BAD_ADDRESS causing DHCP to fill up.

Jim 271

I have a File/Print/DHCP/DNS server 2012 with about 30-40 users. For some reason, every couple of months (last time was 6/5/20, not today), it fills the scope with BAD_ADDRESS entries. Subsequently VPN users start calling me. I have never found a definitive answer as to why this happens. Each time I look around, can find nothing about it and just delete the entries. A few may trickle back for a bit, but essentially it just goes away. In the image below you will not the "Unique ID", which for other entries is their MAC address, is different. It always looks like this.

Anyway, any help on how I can track this down would be helpful.

Networkgurus 1 Reputation point

2021-08-18T17:33:34.027+00:00

Did you ever get this figured out? I have the exact same problem with those some incomplete mac_addresses causing this exact same issue. It's also intermittent.
CT_IT_Guy 1 Reputation point

2021-08-27T18:42:21.8+00:00

We just went through this last month... we were in the middle of a workstations / thin clients refresh for a client and this started to happen after a blip in the power for the building that resetted all computers and network equipment except the main servers.

Typically this would happen if a lot of devices end up getting ip conflicted addresses.. the resolution is to clear out all bad_addresses and reboot your devices while watching the DHCP and clearing out the new ones.

Might need to keep an eye on it for a few days in case any old device didn't reboot and it has a "duplicate" ip address, but should be done within a week on a regular sized business. Or just schedule a reboot of devices every night for a week and watch your scope, making a scrip to clear out bad_addresses and make it run every 4 hours and should be good within a week (stop the script to verify).
Dave Webb 15 Reputation points

2023-04-05T12:46:54.6533333+00:00
I have seen this several times on different client networks, usually related to wifi devices.. Here is how I resolved it:

I checked the event logs for the DHCP server, specifically "Application and Service Logs"->"Microsoft"->"Windows"->"DHCP-Server"->"Microsoft-Windows-DHCP Server Events/Admin". After the pool ran out of space (which you could reduce the size of the pool to get this to come to this condition more quickly), it started recording the mac addresses of the units it was turning away. Take note of the most frequently seen mac address as it is likely your bogey.

I cleared out all of the Bad Address entries, and waited for them to start reappearing.

While I was waiting, I logged into the Layer-3 device (in our case a switch, but it could also be your firewall if you have a smaller network) that handled our wifi devices (VLAN).

When a few of the bad address entires started populating, I checked the ARP table in the Layer3 device to see what Mac address was associated with them. No surprise - it was the same MAC I came to suspect from the event logs.

I logged into our Wifi system (in our case Ubiquiti), and cross referenced the mac address against clients, which gave me the name of the offending laptop.

We took that person out back and had them executed. (Just kidding). We upgraded the Wifi NIC driver on that laptop and rebooted and the problem stopped.

The technical cause is that the Laptop/Wifi NIC was replying to every ping regardless of address, which caused the DHCP server to think the address was already in use, and flagged it as a "Bad Address". Dont bother with the Unique ID on those bad addresses, they are a HEX rendering of the IP address that was marked as bad and don't relate to the offending computer at all. Happy Hunting Dave W (Troy, Oh)
Saurav 0 Reputation points Microsoft Employee

2023-05-25T10:13:00.3833333+00:00

Hello Dave, can you share the event ID number at the DHCP server under "Microsoft-Windows-DHCP Server Events/Admin"?

14 answers

Gloria Gu 3,891 Reputation points

2020-09-24T05:50:09.223+00:00

Hi,

Thank you for posting in Q&A!

BAD_address are created when an IP conflict is detected, please check the following information:
Firstly Common Sense Check: If this has just happened what have you changed? Have you added any Wireless Controllers, or Access Points? Have you deployed any new Switches or Firewalls.

1.Make sure you have only one DHCP in the network and the DHCP server is not running on a multihomed computer.
2.During the troubleshooting process, disable the DHCP fail-over and make the scope available on one Server only to isolate the perception of DHCP Fail-over or multiple DHCP Servers issue.
3.Check the router settings.
4.Use some tools such as Wireshark to ****capture Live Network Data and analyze the process of Ip address** distribution**. The following is a case similar like your situation. It is successfully solved by Wireshark, please refer to:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/bab06be8-a6e0-4392-84f0-c89bf8030804/dhcp-bad-ip-address-scope-filling-fast-and-detecting-as-conflict?forum=winserveripamdhcpdns

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Falcon IT Services 226 Reputation points

2020-09-24T12:14:20.407+00:00

Yeah, I have seen people bring in Wireless routers/AP's and connect them to the LAN as hot spots. If that was the case, the MAC address would be complete and Windows DHCP service would detect a DHCP conflict and stop. Also, if it was someone using spoofing software the fake MAC address would still be complete.

Since you are using Windows DHCP, you may want to enable MAC address filtering and only allow addresses from an ALLOW list, that should take care of the issue, but not the mystery behind it.

Another thing you might try is creating a DHCP exclusion pool for VPN users and having Sonicwall serve up address for the VPN users. The incomplete address may be the Sonicwall relaying off the Windows DHCP server.

Miguel Fra
www.falconitservices.com
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Tyler Melton 6 Reputation points

2022-08-16T13:26:20.893+00:00

This was caused in our environment by a VPN connection being enabled within the network. It would ask for an IP, DHCP would give it one and the would refuse the IP and ask for another until the IP address pool was all taken up.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Falcon IT Services 226 Reputation points

2020-09-23T14:21:36.04+00:00

Hello Jim,

Have you checked that the VPN DHCP pool of addresses do not overlap with the LAN DHCP pool? Also, make sure there is only one DHCP server on the network segment.

The above error is usually a result of the DHCP pinging the IP before leasing it and getting a response.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Jim 271 Reputation points

2020-09-24T11:14:45.423+00:00

Thanks.

I'm running a SonicWALL firewall and it is set to assign the IP address of an incoming client from the same server mentioned above. It is not running DHCP. There is one other serve on the network (Backup DC) with DHCP Server not running. I have one Wireless AP, no DHCP running

The thing is that this happens VERY intermittently, and all at once. For example, the last time before this time it was back in early June. Also, make note of the "unique ID", that is not a Mac address like the others, and they are all similar. This last time there were only maybe 5 people in the office (COVID) and it started up ~09:30, when those people were coming in. I'm remote. My in-office contact told me that he restarted the Comcast router when a couple of people were having connection issues. He is not technical and that is his go-to response. The issue did seem to go away after that.

My point being, all these variables are constant, why is the problem intermittent and rare?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment