Networks·41,468 discussions

DHCP bad_address every 12 seconds – Scope exhausted

Locked

We use Microsoft DHCP in our environment and this morning began to get flooded with bad_address leases. The server issued lease after lease every 12-13 seconds and they all showed bad_address in the name field of the lease table. The odd thing we noticed was that the Unique ID (MAC address) field was incomplete. Rather than 6 bytes of data, we were only seeing 4 bytes. Also noteworthy is that the last 2 bytes were the only constant:

f121670a
ed20670a
a1be670a

A new unique ID was generated every 12-13 seconds. We deleted the bad_address(es) in bulk every 5 minutes to prevent scope exhaustion. Before we were able to get a sniffer connected, the pattern stopped.

I remember hearing something about Macs running IPv6 not playing well with Microsoft DHCP.

Does anyone else have any other ideas?

Topic

Clarifications

In reply to DHCP bad_address every 12 seconds – Scope exhausted

Clarifications

event log?

In reply to DHCP bad_address every 12 seconds – Scope exhausted

that is a weird one. anything in the event log on the dhcp server?

event log?

In reply to DHCP bad_address every 12 seconds – Scope exhausted

there are a ton of articles about this at the mskb at support.microsoft.com. I searched All Products using bad_address

event log?

In reply to event log?

The event log shows nothing more than the usual info of cleanup and warnings of scopes nearing exhaustion.

The mskb articles point to removing the client from the network. The problem is, with an incomplete MAC address, we don’t know which client is the one. The problem is gone (for now) so the only thing I see to do now is sit in waiting with a sniffer and refresh my scope statistics every 15 minutes or so. When I see the problem present again, start a capture on all traffic to and from the DHCP server. From the capture, we should be able to find the 12-13 second pattern.

Any other thoughts?

Having same problem

In reply to DHCP bad_address every 12 seconds – Scope exhausted

Did you discover what was causing DHCP bad_address every 12 seconds – Scope exhausted? For some reason we started experiencing the same issue this morning. My Mac OSX 10.4.11 clients are getting a message that the address DHCP is issuing to them is already in use. The entry in DHCP shows bad address and an incomplete Unique ID which is not consistent. The conflicting MAC address is the same no matter what the IP address is. Even when manually configuring the address. I know it is the Mac’s (and all of them), the problem starts as soon as we put them on the network and renew the dhcp address.

Anything new on this?

In reply to DHCP bad_address every 12 seconds – Scope exhausted

Hi,

We are encountering the same problems… Is there already a way to find the resolution to this?

Macs running IPv6 ..More info here…

In reply to DHCP bad_address every 12 seconds – Scope exhausted

http://www.vintagemacworld.com/conshare.html
http://www.macwindows.com/leopard.html

Please post back if you have any more problems or questions.

My 2c

In reply to Macs running IPv6 ..More info here…

Hello all,

We have just experienced this problem for the second time. Everything as reported in previous posts but our experience is that when the scope is full we start to get ip address conflicts everywhere, even reserved server addresses. Truly a scary moment.

Having experienced it a few days ago I was ready this time with wireshark and identified the machine and promptly pulled it for investigation.

I’m not entirely sure what’s going on yet but the terms IPV6 and multihomed DHCP client can be mentioned.

The computer is a Vista Premium laptop with bridged LAN and wireless. IPV6 is installed. If the device is connected to the LAN via the wired port and the wireless is switched off, no problem. If the wireless is subsequently switched on, straight away I see Bad_address entries in DHCP as decribed previously.

Hope this helps someone.

How did you track the computer

In reply to My 2c

Hello,

I work in a company where we are seeing a lot of these “BAD_ADDRESS” entries in our DHCP log. I also think that it is caused by computers with bridged network adapters. I have done some tests myself to confirm this. I found out the the MAC adress on the brided adapter started with 02:, and tracking this on our core switches reveal a computer with briding enabled. I have not seen any entries untill today, and i cannot find any MAC starting with 02: – oh well, maybe this is not the pattern.

This is why i am very curious to how you tracked them down with Wireshark – what did you look for in the wireshark log? I am a bit of a novice to WireShark – maybe you could help me a little on the way.

Any help would be great appriciated.

P.S. I think we are going to disabled the Bridging feature via a GPO, but untill then, i would very much like to find the guilty pc.

unique ID is inverted ip address

In reply to DHCP bad_address every 12 seconds – Scope exhausted

We’ve had the same problem. Those unique IDs are not truncated MAC addresses, they’re inverted IP addresses in hex.

e.g. f121670a -> f1 21 67 0a (hex) -> 241 33 103 10 (decimal) -> 10.103.33.241 (ip address).

You probably have a 10.103 subnet which is why the last 2 bytes in each ID is the same.

As for what causes this, we still don’t know yet.

Apple Airport configuration is messing with your DHCP

In reply to DHCP bad_address every 12 seconds – Scope exhausted

Ancient thread but let me quickly tell you what solved the problem for me..
I had a very similar problem – DHCP working finde, suddenly clients cannot get an IP adress anymore.. Looking into the DHCP log shows an unknown MAC with the IP 10.xxx.xxx.xxx is trying to get this IP verified virtually every second – which overloads the DHCP.
Solution: Block the corresponding MAC Adresses (I did it via MAC filtering/deny access/ on my WLAN AP). Poof – there you go. Worked instantly.
The problem is likely an iPhone/iPad which has a strange configuration received by the Apple Airport.
Reason: The Airport will give it’s IP Adresses in the 10.xxx.xxx.xxx – Typical Mac behaviour though – shutting down a whole Windows Network by trying to get it’s own IP configuration veryfied..
Damn!

Windows 8 virtual machine causes this on my network

In reply to DHCP bad_address every 12 seconds – Scope exhausted

I realize this in a old thread but it fits exactly what issue i’m having as well. Just like the first poster mentioned my dhcp server scope is being flooded with requests. Every 10-12 seconds a new one labeled BAD_ADDRESS. The unique id is very similar. They all end with 02010a. In my case i know exactly what’s causing it I’m just not sure why.

I have a Windows 8 virtual machine running on my laptop. The virtual network adapter for that virtual machine (guest) is set to bridged mode. It continually tries to pull an IP address from my dhcp server but never actually gets internet nor lan access. Even with a static IP address my guest machine can’t access the network. The MAC address for the guest machine ends in 2e112f which isn’t anywhere close to what the dhcp server is reporting. If i switch my guest machine’s network adapter back to nat instead of bridged it works just fine.

-DHCP server in running on Windows 2008 R2.
-Host machine is running Windows 7 Pro
-Guest machine is Windows 8 Pro x64, ipv6 disabled
-Vmware Workstation 9
-Virtual Network configuration is set to auto bridge with my wireless and wired adapters selected.

If the host machine is accessing my network via wireless ap the problem presists. If I switch to a wired connection my Windows 8 guest machine works as expected. The strange thing about all of this is i have other virtual machines (Win7, Ubuntu 12, WinXP, Debian) that work fine via wireless and virtual bridge. Only the windows 8 guest seems to act up.

Maybe someone can shed some light on this. Its nice to know what other types of devices I need to look for that can cause BAD_ADDRESS on my dhcp server. Add virtual machine with a bridged network adapter over a wireless connection to that list.

[Author]

Replies