I have some major issues on my network, mostly hardware related, but an infrastructure overhaul is being planned. In the meantime, DHCP (2012 server) is filling up every day with “Bad Address, IP already taken”. I have to manually go in and delete them every day or the network crashes. The only thing I notice that is strange about the “Bad Address” is that the “Unique ID” or “MAC” address that shows up in DHCP is 8 characters long, not 12.

My whole network is going to be redesigned in a month, along with my IP scheme, but in the meantime, it would be nice to figure out what’s going on so I don’t have to remove these IPs manually every morning and sometimes in the afternoon.

9 Spice ups

Hi,

Have you scanned your DHCP range to see if anything is actually holding the IP(s)?

Are these V4 or V6 addresses?

I’ve tried webbing into them, pinging to get host name, browsing to it through \\192.168.xxx.xxx with no results that tell me anything. Scanning in Spiceworks doesn’t do much; if I use a tool like Angry IP Scanner, same thing. Some of the IPs are known devices, like a printer or something, but then some of the IPs are nothing, no ping, no response at all. Very strange.

What are your leases set to? Scan your ranges, check your scope, anything not given out, go search and shout at the people using the machines.

As the above infers, use short leases. Try 1hr-4hr. As the network is to be redone in a month, it’s a reasonable compromise.

Random guess is it might be mobile devices or VMs.

2 Spice ups

You might find there is a firewall turned on blocking ICMP/HTTP and/or most common ports are closed. Try running a port scanner against the IP to see which ports are available. Then you might be able to determine what device is sitting on the IP.

Advanced Port Scanner is a pretty handy utility.

I googled:

bad address 8 characters long

Here are a couple of responses off the Experts Exchange forum:

It almost always is another device handing out IPs.
Universities are plagued with students plugging in their own routers and connecting incorrectly, resulting in a new DHCP server which often responds faster than the Windows server.

You can move the DHCP service to another server quite easily and clients will easily find it due to the way the DHCP protocol works: PC sends a broadcast discover packet, all DHCP servers receive and send an offer, client sends back a request, server responds with an IP.

However if possible it is better to use a different IP range so that it doesn’t overlap with existing assigned IPs. In theory the DHCP server will check if the IP is already in use by sending a ping, which i

It turns out that the culprit was a consultant machine running Vista, but not IPv6, per se. Instead, they were running Dell HomeNet Manager, which one review describes as “spoofing your network’s DHCP server and then responding to a new client’s IP request with an address that is technically valid but on an isolated subnet that has no access to the subnet in use. In the event an unauthorized client is configured with a static IP, HomeNet Manager switches tactics and responds to ARP requests for the address in question, which triggers an apparent IP address conflict and invalidates the address.” I’m not sure whether this exactly describes what was going on, but when we disabled the HomeNet Manager, the problem went away.

2 Spice ups

Check the lease time on your server. If you have a flat network and people have their mobile devices coming and going on your network, that may cause an issue as well. How many devices do you need? You wrote 192.168.x.x which is assumed a /16 which accounts for over 65,000 IP addresses! For a temporary fix, I would trim your DHCP scope down to a much smaller range. If you can’t trim now, at least add DHCP exceptions for the printers or other devices you know the address on. Hopefully you can implement VLANs when you do your new IP scheme.

The other question to ask is that if you are truly using a /16 subnet, do you have VPNs running anywhere? If you have a remote site connected through a site-to-site VPN, you may be handing addresses out to someone else.

You can also do a wireless survey and see if you find any unauthorized wireless routers that may be acting as a DHCP server as well.

On your server, check your ARP cache and see if you do truly have duplicate IP addresses. Check the MAC address against a known MAC database and that may help you track down the culprit. Maybe there are more static IPs assigned than you thought.

Hope something works for you soon so that you do not have to keep doing that every morning. Looking forward to

Going off what britv8 mentioned, you can use a program like RogueChecker to see what devices are trying to hand out IP addresses on your network. We had an issue a while back where (after a power outage, I assume), one of our W/L access points reset its config with DHCP enabled.

2 Spice ups
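Several replies above point to a second device answering DHCP discovers. As an added example (not from any poster in this thread and not the code of any tool named here), the sketch below parses captured DHCP payloads, picks out the DHCPOFFER messages and reports any whose server identifier (option 54) is not on an allow list. The authorized server address and both sample packets are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
AUTHORIZED = {"192.168.1.10"}        # assumption: the legitimate DHCP server's address

def parse_options(data):
    """Walk the code/length/value option list that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                             # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def parse_offer(payload):
    """Return (server_id, offered_ip, xid) for a DHCPOFFER, otherwise None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts = parse_options(payload[240:])
    # op 2 = BOOTREPLY, option 53 value 2 = DHCPOFFER, option 54 = server identifier
    if payload[0] != 2 or opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    return str(IPv4Address(opts[54])), str(IPv4Address(payload[16:20])), xid

def rogue_offers(payloads, authorized=AUTHORIZED):
    """List offers sent by servers that are not on the allow list."""
    found = []
    for p in payloads:
        try:
            offer = parse_offer(p)
        except ValueError:                           # skip malformed captures
            continue
        if offer and offer[0] not in authorized:
            found.append(offer)
    return found

def build_offer(xid, yiaddr, server):
    """Build a minimal DHCPOFFER payload (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    opts = b"\x35\x01\x02\x36\x04" + IPv4Address(server).packed + b"\xff"
    return hdr + bytes(4) + IPv4Address(yiaddr).packed + bytes(8 + 208) + MAGIC_COOKIE + opts

# Constructed samples: one client transaction answered by two different servers.
SAMPLES = [build_offer(0x1234ABCD, "192.168.1.101", "192.168.1.10"),
           build_offer(0x1234ABCD, "192.168.0.57", "192.168.0.1")]
print(rogue_offers(SAMPLES))
```

Two offers carrying the same transaction ID from different server identifiers mean two devices answered the same discover; the unlisted one is the device to locate.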

For us, the issue of a flood of BAD_ADDRESS leases exhausting a DHCP scope was traced to a Multi-Homed Network Switch with a VLAN Interface configured to fetch DHCP.

Setting the interface to No IP resolved the issue.