Hi,
Background: We have an environment where we have MPLS + IPSEC on the bottom. On top of that we've built another network with SRX firewalls using IPSEC-tunnels (without encryption). So it's IPSEC inside IPSEC. For those reason's I've dropped the IPSEC MSS size to 1300 in the SRX firewalls and everything works. We have different SRX series firewalls, mostly 550 ones. We are running latest firmware (12.3X48-D55). We have DHCP-server and separate SCCM/WDS server located in one site from where we want to deploy workstation installation using PXE/TFTP.
1st attempt: We configured dhcp-relay using JDHCP meaning "routing-instances VR forwarding-options dhcp-relay" and clients received IP but we were unable to get workstation installations start. We tried all the options you can set under dhcp-relay but I think options 66/67 (PXE boot server IP/Bootfile name) were not delivered to client because no TFTP attempts were seen in the traffic logs.
2nd attempt: We switched to bootp meaning "forwarding-options helpers bootp" and with this configuration we managed to get the options 66/67 delivered to the client because after that we saw TFTP traffic between client and SCCM/WDS server. Although installation did not start no matter what we tried:
- Disabling TFTP ALG in the SRX's
- Changing different variables in the SCCM/WDS server affecting TFTP packet size, MTU etc.
We've tested that this configuration works locally in the site where the DHCP and SCCM/WDS servers are located so the problem is narrowed down to IPSEC between the sites.
All ideas and suggestions are welcome, thanks!