DHCP ACK packets spamming the network


Hello!

 

I noticed earlier today that we had some slowdowns on our LAN. After starting up Wireshark it was immediately obvious that the culprit was likely the DHCP server.

I've let Wireshark run for a short while now and filtered on "bootp.option.type == 53". Out of 45490 packets, 18971 of them have to do with DHCP.

 

Example:

 

44156    1153.062246000    192.168.22.171    255.255.255.255    DHCP    342    DHCP Inform   - Transaction ID 0xdedaa015

 

That one packet has been repeated almost 400 times in under a second.

 

I'm not quite sure why it does so.

 

Any pointers on what to look for? The DHCP server has been restarted and is running on Server 2008. There's nothing logged in the Event Viewer on the server.


So that is your dhcp server at 192.168.22.171 -- that is an ODD ip address for a server.. Seems more like that would be a client asking for a dhcp inform.. I.e. information from your dhcp server.. Does your server answer back?  Answers to Inform packets don't go to broadcast.. They get asked for by a client via broadcast.

 

Server would give the inform back via dhcpack..

 

So you need to figure out what your client is asking for - proxy maybe?  Open the packet in wireshark and it will show you what it's asking for.  My bet is the browser asking for a proxy..

 

So for example I turned on automatic detect setting in IE and bang dhcp inform goes out.. Looking for proxy is in the list..  Then my server answers with dhcpack direct to its IP.. 

 

post-14624-0-09723000-1435145999.png

 

If those informs are coming from 1 IP then something is wrong with the box, if you're seeing lots and lots of them from all your IPs then you need to figure out what they are asking for and answer it or tell them not to ask..  Example you can disable windows from asking for a proxy if you are not using one, etc..

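The triage suggested in the reply above (are the Informs coming from one IP or from many, and how fast) can be run over a Wireshark packet-list text export. This is an added example, not code from the thread; the 20-per-second limit, the server address 192.168.22.10 and the second client 192.168.22.50 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Column layout of a Wireshark packet-list text line, as in the line quoted
# in the first post: No.  Time  Source  Destination  Protocol  Length  Info
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+\S+\s+DHCP\s+\d+\s+"
    r"DHCP\s+(?P<type>\w+)\s+-\s+Transaction ID\s+(?P<xid>0x[0-9a-fA-F]+)"
)

def parse(text):
    """Yield (time, source, message type, transaction id) for each DHCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["time"]), m["src"], m["type"], m["xid"].lower()

def inform_flooders(text, per_second_limit=20):
    """Return {source: stats} for hosts whose peak DHCP Inform rate exceeds the limit."""
    buckets = defaultdict(Counter)  # source -> {whole second -> Inform count}
    xids = defaultdict(Counter)     # source -> {transaction id -> count}
    for t, src, msg_type, xid in parse(text):
        if msg_type == "Inform":
            buckets[src][int(t)] += 1
            xids[src][xid] += 1
    report = {}
    for src, per_second in buckets.items():
        peak = max(per_second.values())
        if peak > per_second_limit:
            report[src] = {"peak_per_second": peak, "total": sum(per_second.values()),
                           "distinct_xids": len(xids[src])}
    return report

def build_sample():
    """Constructed capture: one noisy client, one quiet client, one server ACK."""
    rows = []
    def add(t, src, dst, kind, xid):
        rows.append(f"{len(rows) + 1}    {t:.9f}    {src}    {dst}    DHCP    342"
                    f"    DHCP {kind}   - Transaction ID {xid}")
    for i in range(25):  # 25 identical Informs inside one second
        add(1153.0 + i * 0.03, "192.168.22.171", "255.255.255.255", "Inform", "0xdedaa015")
    add(1153.5, "192.168.22.10", "192.168.22.171", "ACK", "0xdedaa015")
    add(1154.2, "192.168.22.50", "255.255.255.255", "Inform", "0x1a2b3c4d")
    add(1160.7, "192.168.22.50", "255.255.255.255", "Inform", "0x1a2b3c4e")
    return "\n".join(rows)

if __name__ == "__main__":
    for src, stats in inform_flooders(build_sample()).items():
        print(src, stats)
```

A `distinct_xids` of 1 next to a high peak means the same transaction is being repeated, not new exchanges being started.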

> So that is your dhcp server at 192.168.22.171 -- that is an ODD ip address for a server.. Seems more like that would be a client asking for a dhcp inform.. I.e. information from your dhcp server.. Does your server answer back?  Answers to Inform packets don't go to broadcast.. They get asked for by a client via broadcast.
>
> Server would give the inform back via dhcpack..

No, 22.171 is a client asking for an address from our DHCP.

 

See this picture. Lots of DHCP Informs from clients - they are preceded by a large amount of DHCP Requests from the same client and DHCP Acks from the server.

 

KT9EEFy.png

> ^^ DHCP server doesn't just spew out broadcasts.
>
> Are you sure you don't have a network loop or something?

 

Couldn't say for sure - haven't been out checking yet. Usually the network crawls to a halt in case of a loop. I guess I could try disabling the Proxy Search via GPO, but the issue has just started today.


Well you need to figure out what it's asking for that is not getting answered to why it keeps asking.  Or maybe it is getting answered and the client is not liking it or accepting it so keeps asking again, etc.

 

Either way you got something wrong on the clients if going to ask multiple times a second for something.  That client is asking more than 20 times a second there for something ;)


> Well you need to figure out what it's asking for that is not getting answered to why it keeps asking.  Or maybe it is getting answered and the client is not liking it or accepting it so keeps asking again, etc.
>
> Either way you got something wrong on the clients if going to ask multiple times a second for something.  That client is asking more than 20 times a second there for something ;)

 

True - something must be wrong.. somewhere. I tried disabling the DHCP service. Only result was that the ACK packets stopped... :)


The really odd part is that the clients are requesting a new DHCP address, even though none of the leases are close to expiring (the nearest one is a few days from now) :<


So an inform is not a request for a new ip..  That is a request for information.  Are you also seeing dhcprequest, which is what should be sent on a renew of the lease?

So it's only some of your wireless clients, not all of them?  Can you just reconnect them to the wifi network and see if that stops the noise?

I wouldn't suggest you turn off your dhcp server, or you're going to run into a bigger problem when leases expire..


> So an inform is not a request for a new ip..  That is a request for information.  Are you also seeing dhcprequest, which is what should be sent on a renew of the lease?
>
> So it's only some of your wireless clients, not all of them?  Can you just reconnect them to the wifi network and see if that stops the noise?
>
> I wouldn't suggest you turn off your dhcp server, or you're going to run into a bigger problem when leases expire..

 

The leases aren't expiring for a few days, so no worries there. It was only disabled for 10 minutes to see if the DHCP-spam stopped, which it didn't.

 

There are also multiple requests preceding the informs, but not to the same extent. I've scheduled a reboot of our wireless controller - hopefully that'll solve the issues we're having. If not, I'll try reconnecting the clients.


I would try reconnecting a client first.. Not sure how the controller would have anything to do with client spamming.


> I would try reconnecting a client first.. Not sure how the controller would have anything to do with client spamming.

 

The odds of (at least) 7 clients failing simultaneously seems high, since it has never been an issue til now.


Who said anything about failing.. Did you update any software?  Patches to the OS, update the cards?  Are all your clients all the same?

 

How does the controller tell the client to send a dhcpinform packet?? Multiple times a second??  How could that happen?  How could the AP itself cause that?  I don't even see how an issue with the connection could do it..  I told you to reconnect it to wifi more to release and renew the ip and reset the network connection, etc.

 

Please post up a conversation of anything coming from a client and being answered to it from the dhcp server for dhcp requests, dhcpacks from the server, etc.

 

Did you turn off auto discover on the clients?  Did you close down all the software running?  To try and figure out why it's sending so many packets..  Even if it didn't get an answer - it sure as hell should not be sending multiple dhcpinforms a second.

 

Check this out - again pointing to no proxy and client wanting to find a proxy

http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html

 

I believe you can completely disable wpad

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad

 

Create 32bit dword WpadOverride and set value to 1 and reboot.


After rebooting the controller the amount of DHCP packets have dropped from ~40% to 0,3%. Whether it was the access points or the controller itself, that caused the issue... well..

 

How and what exactly happened is unknown, but it's not unheard of that network equipment fails and causes all sorts of weird stuff to happen.


So all the AP went down when the controller rebooted?  And this caused users to reconnect?  I can reboot my controller, or turn it off and has nothing to do with wireless access.  Are you running cisco with tunnel back to the controller?


This topic is now closed to further replies.