Unrecognized IP Address pulling via DHCP

Hi everybody,

We are experiencing a strange situation on our network, where a random
client will occasionally pull an IP address of a different mask than we are
using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
addresses. A couple times a week, one workstation will pull a 192.168.13.x
ip via DHCP. A single Ipconfig release/renew would usually fix it, though
sometimes it would just pull the invalid IP again, in these cases, repeating
release/renew a few times would take care of it.

At first I thought there was a rogue DHCP server on the network, so I
started running DHCPLoc from the MS Support tools continuously on a port off
the same network switch on which the problems were occurring. I found that
even if a workstation was receiving that IP, no DHCP server was offering that
range on the network as a whole. I then ran DHCPLoc directly on the affected
machine. It would show our normal 2 DHCP servers, as well as one offering the
..13 address. However, no other machine but that one would show the 3rd DHCP
server.

I thought we had narrowed it down to Trend Micro's latest common firewall
driver, as the problem started about the time we installed their latest
version. But we've removed it from a couple computers, and they still
experience from problem.

Does anybody have any idea what might be going on? I'm pretty much stumped
at this point, and it's causing way to many problems to simple ignore.

-Jeremy

"Jeremy Harrington" <(E-Mail Removed)> wrote in
message news:113E8DE6-705D-464D-AF1E-(E-Mail Removed)...
> Hi everybody,
>
> We are experiencing a strange situation on our network, where a random
> client will occasionally pull an IP address of a different mask than we
> are
> using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
> addresses. A couple times a week, one workstation will pull a
> 192.168.13.x
> ip via DHCP. A single Ipconfig release/renew would usually fix it, though
> sometimes it would just pull the invalid IP again, in these cases,
> repeating

1. Wait till it does it again.

2. Run IPConfig /all
The IP# of the DHCP Server that is got the IP# from will be listed right
there.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

the dhcp server is running on that machine itself?? if you tracert to the
3rd dhcp server where does it go?

"Jeremy Harrington" <(E-Mail Removed)> wrote in
message news:113E8DE6-705D-464D-AF1E-(E-Mail Removed)...
> Hi everybody,
>
> We are experiencing a strange situation on our network, where a random
> client will occasionally pull an IP address of a different mask than we
> are
> using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
> addresses. A couple times a week, one workstation will pull a
> 192.168.13.x
> ip via DHCP. A single Ipconfig release/renew would usually fix it, though
> sometimes it would just pull the invalid IP again, in these cases,
> repeating
> release/renew a few times would take care of it.
>
> At first I thought there was a rogue DHCP server on the network, so I
> started running DHCPLoc from the MS Support tools continuously on a port
> off
> the same network switch on which the problems were occurring. I found that
> even if a workstation was receiving that IP, no DHCP server was offering
> that
> range on the network as a whole. I then ran DHCPLoc directly on the
> affected
> machine. It would show our normal 2 DHCP servers, as well as one offering
> the
> .13 address. However, no other machine but that one would show the 3rd
> DHCP
> server.
>
> I thought we had narrowed it down to Trend Micro's latest common firewall
> driver, as the problem started about the time we installed their latest
> version. But we've removed it from a couple computers, and they still
> experience from problem.
>
> Does anybody have any idea what might be going on? I'm pretty much stumped
> at this point, and it's causing way to many problems to simple ignore.
>
> -Jeremy

Phillip,

I've tried that, but what good does it do? The IP address serving that IP is
192.168.13.x. It's not pingable, RDP is off, as is telnet on that IP. So I
have an IP address, but no way to tell where it is.

Thanks,

Jeremy

"Phillip Windell" wrote:

>
> "Jeremy Harrington" <(E-Mail Removed)> wrote in
> message news:113E8DE6-705D-464D-AF1E-(E-Mail Removed)...
> > Hi everybody,
> >
> > We are experiencing a strange situation on our network, where a random
> > client will occasionally pull an IP address of a different mask than we
> > are
> > using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
> > addresses. A couple times a week, one workstation will pull a
> > 192.168.13.x
> > ip via DHCP. A single Ipconfig release/renew would usually fix it, though
> > sometimes it would just pull the invalid IP again, in these cases,
> > repeating
>
> 1. Wait till it does it again.
>
> 2. Run IPConfig /all
> The IP# of the DHCP Server that is got the IP# from will be listed right
> there.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

A couple of stupid ideas.

- Is this a laptop? Any chance it is seeing a wireless router
somewhere?
- Any relationship to transient staff? Someone with a laptop with a
DHCP server running on it. Or perhaps someone who is bringing in their
own wireless router to use when they're in the office?

As I said, unlikely ideas but you never know...

