DHCP server "BAD_ADDRESS" problem.

[manowar]

Hi all,

We have 4 VLANs at work, each VLAN is split into 10.48.96.x, 97.X, 98.x, 99.x ranges.

The network was recently rebuilt. We completely moved away from static IPs (which we used in abundance) and now all clients on the schools network obtain IPs via the DHCP.

We've noticed a lot of entries mingling in between client addresses on the DHCP server displaying as "BAD_ADDRESS" (address already in use). I've managed to trace these address back to random PCs on the domain.

So far, I've tried:

1. Looking for rouge DHCP servers on the LAN.
2. Leasing address for 2 hours, 8 hours, 10 hours even unlimited.
3. Deleting all DHCP addresses from the DHCP server at the end of the day, to clean up conflicts.

None of the solutions have sorted the problem. Could it be possible that some clients on the network are still using static IPs and are causing conflicts with the DHCP server?

Any help would be great. Cheers all.

 

[S0ULphIRE]

It's very possible there are still clients using static addresses, also double check you haven't accidentally got any static maps in your DHCP pool.

An easy way to troubleshoot this problem would be to run wireshark on a PC connected to the same subnet as the DHCP server. Filter only for the "BAD_ADDRESS" packets. When you see one, check which IP the server was trying to assign the client, then try and ping it. If you can, check your lease list and check if the address has been given out by your DHCP server already. If it hasn't then someone must be using a static IP somewhere.

 

[manowar]

It's very possible there are still clients using static addresses, also double check you haven't accidentally got any static maps in your DHCP pool.

An easy way to troubleshoot this problem would be to run wireshark on a PC connected to the same subnet as the DHCP server. Filter only for the "BAD_ADDRESS" packets. When you see one, check which IP the server was trying to assign the client, then try and ping it. If you can, check your lease list and check if the address has been given out by your DHCP server already. If it hasn't then someone must be using a static IP somewhere.

Thanks, S0ULphIRE. I'll try using Wireshark today.

We have reservations setup in DHCP. How would we check for static maps in the DHCP pool?

 

[S0ULphIRE]

On your DHCP server, if you've setup any static maps (i.e certain IPs are set to always get assigned to certain workstations) then you need to make sure those addresses aren't in your DHCP pool.

For example, lets say your DHCP pool is 10.0.0.1 to 10.0.0.50
If you made a static map for one workstation to always be assigned 10.0.0.30 you'd have a problem. If you made it 10.0.0.51, you wouldn't have a problem.

So just check any static maps you've created, and make sure that the IP address you've chosen isn't also available in your regular DHCP pool.

Sorry if my explanations are a little hard to follow

 

[manowar]

Thanks for the swift response mate.

On our network. Our DHCP scope is 10.48.96.40-250. We have some random reservations in that scope ranging from 10.48.96.60, 61, 70, 90 etc...these are for devices such as printers. Because those reservations fall within the scope, could this be the problem?

 

[S0ULphIRE]

Yep, that's your problem. I'd suggest making a new subnet for the printers, e.g. 10.48.100.0/24

again, easy way to verify this. Wireshark, capture DHCP traffic, look at the address the server is trying to offer when you see BAD_ADDRESS. If it's one of the IPs you've reserved for your printers then you know what to do.

 

[manowar]

Hi mate, sorry for belated response. Unfortunately, making a new subnet just for printers etc isn't an option. I'm going to try something at work tomorrow. One of our buildings uses a 10.48.101.x range, starting from 101.1 - 101.250. I'm going to reduce the scope to 101.10 - 101.250 and use the first 9 static IP addresses for printers and wireless access points in that particular building (I think there is six APs and 2 printers). I'm then going to see whether I get any bad addresses in DHCP.

One more question. I'm not very familiar with Wireshark. Can you give me a quick idea of how I'd filter for "bad_address?"

Thanks mate, really appreciate your help.

 

[S0ULphIRE]

Just filter for DHCP traffic, in the 'filter' box type 'bootp' and start capturing. You should see only stuff like this:

 

[manowar]

Thanks Soulphire. Once again, sincere apologies for the belated reply. In the end, I went round each physical building and put all our printers, WAPs and other devices on static IPs. I've monitored the DHCP server for a few days since re-configuring the IP addresses and surprise, surprise, the bad addresses have vanished on some subnets, and drastically lowered on others. I can only assume that there are still some machines on our network that have invalid static IPs...I'll hopefully be able to track them down using Wireshark next week and vanquish them!

 

[S0ULphIRE]

Sounds good glad you got this sorted.
Since you've obviously got managed switches, it should be easy to track down the rouge static IPs like this:
1. Monitor wireshark for those bad DHCP addresses.
2. When you find one, get the mac address of the PC that's using it (arp will do it)
3. Check your switch tables for that mac address.