XorpiZ Posted June 24, 2015 Share Posted June 24, 2015 Hello! I noticed earlier today, that we had some slowdowns on our LAN. After starting up Wireshark it was immediately obvious that the culprit was likely the DHCP server. I've let Wireshark run for a short while now and filtered on "bootp.option.type == 53". Out of 45490 packets, 18971 of them has to do with DHCP. Example: 44156 1153.062246000 192.168.22.171 255.255.255.255 DHCP 342 DHCP Inform - Transaction ID 0xdedaa015 That one packet has been repeated almost 400 times in under a second. I'm not quite sure why it does so. Any pointers on what to look for? The DHCP server has been restarted and is running on Server 2008. There's nothing logged in the Event Viewer on the server Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/ Share on other sites More sharing options...
+BudMan MVC Posted June 24, 2015 MVC Share Posted June 24, 2015 so that is your dhcp server at 192.168.22.171 -- that is ODD ip address for a server.. Seems more like that would be a client asking for an dhcp inform.. Ie information from your dhcp server.. Does your server answer back? Answers to Inform packets don't go to broadcast.. They get asked by from a client via broadcast. Server would give the inform back via dhcpack.. So you need to figure out what your client asking for - proxy maybe? Open the packet in wireshark and it will show you what its asking for. My bet is browser asking for proxy.. So for example I turned on automatic detect setting in IE and bang dhcp inform goes out.. Looking for proxy is in the list.. Then my server answers with dhcpack direct to its IP.. If those informs are coming from 1 IP then something wrong with box, if your seeing lots and lots of them from all your IPs then need to figure out what they are asking for and answer it or tell them not to ask.. Example you can disable windows from asking for a proxy if you are not using one, etc.. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899782 Share on other sites More sharing options...
offroadaaron Posted June 24, 2015 Share Posted June 24, 2015 ^^ DHCP server doesn't just spew out boardcasts. Are you sure you don't have a network loop or something? Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899798 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 On 24/06/2015 at 11:30, BudMan said: so that is your dhcp server at 192.168.22.171 -- that is ODD ip address for a server.. Seems more like that would be a client asking for an dhcp inform.. Ie information from your dhcp server.. Does your server answer back? Answers to Inform packets don't go to broadcast.. They get asked by from a client via broadcast. Server would give the inform back via dhcpack.. No, 22.171 is a client asking for an address from our DHCP. See this picture. Lots of DHCP Informs from clients - they are preceded by a large amount of DHCP Requests from the same client and DHCP Acks from the server On 24/06/2015 at 11:49, offroadaaron said: ^^ DHCP server doesn't just spew out boardcasts. Are you sure you don't have a network loop or something? Couldn't say for sure - haven't been out checking yet. Usually the network crawls to a halt in case of a loop. I guess I could try disabling the Proxy Search via GPO, but the issue has just started today. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899800 Share on other sites More sharing options...
+BudMan MVC Posted June 24, 2015 MVC Share Posted June 24, 2015 Well you need to figure out what its asking for that is not getting answered to why it keeps asking. Or maybe it is getting answered and client is not likely it accepting it so keeps asking again, etc. Either way you got something wrong on the clients if going to ask multiple times a second for something. That client is asking more than 20 times a second there for something Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899832 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 On 24/06/2015 at 12:26, BudMan said: Well you need to figure out what its asking for that is not getting answered to why it keeps asking. Or maybe it is getting answered and client is not likely it accepting it so keeps asking again, etc. Either way you got something wrong on the clients if going to ask multiple times a second for something. That client is asking more than 20 times a second there for something True - something must be wrong.. somewhere. I tried disabling the DHCP service. Only result was that the ACK packets stopped... Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899878 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 The really odd part is, that the clients are requesting a new DHCP address, even though none of the leases are close to expering (the nearest one is a few days from now) :< Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899884 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 Update - So far I've identified 7 different cliens causing mayhem on our network. All of them are connected via Wi-Fi. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899894 Share on other sites More sharing options...
+BudMan MVC Posted June 24, 2015 MVC Share Posted June 24, 2015 So an inform is not a request for a new ip.. That is a request for information. Are you also seeing dhcprequest which is what should be sent on a renew of the lease. So its only some of your wireless clients, not all of them? Can you just reconnect them to the wifi network and see if that stops the noise? I wouldn't suggest you turn off your dhcp server, or you going to run into a bigger problem when leases expire.. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596899946 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 On 24/06/2015 at 14:15, BudMan said: So an inform is not a request for a new ip.. That is a request for information. Are you also seeing dhcprequest which is what should be sent on a renew of the lease. So its only some of your wireless clients, not all of them? Can you just reconnect them to the wifi network and see if that stops the noise? I wouldn't suggest you turn off your dhcp server, or you going to run into a bigger problem when leases expire.. The leases aren't expiring for a few days, so no worries there. It was only disabled for 10 minutes to see if the DHCP-spam stopped, which it didn't. There are also multiple requests preceding the informs, but not to the same extent. I've scheduled a reboot our of wireless controller- hopefully that'll solve the issues we're having. If not, I'll try reconnecting the clients. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900348 Share on other sites More sharing options...
+BudMan MVC Posted June 24, 2015 MVC Share Posted June 24, 2015 I would try reconnecting a client first.. Not sure how the controller would have anything to do with client spamming. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900356 Share on other sites More sharing options...
XorpiZ Posted June 24, 2015 Author Share Posted June 24, 2015 On 24/06/2015 at 20:20, BudMan said: I would try reconnecting a client first.. Not sure how the controller would have anything to do with client spamming. The odds of (at least) 7 clients failing simultaneously seems high, since it has never been an issue til now. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900374 Share on other sites More sharing options...
+BudMan MVC Posted June 24, 2015 MVC Share Posted June 24, 2015 Who said anything about failing.. Did you update any software? Patches to the OS, update the cards? Are all your clients all the same? How does the controller tell the client to send a dhcpinform packet?? Multiple times a second?? How could that happen? How could the AP itself cause that? I don't even see how an issue with the connection could do it.. I told you to reconnect it to wifi more to release and renew the ip and reset the network connection, etc. Please post up a conversation of anything coming from a client and being answered to it from the dhcp server for dhcp requests, dhcpacks from the server, etc. Did you turn off auto discover on the clients? Did you close down all the software running? To try and figure out why its sending so many packets.. Even if didn't get an answer - it sure and the hell shold not be sending multiple dhcpinforms a second Check this out - again pointing to no proxy and client wanting to find a proxy http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html I believe you can completely disable wpad HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad Create 32bit dword WpadOverride and set value to 1 and reboot. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900384 Share on other sites More sharing options...
XorpiZ Posted June 25, 2015 Author Share Posted June 25, 2015 After rebooting the controller the amount of DHCP packets have dropped from ~40% to 0,3%. Whether it was the access points or the controller itself, that caused the issue... well.. How and what exactly happened is unknown, but it's not unheard of that network equipment fails and causes all sorts of weird stuff to happen. Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900838 Share on other sites More sharing options...
+BudMan MVC Posted June 25, 2015 MVC Share Posted June 25, 2015 So all the AP went down when the controller rebooted? And this caused users to reconnect? I can reboot my controller, or turn it off and has nothing to do with wireless access. Are you running cisco with tunnel back to the controller? Link to comment https://www.neowin.net/forum/topic/1261230-dhcp-ack-packets-spamming-the-network/#findComment-596900984 Share on other sites More sharing options...
Recommended Posts