
0 Votes
Jim-5513 asked Networkgurus-3458 answered

BAD_ADDRESS causing DHCP to fill up.

I have a File/Print/DHCP/DNS server 2012 with about 30-40 users. For some reason, every couple of months (last time was 6/5/20, not today), it fills the scope with BAD_ADDRESS entries. Subsequently VPN users start calling me. I have never found a definitive answer as to why this happens. Each time I look around, can find nothing about it and just delete the entries. A few may trickle back for a bit, but essentially it just goes away. In the image below you will note the "Unique ID", which for other entries is their MAC address, is different. It always looks like this.

Anyway, any help on how I can track this down would be helpful.

27241-image.png


windows-dhcp-dns

Did you ever get this figured out? I have the exact same problem with those same incomplete mac_addresses causing this exact same issue. It's also intermittent.

0 Votes 0 ·
CTNetworkDude Networkgurus-3458 ·

We just went through this last month... we were in the middle of a workstations / thin clients refresh for a client and this started to happen after a blip in the power for the building that reset all computers and network equipment except the main servers.

Typically this would happen if a lot of devices end up getting IP conflicted addresses. The resolution is to clear out all bad_addresses and reboot your devices while watching the DHCP and clearing out the new ones.

Might need to keep an eye on it for a few days in case any old device didn't reboot and it has a "duplicate" IP address, but should be done within a week on a regular sized business. Or just schedule a reboot of devices every night for a week and watch your scope, making a script to clear out bad_addresses and make it run every 4 hours and should be good within a week (stop the script to verify).

0 Votes 0 ·
0 Votes
MiguelFra answered

Hello Jim,

Have you checked that the VPN DHCP pool of addresses does not overlap with the LAN DHCP pool? Also, make sure there is only one DHCP server on the network segment.

The above error is usually a result of the DHCP pinging the IP before leasing it and getting a response.


0 Votes
GloriaGu-MSFT answered

Hi,

Thank you for posting in Q&A!

BAD_ADDRESS entries are created when an IP conflict is detected; please check the following information:
Firstly, a common sense check: if this has just happened, what have you changed? Have you added any wireless controllers or access points? Have you deployed any new switches or firewalls?

1. Make sure you have only one DHCP server in the network and the DHCP server is not running on a multihomed computer.
2. During the troubleshooting process, disable DHCP failover and make the scope available on one server only, to rule out a DHCP failover or multiple DHCP servers issue.
3. Check the router settings.
4. Use a tool such as Wireshark to capture live network data and analyze the process of IP address distribution. The following is a case similar to your situation. It was successfully solved with Wireshark, please refer to:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/bab06be8-a6e0-4392-84f0-c89bf8030804/dhcp-bad-ip-address-scope-filling-fast-and-detecting-as-conflict?forum=winserveripamdhcpdns


0 Votes
Jim-5513 answered Jim-5513 published

Thanks.

I'm running a SonicWALL firewall and it is set to assign the IP address of an incoming client from the same server mentioned above. It is not running DHCP. There is one other server on the network (Backup DC) with DHCP Server not running. I have one Wireless AP, no DHCP running.

The thing is that this happens VERY intermittently, and all at once. For example, the last time before this time it was back in early June. Also, make note of the "unique ID", that is not a MAC address like the others, and they are all similar. This last time there were only maybe 5 people in the office (COVID) and it started up ~09:30, when those people were coming in. I'm remote. My in-office contact told me that he restarted the Comcast router when a couple of people were having connection issues. He is not technical and that is his go-to response. The issue did seem to go away after that.

My point being, all these variables are constant, why is the problem intermittent and rare?


0 Votes
MiguelFra answered MiguelFra edited

Those MAC addresses are incomplete so my guess is one of the layer 2 devices may be defective or have a flaw that is causing this. Have the office user restart the device one by one (Sonicwall, AP, router, etc.) to see if you can narrow it down to which device might be the culprit. Also try updating the firmware on all layer 2 devices.

Miguel Fra
www.falconitservices.com


0 Votes
Jim-5513 answered MiguelFra commented

Good advice, I'll give that a try.

But...

Why, if it is one of those devices, would it not happen all the time, not every few months? I was suspecting a device somebody is bringing in, albeit innocently, and connecting to the network.

Jim


Sounds like a memory overrun programming bug in some firmware where part of the MAC address gets cut off. Restarting the device clears it up.

0 Votes 0 ·
1 Vote
MiguelFra answered MiguelFra edited

Yeah, I have seen people bring in Wireless routers/AP's and connect them to the LAN as hot spots. If that was the case, the MAC address would be complete and Windows DHCP service would detect a DHCP conflict and stop. Also, if it was someone using spoofing software the fake MAC address would still be complete.

Since you are using Windows DHCP, you may want to enable MAC address filtering and only allow addresses from an ALLOW list, that should take care of the issue, but not the mystery behind it.

Another thing you might try is creating a DHCP exclusion pool for VPN users and having Sonicwall serve up addresses for the VPN users. The incomplete address may be the Sonicwall relaying off the Windows DHCP server.

Miguel Fra
www.falconitservices.com


0 Votes
dubsdj-1606 answered dubsdj-1606 published

Best way to find out what's causing this is to look at the DHCP logs. You will see lots of entries BAD_ADDRESS and then the name of the device causing it. We had a QNAP that had a firmware update which caused this situation.


0 Votes
Jim-5513 answered

Sort of...

By reviewing the DHCP logs I found that the source of these was consistently one or both of two laptops. Now, my theory is that for some reason when they come into the office and fire the machine up it first connects to the Wi-Fi, then they put it in the docking station where it is hardwired. But the Wi-Fi stays on. Now each adapter, both the Wi-Fi and the hardwired one, should have its own MAC address, so theoretically both being connected should not cause a problem. But the bottom line is it was always one of those laptops. So I reduced the lease time to 24 hours and once, very rarely, I'll see a couple of bad addresses. However it never fills up the DHCP address pool. Each of these two laptops will be out of service and replaced in the next year or so. That being said I didn't see any point in looking into it anymore.

That's the long way of saying take a look at the DHCP logs and see what you can figure out.
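
The log review described in the two answers above can be scripted. This is an added example, not code from any poster: it assumes the audit-log column order `ID,Date,Time,Description,IP Address,Host Name,MAC Address`, uses constructed sample rows and host names, and relies on a heuristic (each run of BAD_ADDRESS rows is attributed to the next row that carries a real host name).

```powershell
# Constructed sample rows in the assumed DHCP audit-log column order.
# On a server the real files live under %windir%\System32\dhcp\DhcpSrvLog-*.log.
$sample = @'
11,06/05/20,09:29:40,Renew,192.168.1.20,DESK-07.example.local,001122334455
13,06/05/20,09:31:02,Conflict,192.168.1.39,BAD_ADDRESS,
13,06/05/20,09:31:03,Conflict,192.168.1.40,BAD_ADDRESS,
10,06/05/20,09:31:04,Assign,192.168.1.41,LAPTOP-A.example.local,A0B1C2D3E4F5
13,06/05/20,09:31:09,Conflict,192.168.1.42,BAD_ADDRESS,
10,06/05/20,09:31:10,Assign,192.168.1.43,LAPTOP-A.example.local,A0B1C2D3E4F5
'@

function Get-BadAddressSuspect {
    param([string[]]$Line)
    $cols = 'ID', 'Date', 'Time', 'Description', 'IP', 'HostName', 'MAC'
    # Data rows start with a numeric event ID; this skips the text header of a real log.
    # Columns beyond the seven named here are discarded by ConvertFrom-Csv.
    $rows = $Line | Where-Object { $_ -match '^\d+,' } | ConvertFrom-Csv -Header $cols
    $pending = 0      # BAD_ADDRESS rows seen since the last named host
    $tally = @{}
    foreach ($r in $rows) {
        if ($r.HostName -eq 'BAD_ADDRESS') { $pending++; continue }
        if ($pending -gt 0 -and $r.HostName) {
            # Heuristic (assumption): blame the next named client in the log.
            $tally[$r.HostName] = [int]$tally[$r.HostName] + $pending
            $pending = 0
        }
    }
    $tally.GetEnumerator() | Sort-Object Value -Descending |
        Select-Object @{ n = 'HostName'; e = { $_.Key } },
                      @{ n = 'BadAddressRows'; e = { $_.Value } }
}

# For a real log: Get-BadAddressSuspect -Line (Get-Content <path to audit log>)
Get-BadAddressSuspect -Line ($sample -split "`r?`n")
```

A host that keeps topping this tally across several days of logs is the one to inspect first.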


0 Votes
OCTech-1057 answered OCTech-1057 published

So in case anyone is having this weird problem with inaccurate MACs that have that weird ascending order. To give an idea of what that incorrect MAC is simply take the first two digits in a HEX calculator and convert to decimal. E.g., first bad address the first two digits of the MAC address is 27. That converts to 39 in decimal. You will see that is the last number in the actual IP address. If you convert the rest of the numbers in the bad MAC address you will see it is simply the bad IP address backwards (in HEX).

Of course this does not explain what is happening but it lets us know it's not random so probably not some bad hardware device.

The good thing - I finally found the cause of this today. I found the computer that was causing the problem so I was able to troubleshoot why it was doing this today.

It was not a rogue device on the network. It was simply a laptop. The culprit turned out to be the Sonicwall Global VPN Client! A user could not get an IP address on the LAN but her WiFi luckily had a super slow connection so she complained. I let her know something was weird on the network so she couldn't get an IP address (after clearing BAD_ADDRESS') and she casually mentioned she was on the VPN last night. And that's when it hit me, could the Sonicwall Global VPN client be causing these weird MAC address issues? Sure enough her Sonicwall Global VPN Client was running still. And as SOON as I exited the Global VPN client she got an IP address. And the BAD_ADDRESS' finally stopped. I was troubleshooting for a while and those addresses kept appearing until GVC...
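
The Unique ID observation in the post above (the ID is the leased IP address written backwards in hex) can be checked mechanically. This is an added example, not code from the original post: the lease records are constructed, with only the `27` to `39` octet taken from the post, and the `192.168.1.x` addresses and host names are assumptions.

```powershell
function Convert-BadLeaseId {
    # Turns a 4-byte Unique ID such as 2701a8c0 (or 27-01-a8-c0) into the
    # dotted IPv4 address obtained by reversing its bytes.
    param([Parameter(Mandatory)][string]$UniqueId)
    $hex = $UniqueId -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 8) { return $null }   # 6-byte MACs and other IDs are not decoded
    $bytes = for ($i = 0; $i -lt 8; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    [array]::Reverse($bytes)
    $bytes -join '.'
}

# Constructed records shaped like DHCP lease objects. On a server, comparable
# objects come from: Get-DhcpServerv4Lease -ScopeId <scope> -BadLeases
$leases = @(
    [pscustomobject]@{ IPAddress = '192.168.1.39'; HostName = 'BAD_ADDRESS'; ClientId = '2701a8c0' }
    [pscustomobject]@{ IPAddress = '192.168.1.40'; HostName = 'BAD_ADDRESS'; ClientId = '28-01-a8-c0' }
    [pscustomobject]@{ IPAddress = '192.168.1.20'; HostName = 'DESK-07';     ClientId = '00-11-22-33-44-55' }
)

# IdIsReversedIp = True means the Unique ID is derived from the IP address and
# is not a truncated client MAC, so it cannot be used to look up a device.
$leases | Select-Object IPAddress, HostName, ClientId,
    @{ n = 'DecodedId';      e = { Convert-BadLeaseId $_.ClientId } },
    @{ n = 'IdIsReversedIp'; e = { (Convert-BadLeaseId $_.ClientId) -eq "$($_.IPAddress)" } }
```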


0 Votes
WaxMike-3196 answered WaxMike-3196 published

Did you ever find a permanent solution for the Sonicwall issue?
We have been experiencing the same thing for a long time and I'm wondering now if it's our GVC. Whenever I run Wireshark the DHCP requests come from different users.
