Odd Network Trouble, What Could Be The Problem?



I have a client with a small network.

Their DHCP is handled by their SBS 2011 server, there are two Belkin wireless devices set up as access points, and there is one TP-Link un-managed switch. Other than that there is a Linksys firewall device (gateway) between their network and a cable modem.

The issue is that occasionally two specific workstations will drop off the network and I will find their IP addresses to be on the 192.168.99.x range, instead of the 192.168.100.x range. When I look at the network connection on the affected workstations, instead of seeing their domain name in the connection I see 'innotech.com'. This makes no sense to me since no one knows of any other hardware in the building. When the computer gets its lease from the 192.168.99.x range, it cannot access the resources on their network and I can connect to a gateway on '192.168.99.1' over HTTP and I receive a login prompt, which none of their documented passwords work with.

What should I do? How can I find out what device is giving these workstations DHCP leases on the 192.168.99.x range?


Seems the Linksys device is providing a DHCP service or some other "rogue" device smuggled on the network is causing it. Some people bring their wireless routers from home and plug them into network jacks in their office which causes headaches as a result because they don't configure the DHCP service to off!

Also don't use the 100.x range as cable modems use that to connect to their web interface.

Just off the top of my head do an ipconfig /all and get the DHCP server IP. If it's wireless, forget the network. Recommend static IPs.


As SHoTTa35 mentioned, it sounds like a rogue.  Is it a SMART switch, or completely un-managed?

 

Have you tried removing them from the domain, then re-adding them?

 

Have you switched ports those machines are on, or maybe the NIC settings?


'ipconfig /all' on the DHCP server turns up no other interfaces with the offending IP range.

 

I'm not sure why the Linksys device would cause 'innotech.com' to show up in the network properties when the affected machine gets the IP from 192.168.99.1. So I do not think it could be that, especially since the Linksys device is the known gateway for the network and its IP is 192.168.100.1.

 

Not worried about the cable modem being a source of the issue, since it's not a consumer product, and it's in front of the gateway device.

 

The switch is completely un-managed.

 

I don't know what to do other than to do a physical sweep of the office looking for undocumented devices.


"'ipconfig /all' on the DHCP server turns up no other interfaces with the offending IP range."

I'm not sure what that is supposed to mean? He was asking you if this was a wireless or wired connection. If wireless they could just be connecting to a different wireless network than yours. If it's on their wired interface then yeah you have something connected to your network running DHCP.

If wireless, just set up your wireless clients not to connect to that network. Since you mention 2 APs on your own network, I am thinking maybe it's just wireless.

But if wired, what is the MAC address? You can then look this up and see what type of device it is..

You say you can access a web GUI on it.. at 192.168.99.1 when from these devices - so look in their ARP table "arp -a" and get the MAC

http://www.coffer.com/mac_find/

http://www.macvendorlookup.com/

That might help you spot it.

If not I would suggest you get yourself a smart switch that can list what ports a mac is listed on..

Example:

C:\Windows\system32>arp -a

Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.7           00-0c-29-dd-02-ba     dynamic
  192.168.1.8           00-0c-29-57-41-d5     dynamic
  192.168.1.25          00-13-b6-02-6c-09     dynamic
  192.168.1.40          2c-76-8a-ad-f6-56     dynamic
  192.168.1.50          00-15-99-21-1c-a0     dynamic
  192.168.1.97          00-1c-c3-09-05-7a     dynamic
  192.168.1.220         7f-bf-a9-aa-29-5b     dynamic
  192.168.1.253         00-50-56-00-00-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

[Image: post-14624-0-50689500-1377602874.png]

So for example I look at this one

192.168.1.40 2c-76-8a-ad-f6-56

So if I look 2c-76-8a up I get

http://www.coffer.com/mac_find/?string=2c-76-8a

Tells me it's an HP.. while that makes sense since it's my HP Microserver. Now you see from the switch listing its MAC table that it's connected to port 4.. So I could trace out the wire to what is connected to port 4 and find it.

So you will notice more than 1 MAC on a specific port.. Those are downstream switches that are connected to those ports. So your smart switch lists all the MACs that are on that downstream switch. This would tell you at least what switch you're connected to if you have more than 1.

But sounds like you only have 1 switch, so you could replace it. Or when a box gets that wrong address.. Run a constant ping on the IP of the DHCP server IP that hands it out, and then from your switch start pulling every other wire 1 at a time (other than the workstation that has the wrong IP) and find out what wire your device is connected to.

But a smart switch would be a less intrusive method ;) You can get a smart switch for really cheap these days. What size switch and speed do you have currently?

You sure you double-checked your AP?? Those seem like likely candidates for having their DHCP servers turned back on.

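The two checks suggested in the replies above (read the DHCP server address from `ipconfig /all`, then take that address's MAC from `arp -a` for a vendor lookup) can be chained in a short script. This is an added example, not code from the thread; the authorized server address `192.168.100.10`, the sample command output and the MAC address in it are constructed, and English-language Windows output is assumed.

```python
import re

AUTHORIZED_DHCP = {"192.168.100.10"}  # assumption: the SBS server's IP (not given in the thread)

# Constructed `ipconfig /all` excerpt from an affected workstation.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : innotech.com
   IPv4 Address. . . . . . . . . . . : 192.168.99.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.99.1
   DHCP Server . . . . . . . . . . . : 192.168.99.1
"""

# Constructed `arp -a` output from the same workstation (the MAC is a placeholder).
ARP_SAMPLE = """\
Interface: 192.168.99.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.99.1          02-00-00-aa-bb-cc     dynamic
  192.168.99.255        ff-ff-ff-ff-ff-ff     static
"""

def dhcp_servers(ipconfig_text):
    """Map adapter name -> DHCP server IP from `ipconfig /all` output."""
    servers, adapter = {}, None
    for line in ipconfig_text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip().rstrip(":")
        m = re.match(r"\s+DHCP Server[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m and adapter:
            servers[adapter] = m.group(1)
    return servers

def arp_table(arp_text):
    """Map IP -> MAC from `arp -a` output; header lines do not match the pattern."""
    pat = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)
    return {m.group(1): m.group(2).lower() for m in map(pat.match, arp_text.splitlines()) if m}

def find_rogues(ipconfig_text, arp_text, authorized=AUTHORIZED_DHCP):
    """Return (adapter, server_ip, mac, oui) for every lease from an unlisted server."""
    arp, out = arp_table(arp_text), []
    for adapter, server in dhcp_servers(ipconfig_text).items():
        if server not in authorized:
            mac = arp.get(server)  # None if the server is not in the ARP cache yet
            out.append((adapter, server, mac, mac[:8] if mac else None))
    return out

if __name__ == "__main__":
    print(find_rogues(IPCONFIG_SAMPLE, ARP_SAMPLE))
```

The `oui` field is the first three octets of the MAC, which is the part the vendor lookup sites linked above take as input.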

Here is the deal, as I have resolved the issue.

 

I went to the office and did some sleuthing, and I found their VoIP phone system box in a closet. It was labeled 'innomedia' not innotech (sorry, was quoting from memory). Aside from having its own modem, it had a 'LAN' connection that ran into the ceiling. I traced it to the drop by the network switches and unplugged it. All DHCP resolution issues have been resolved, there has been no impact on the phone system.

 

It must have gotten plugged in at some point, so I wrapped it up away from the switch to avoid any further confusion.


Good news! But having a smart switch would have allowed you to figure out which port it was without having to walk around the building and trace a wire.

Might be something to look into for making your network better.. They are not very costly, give you lots of troubleshooting tools, ability to vlan in the future, rate control of connections quite likely.

Not saying you need a full managed switch like a 2k$ cisco - but a $200 smart makes a lot of sense in a small office vs just a simple dumb switch you would run in your house with a few connections.
