I recently had to segment a network into a few VLANs. This meant the new VLAN was on a different subnet from the WDS server, so machines were not getting the PXE traffic.

  1. Make sure the WDS server is routable from the VLAN (create a route, enable firewall).
  2. Enable a second IP helper address pointing at the WDS server. You might already have an IP helper address if your DHCP server is on a different subnet, but you can have multiple.

PXE does not come with a dedicated boot protocol. It is simply DHCP packets extended with additional DHCP options. It was formerly known as the bootstrap protocol. When a PXE-enabled network card sends out a DHCP discover packet, it adds DHCP option 60, which includes the string “PXEClient:Arch:xxxxx:UNDI:yyyzzz”. Then it waits for DHCP offers.

It will only respond if it gets a DHCP offer that includes option 60, which means: I am PXE capable and able to send out boot server and boot file information.

The DHCP offer can be split into two independent packets coming from different servers. The DHCP server can send the DHCP offer containing the client's IP address, and the PXE server can send the DHCP offer containing option 60.
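
An added example (not from the original post) of the split offer described above: it parses constructed DHCP packets and reports which server supplied the lease and which one answered with option 60. The addresses, MAC address and function names are assumptions made for illustration; an empty `pxe_from` is what the client on the new VLAN sees when the helper address for the WDS server is missing.

```python
import socket
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def build(msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", server=None, vendor=None):
    """Build a minimal DHCP packet. Constructed sample data, not a capture."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1 if msg_type == 1 else 2, 1, 6, 0,
                      0x1234ABCD, 0, 0x8000, bytes(4), socket.inet_aton(yiaddr), bytes(4),
                      socket.inet_aton(giaddr), bytes.fromhex("0050569a0001"), b"", b"")
    opts = bytes([53, 1, msg_type])                                        # 53: message type
    opts += bytes([54, 4]) + socket.inet_aton(server) if server else b""   # 54: server id
    opts += bytes([60, len(vendor)]) + vendor.encode() if vendor else b""  # 60: vendor class
    return hdr + MAGIC + opts + b"\xff"

def parse(pkt):
    """Return yiaddr, giaddr (set by the IP helper/relay) and the DHCP options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    msg = {"yiaddr": socket.inet_ntoa(pkt[16:20]),
           "giaddr": socket.inet_ntoa(pkt[24:28]), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        msg["options"][pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return msg

def split_offers(raw_offers):
    """Report which server supplied the lease and which answered as PXE server."""
    seen = {"lease_from": None, "client_ip": None, "pxe_from": None}
    for msg in map(parse, raw_offers):
        if msg["options"].get(53) != b"\x02":      # only look at DHCPOFFER
            continue
        sid = msg["options"].get(54)
        server = socket.inet_ntoa(sid) if sid else None
        if msg["yiaddr"] != "0.0.0.0":
            seen["lease_from"], seen["client_ip"] = server, msg["yiaddr"]
        if msg["options"].get(60, b"").startswith(b"PXEClient"):
            seen["pxe_from"] = server
    return seen

# Constructed scenario: relay on the new VLAN 10.0.20.1, DHCP 10.0.10.5, WDS 10.0.10.6.
DISCOVER = build(1, giaddr="10.0.20.1", vendor="PXEClient:Arch:00007:UNDI:003016")
DHCP_OFFER = build(2, yiaddr="10.0.20.50", giaddr="10.0.20.1", server="10.0.10.5")
WDS_OFFER = build(2, giaddr="10.0.20.1", server="10.0.10.6", vendor="PXEClient")
```

Calling `split_offers([DHCP_OFFER, WDS_OFFER])` returns both servers, while `split_offers([DHCP_OFFER])` leaves `pxe_from` as `None`.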

Recently I was trying to get a WDS server PXE booting using both Legacy and UEFI booting. I followed the DHCP guide here. Legacy worked, however UEFI was not working. I double-checked on the WDS server for the option 67 file with a file share, and in

\\%IPOFSERVER%\reminst\Boot\x64 existed but no wdsmgfw.efi

Running a rebuild of the boot files also did not fix this for some reason. In the end I copied the file from:


and it resolved the issue.

Users who could connect were no longer connecting to our FortiGate.

If using VDOMs, use:

#conf global

#diagnose sys top

Check the memory usage (it should not be over 80%).

Enable debug for the VPN:

#dia debug en
#dia debug reset
#dia debug application sslvpn -1

Then connect the VPN and check the logs for that user.

Found: “no more addresses” on the FortiGate

#diagnose debug disable

#exec vpn sslvpn list

If using VDOMs, use this before:

#conf vdom

#edit <VDOM name>

Users were getting 4 addresses in the SSL VPN sessions instead of one, which was filling up the DHCP list.

#fnsysctl ps

Find the PID of sslvpnd, then run:

#diag sys kill 11 <pid>

The VPN service will restart automatically.


If FortiClient fails at the following stages, the likely cause is as follows:

  • 10% – Local Network/PC issue

  • 40% – Application or the FortiGate causing the error, occasionally caused by the local machine's/network setup

  • 45% – MultiFactor Authentication

  • 80% – Username/Password issue

  • 98% – Corruption of services, often resolved by reinstalling the client on the laptop


Client Logging

You will want to:

  1. Clear the logs if you have any there.
  2. Set the log level to Debug to ensure the highest verbosity. (Make sure to disable it after troubleshooting.)
  3. Run the attempt, and then export the logs.

Recently had a problem with a DHCP server randomly not leasing out DHCP addresses. Restarting the service would not fix this; the only thing that would bring it back was a server restart.

The last entry in the log files would be a Renew. The DHCP database looked fine. There was a DHCP Memory leak in the event log.

The server assigned addresses for over 1500 clients, however it was using the E1000 adapter. Once we changed this to VMXNET 3, it resolved the issue.

Recently had a problem where DNS entries for a server were disappearing in Active Directory. We set the records manually, and after multiple runs of ipconfig /registerdns it still would not hold the entry in Active Directory.

We removed the device from the domain and rejoined it, still to no avail (to check that domain trust was not the problem).

In the end we had to set the DNS entry statically on some of the servers until we found out what was causing it to be removed.


Turns out someone had configured the RAS server to assign DHCP addresses on the same range where the statically assigned ones were. This wouldn’t have caused an IP conflict due to clever RAS routing, however it would have caused the DNS issue we saw randomly (whenever someone logged into RAS to assign themselves an address!).