Marten


On Mon, 22 Sep 2008 10:58:17 -0700, Jeremy Harrington
<(E-Mail Removed)> wrote:

>Hi everybody,
>
>We are experiencing a strange situation on our network, where a random
>client will occasionally pull an IP address of a different mask than we are
>using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
>addresses. A couple times a week, one workstation will pull a 192.168.13.x
>ip via DHCP. A single Ipconfig release/renew would usually fix it, though
>sometimes it would just pull the invalid IP again, in these cases, repeating
>release/renew a few times would take care of it.
>
>At first I thought there was a rogue DHCP server on the network, so I
>started running DHCPLoc from the MS Support tools continuously on a port off
>the same network switch on which the problems were occurring. I found that
>even if a workstation was receiving that IP, no DHCP server was offering that
>range on the network as a whole. I then ran DHCPLoc directly on the affected
>machine. It would show our normal 2 DHCP servers, as well as one offering the
>.13 address. However, no other machine but that one would show the 3rd DHCP
>server.
>
>I thought we had narrowed it down to Trend Micro's latest common firewall
>driver, as the problem started about the time we installed their latest
>version. But we've removed it from a couple computers, and they still
>experience from problem.
>
>Does anybody have any idea what might be going on? I'm pretty much stumped
>at this point, and it's causing way to many problems to simple ignore.
>
>-Jeremy

Marten,

Thank you for your ideas, but no such luck. The workstations on which the
problems occur are desktop computers without a wireless card.

"Marten" wrote:

> A couple of stupid ideas.
>
> - Is this a laptop? Any chance it is seeing a wireless router
> somewhere?
> - Any relationship to transient staff? Someone with a laptop with a
> DHCP server running on it. Or perhaps someone who is bringing in their
> own wireless router to use when they're in the office?
>
> As I said, unlikely ideas but you never know...
>
> Marten
>
>
> On Mon, 22 Sep 2008 10:58:17 -0700, Jeremy Harrington
> <(E-Mail Removed)> wrote:
>
> >Hi everybody,
> >
> >We are experiencing a strange situation on our network, where a random
> >client will occasionally pull an IP address of a different mask than we are
> >using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
> >addresses. A couple times a week, one workstation will pull a 192.168.13.x
> >ip via DHCP. A single Ipconfig release/renew would usually fix it, though
> >sometimes it would just pull the invalid IP again, in these cases, repeating
> >release/renew a few times would take care of it.
> >
> >At first I thought there was a rogue DHCP server on the network, so I
> >started running DHCPLoc from the MS Support tools continuously on a port off
> >the same network switch on which the problems were occurring. I found that
> >even if a workstation was receiving that IP, no DHCP server was offering that
> >range on the network as a whole. I then ran DHCPLoc directly on the affected
> >machine. It would show our normal 2 DHCP servers, as well as one offering the
> >.13 address. However, no other machine but that one would show the 3rd DHCP
> >server.
> >
> >I thought we had narrowed it down to Trend Micro's latest common firewall
> >driver, as the problem started about the time we installed their latest
> >version. But we've removed it from a couple computers, and they still
> >experience from problem.
> >
> >Does anybody have any idea what might be going on? I'm pretty much stumped
> >at this point, and it's causing way to many problems to simple ignore.
> >
> >-Jeremy
>
>

"Jeremy Harrington" <(E-Mail Removed)> wrote in
message news:8BE18D06-3CC5-458B-A27B-(E-Mail Removed)...
> I've tried that, but what good does it do? The IP address serving that IP
> is
> 192.168.13.x. It's not pingable, RDP is off, as is telnet on that IP. So I
> have an IP address, but no way to tell where it is.

If no router (a "real" router, a LAN Router) is configured to relay DHCP
Queries to such a DHCP Server,...then the DHCP Server is on the "same wire".
That should narrow it down.

It could even be a multi-port Firewall. Most of then now-a-days having
multiple internal facing ports to create other subnets or DMZs,...one of
them could be misconfigured and could be plugged into the same "wire" as
everything else,...with the Firewall running a DHCP Service (which should
never be allowed to happen). That could explain the lack of Ping and Telnet
since many firewalls would natually be blocking those.

The machine cannot communicate with the DHCP Server without the MAC
address,...the MAC address can be tracked through the switch to find the
port on the switch the machine is plugged into. You should be able to find
the machine in normal ways,..but if you cannot then you will have to run a
sniffer (like Netmonitor) on the Client and track the DHCP Conversation down
to the MAC addrress.

There is no Voodoo. If it is getting an IP for a 192.168.13 subnet then the
DHCP Service providing it is *there*.....somewhere. You are the only one
who can find it,..there is no way we can find it. If it comes down to it
you will have to inventory your equipment room by room cable by cable until
everything is accounted for.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Dave,

Tracert to that IP goes to our main router on the first hop, then out into
our ISP.

