss-exceeded, so the transfer of the boot image stalls and the host never boots. Below is his solution: first confirm the drop reason with the ASP drop counters and a capture, then use a tcp-map with exceed-mss allow to relax that one check only for traffic to the Auto Deploy server. Keep the access-list that narrow; allowing over-size segments globally weakens TCP normalization for everything the ASA inspects. Should you have any questions on this specific issue, feel free to contact Rob. Thank you Rob for this solution.

Rob Ellison, Managed Hosting Technical Architect
Twitter: @robellison
Google Plus: Rob Ellison

My series on VMware vSphere 5 Auto Deploy:

vSphere 5 – How to run ESXi stateless with vSphere Auto Deploy
vSphere 5 Auto Deploy PXE booting through Cisco ASA firewall
Updating your ESXi host using VMware vSphere 5 Auto deploy
My first Auto Deploy design for real production environment

Confirm the ASA is dropping packets due to frame size:

show asp drop frame tcp-mss-exceeded
TCP data exceeded MSS (tcp-mss-exceeded)

Create a capture:

capture mss-capture type asp-drop tcp-mss-exceeded packet-length 1518

View the output after a failed boot:

show capture mss-capture
5 packets captured

1: 08:51:15.489278 802.1Q vlan#99 P0 10.x.x.x.6519 > <ip of auto-deploy>.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516952 120427860>
2: 08:51:15.963420 802.1Q vlan#99 P0 10.x.x.x.6519 > <ip of auto-deploy>.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516961 120427860>
3: 08:51:16.952099 802.1Q vlan#99 P0 10.x.x.x.6519 > <ip of auto-deploy>.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516979 120427860>
4: 08:51:18.930097 802.1Q vlan#99 P0 10.x.x.x.6519 > <ip of auto-deploy>.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 517015 120427860>
5: 08:51:22.884140 802.1Q vlan#99 P0 10.x.x.x.6519 > <ip of auto-deploy>.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 517087 120427860>
5 packets shown

To resolve (ASA CLI, entered in configuration mode; lines starting with ! are comments):

! Match only traffic destined for the Auto Deploy server, so the relaxed check applies nowhere else.
access-list vmware-auto-deploy permit tcp any host <auto-deploy-host>
class-map vmware-auto-deploy
match access-list vmware-auto-deploy
exit
! A tcp-map holds TCP normalizer options; exceed-mss allow forwards segments whose payload
! is larger than the MSS instead of dropping them with tcp-mss-exceeded.
tcp-map mss-map
exceed-mss allow
exit
! Bind the tcp-map to the matched class through a policy-map ...
policy-map vmware-auto-deploy
class vmware-auto-deploy
set connection advanced-options mss-map
exit
exit
! ... and apply the policy on the interface facing the ESXi hosts, where the gPXE traffic enters the ASA.
service-policy vmware-auto-deploy interface <esxi server interface>
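The five packets in the capture above are the same 1448-byte segment, with the same sequence range, retransmitted with roughly doubling gaps and never acknowledged; that pattern is the signature of the normalizer silently eating the client's data. The script below is an added example, not part of the original post or of Rob's configuration: it parses "show capture" output of that shape and reports, per distinct segment, how many times it was retransmitted, the backoff intervals between attempts and whether its payload exceeds an MSS threshold. The capture lines embedded in it are constructed to mirror the ones shown above (the placeholder addresses replaced with documentation-range IPs), and the 1380-byte threshold is an assumption that the ASA's sysopt connection tcpmss setting was left at its default.

```python
"""Summarise Cisco ASA 'show capture' output for a tcp-mss-exceeded asp-drop capture.

Added example for this post; not the original author's or Rob Ellison's code.
The sample capture is constructed (documentation-range addresses) to match the
shape of the capture shown on the page. ASA_DEFAULT_MSS assumes the firewall's
'sysopt connection tcpmss' value was left at its default of 1380.
"""
from __future__ import annotations

import re
from collections import defaultdict

ASA_DEFAULT_MSS = 1380  # assumption: default 'sysopt connection tcpmss'

# Constructed sample: one 1448-byte segment retransmitted five times, never acked.
SAMPLE_CAPTURE = """\
5 packets captured

1: 08:51:15.489278 802.1Q vlan#99 P0 10.0.0.10.6519 > 192.0.2.20.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516952 120427860>
2: 08:51:15.963420 802.1Q vlan#99 P0 10.0.0.10.6519 > 192.0.2.20.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516961 120427860>
3: 08:51:16.952099 802.1Q vlan#99 P0 10.0.0.10.6519 > 192.0.2.20.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 516979 120427860>
4: 08:51:18.930097 802.1Q vlan#99 P0 10.0.0.10.6519 > 192.0.2.20.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 517015 120427860>
5: 08:51:22.884140 802.1Q vlan#99 P0 10.0.0.10.6519 > 192.0.2.20.6501: P 888399370:888400818(1448) ack 2273403046 win 8192 <nop,nop,timestamp 517087 120427860>
5 packets shown
"""

# One packet line: "N: HH:MM:SS.ffffff [802.1Q vlan#V Pp] src.port > dst.port: FLAGS lo:hi(len) ..."
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\)"
)


def _seconds(hhmmss: str) -> float:
    """Convert the capture's wall-clock timestamp to seconds since midnight."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> list[dict]:
    """Return one dict per packet line; the 'N packets captured/shown' lines are skipped."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        seg = {
            "num": int(d["num"]),
            "t": _seconds(d["time"]),
            "src": f'{d["src"]}:{d["sport"]}',
            "dst": f'{d["dst"]}:{d["dport"]}',
            "seq": (int(d["seq_lo"]), int(d["seq_hi"])),
            "length": int(d["length"]),
        }
        # The ASA prints lo:hi(len); a mismatch means a mangled line, not a real packet.
        if seg["seq"][1] - seg["seq"][0] != seg["length"]:
            raise ValueError(f"inconsistent length on packet {seg['num']}")
        segments.append(seg)
    return segments


def summarize(segments: list[dict], mss: int = ASA_DEFAULT_MSS) -> list[dict]:
    """Group identical segments (same flow, same sequence range) and report
    retransmission count, backoff intervals and whether the payload exceeds mss."""
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for s in segments:
        groups[(s["src"], s["dst"], s["seq"])].append(s)
    report = []
    for (src, dst, seq), segs in groups.items():
        segs.sort(key=lambda s: s["t"])
        times = [s["t"] for s in segs]
        report.append({
            "src": src,
            "dst": dst,
            "seq": seq,
            "length": segs[0]["length"],
            "exceeds_mss": segs[0]["length"] > mss,
            "retransmissions": len(segs) - 1,
            "intervals": [round(b - a, 6) for a, b in zip(times, times[1:])],
        })
    return report


if __name__ == "__main__":
    for r in summarize(parse_capture(SAMPLE_CAPTURE)):
        verdict = "exceeds" if r["exceeds_mss"] else "within"
        print(f'{r["src"]} -> {r["dst"]} seq {r["seq"][0]}:{r["seq"][1]} '
              f'len {r["length"]} ({verdict} MSS {ASA_DEFAULT_MSS}), '
              f'{r["retransmissions"]} retransmissions, backoff {r["intervals"]}')
```

On the constructed sample the script reports a single segment of 1448 bytes, over the 1380-byte threshold, retransmitted four times with intervals that roughly double each time; on a healthy boot you would instead see many distinct sequence ranges, each appearing once. Paste the real "show capture mss-capture" output in place of SAMPLE_CAPTURE, and pass the MSS actually configured on the ASA to summarize() if sysopt connection tcpmss has been changed from the default.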