WDS service crashes when F5 Global Traffic Manager "monitor" packets are being used

Applies to: Windows Server 2012 StandardWindows Server 2012 StandardWindows Server 2012 R2 Standard


The Windows Deployment Services (WDS) service intermittently crashes in an environment in which F5 Global Traffic Manager is being used.

Additionally, you may see text that resembles one of the following in a packet capture:
  • <source ip> <dest ip>UDP UDP:SrcPort = <srcport>, DstPort = 67 or 4011, Length = 27
  • <source ip> <dest ip> DHCP DHCP:UNHANDLED DHCP OpCode, 100(0x64)
You may see this text together with bytes that start with the following opcode field:
64 65 66 61 75 6C 74 20 73 65 6E 64 20 73 74 72 69 6E 67 (= "default send string")


F5 Global Traffic Manager defines various protocol "monitors" that send packets to target switches to test reliability. One such monitor is used for User Datagram Protocol (UDP) ports and includes raw bytes that contain the "default send string" string.

The WDS service listens for incoming Pre-boot Execution Environment (PXE) requests that contain Dynamic Host Configuration Protocol (DHCP) proxied data. A bug exists in which WDS does not check that these packets have well-formed DHCP header fields. WDS parses these UDP monitor packets and encounters the "default send string" string instead of the DHCP opcode field value. Therefore, WDS miscalculates the length of the packet. This causes an access violation in unallocated memory, and the service crashes.


To resolve this issue, configure the F5 Global Traffic Manager by using exceptions in such a way that these devicesdo not send UDP monitor packets to the following ports on the WDS server:
  • 67 (BOOTP)
  • 68 (BOOTP)
  • 4011 (ProxyDHCP)
For UDPv6:
  • 546, 547 (DHCPv6)