Thanks,

Jeremy

"Dave" wrote:

> the dhcp server is running on that machine itself?? if you tracert to the
> 3rd dhcp server where does it go?
>
> "Jeremy Harrington" <(E-Mail Removed)> wrote in
> message news:113E8DE6-705D-464D-AF1E-(E-Mail Removed)...
> > Hi everybody,
> >
> > We are experiencing a strange situation on our network, where a random
> > client will occasionally pull an IP address of a different mask than we
> > are
> > using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
> > addresses. A couple times a week, one workstation will pull a
> > 192.168.13.x
> > ip via DHCP. A single Ipconfig release/renew would usually fix it, though
> > sometimes it would just pull the invalid IP again, in these cases,
> > repeating
> > release/renew a few times would take care of it.
> >
> > At first I thought there was a rogue DHCP server on the network, so I
> > started running DHCPLoc from the MS Support tools continuously on a port
> > off
> > the same network switch on which the problems were occurring. I found that
> > even if a workstation was receiving that IP, no DHCP server was offering
> > that
> > range on the network as a whole. I then ran DHCPLoc directly on the
> > affected
> > machine. It would show our normal 2 DHCP servers, as well as one offering
> > the
> > .13 address. However, no other machine but that one would show the 3rd
> > DHCP
> > server.
> >
> > I thought we had narrowed it down to Trend Micro's latest common firewall
> > driver, as the problem started about the time we installed their latest
> > version. But we've removed it from a couple computers, and they still
> > experience from problem.
> >
> > Does anybody have any idea what might be going on? I'm pretty much stumped
> > at this point, and it's causing way to many problems to simple ignore.
> >
> > -Jeremy
>
>
>

if it actually gets to the server 'out there' then you should check your
router... it should not be forwarding dhcp requests in /out in most cases,
otherwise on the chance that your internal dhcp is slow responding your
isp's response could get back first and assign the odd ip.

"Jeremy Harrington" <(E-Mail Removed)> wrote in
message news:3C9469CB-3576-460C-9004-(E-Mail Removed)...
> Dave,
>
> Tracert to that IP goes to our main router on the first hop, then out into
> our ISP.
>
> Thanks,
>
> Jeremy
>
> "Dave" wrote:
>
>> the dhcp server is running on that machine itself?? if you tracert to
>> the
>> 3rd dhcp server where does it go?
>>
>> "Jeremy Harrington" <(E-Mail Removed)> wrote in
>> message news:113E8DE6-705D-464D-AF1E-(E-Mail Removed)...
>> > Hi everybody,
>> >
>> > We are experiencing a strange situation on our network, where a random
>> > client will occasionally pull an IP address of a different mask than we
>> > are
>> > using. We have 2 DHCP servers arranged 80/20, serving out 10.10.1.x ip
>> > addresses. A couple times a week, one workstation will pull a
>> > 192.168.13.x
>> > ip via DHCP. A single Ipconfig release/renew would usually fix it,
>> > though
>> > sometimes it would just pull the invalid IP again, in these cases,
>> > repeating
>> > release/renew a few times would take care of it.
>> >
>> > At first I thought there was a rogue DHCP server on the network, so I
>> > started running DHCPLoc from the MS Support tools continuously on a
>> > port
>> > off
>> > the same network switch on which the problems were occurring. I found
>> > that
>> > even if a workstation was receiving that IP, no DHCP server was
>> > offering
>> > that
>> > range on the network as a whole. I then ran DHCPLoc directly on the
>> > affected
>> > machine. It would show our normal 2 DHCP servers, as well as one
>> > offering
>> > the
>> > .13 address. However, no other machine but that one would show the 3rd
>> > DHCP
>> > server.
>> >
>> > I thought we had narrowed it down to Trend Micro's latest common
>> > firewall
>> > driver, as the problem started about the time we installed their latest
>> > version. But we've removed it from a couple computers, and they still
>> > experience from problem.
>> >
>> > Does anybody have any idea what might be going on? I'm pretty much
>> > stumped
>> > at this point, and it's causing way to many problems to simple ignore.
>> >
>> > -Jeremy
>>
>>
>>

"Jeremy Harrington" <(E-Mail Removed)> wrote in
message news:3C9469CB-3576-460C-9004-(E-Mail Removed)...
> Tracert to that IP goes to our main router on the first hop, then out into
> our ISP.

That is only because it is not considered to be "part of your LAN" and so it
follow the Default Routing Path for the LAN which takes it to the ISP. The
first router of the ISP will just simply drop it because it is an RFC
Private Address.

So that is normal behavor. I think this can rule out the firewall theory I
mentioned in the last post because if the Firewall was misconfigured with an
address from that range on one of its DMZ ports it would not have passed it
out to the ISP.

Remember DHCP queries are brodcasted,...so they "go everywhere the wire
goes" until they hit a firewall or LAN router. So if anything running a
DHCP service on the "same wire" can potentially respond even if it is not
correctly addressed for the IP Segment being used.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------