From: "Brian A. Seklecki"
Date: Tue, 5 Sep 2006 19:04:13 -0400 (EDT)
To: freebsd-questions@freebsd.org
Message-ID: <20060905185526.O88388@arbitor.digitalfreaks.org>
Subject: pxeboot(8) NFS code breaks PIX/ASA policy

I'm PXE booting systems using the "dhcprelay" feature on a PIX 525 running 7.1(2). The TFTP retrieval of /tftpboot/pxeboot works fine; however, once loaded, NFS mount requests to the server fail per the following messages. In my config, all layer 4->7 packet "inspection" features are turned off.

Any ideas why pxeboot would set the destination UDP port number to 0? It should be UDP/111 and UDP/2049, but alas tcpdump on the server shows nothing coming through.

My work-around right now is to recompile pxeboot w/o NFS support and use TFTP file retrieval... which... sort of works.

TIA,

~BAS

--

Sep 05 2006 17:38:15: %PIX-4-500004: Invalid transport field for protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0
Sep 05 2006 17:38:19: %PIX-4-500004: Invalid transport field for protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0

According to Cisco:

%PIX-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port

Explanation: This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.

---
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."
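A small parser for the %PIX-4-500004 message format quoted above, added here as an example and not part of the original post. It extracts the endpoints, maps the numeric protocol field (6/17) to TCP/UDP as Cisco's explanation describes, and reports which side carries the zero port, so the "is pxeboot really sending to port 0?" question can be answered from the firewall log alone; the log lines are the two from the post plus one constructed line with a numeric protocol field.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco PIX 7.x syslog format, as quoted in the post:
#   <Mon DD YYYY HH:MM:SS>: %PIX-4-500004: Invalid transport field for
#   protocol=<proto>, from <src_addr>/<src_port> to <dest_addr>/<dest_port>
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-4-500004: "
    r"Invalid transport field for protocol=(?P<proto>\w+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)$"
)
# Per Cisco's explanation: the protocol field is 6 for TCP and 17 for UDP.
_PROTO_NAMES = {"6": "TCP", "17": "UDP"}

@dataclass
class InvalidTransport:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def zero_side(self) -> str:
        """Which port the firewall objected to: source, destination, both or none."""
        if self.sport == 0 and self.dport == 0:
            return "both"
        if self.dport == 0:
            return "destination"
        return "source" if self.sport == 0 else "none"

def parse_line(line: str) -> Optional[InvalidTransport]:
    """Parse one syslog line; return None for anything that is not a 500004 message."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    proto = _PROTO_NAMES.get(m["proto"], m["proto"].upper())
    return InvalidTransport(m["ts"], proto, m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]))

def summarize(lines: List[str]) -> Dict[Tuple[str, str, str, str], int]:
    """Count drops per (src, dst, proto, zero_side) so repeated mount retries collapse."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec.src, rec.dst, rec.proto, rec.zero_side)] += 1
    return dict(counts)

# Constructed sample: the two lines from the post plus one with a numeric protocol field.
SAMPLE_LOG = [
    "Sep 05 2006 17:38:15: %PIX-4-500004: Invalid transport field for protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0",
    "Sep 05 2006 17:38:19: %PIX-4-500004: Invalid transport field for protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0",
    "Sep 05 2006 17:40:02: %PIX-4-500004: Invalid transport field for protocol=17, from 10.0.0.5/0 to 192.168.128.40/2049",
]
```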