1

One of my DHCP scopes is filling up with Bad Addresses. I ran a packet capture with WireShark and there are no rogues DHCP servers in that scope, all IP’s are being handed out by the DHCP server. I’m working with a Windows 2012 R2 server that’s running AD,DHCP and DNS. I’ve cut the lease time on the scope to 20 minutes to help release and renew IPs, but I’m trying to resolve the BAD_ADDRESS issue, not work around it. Does anyone have any ideas? I’ve been all over the Help Boards on line, but none of them provided a solution to my issue.

1 Spice up
2

Did the packet capture contain one of the requests that resulted in bad address?
If not try to catch one, then you can see what is wrong with the request.

3

When I ran the packet capture it did capture several of the bad addresses, but there was nothing different from the regular DORA’s (Discover, Offer, Request, Acknowledge,) that I was seeing. Everything pointed to our DHCP server IP. There were no rogue DHCP Servers.

4

You are not seeing Decline in the DORA? in the capture?

c683d18b-a663-4f23-a61e-fbcc983f823b-unnamed.png
c683d18b-a663-4f23-a61e-fbcc983f823b-unnamed.png800×241 189 KB

I would first suspect someone set a static in the DHCP range somewhere, OR there are latent DHCP addresses out there with VERY long lease times simply not renewing yet. Do the bad addresses change, and can you ping them?

Changing the lease time on the server does not have any effect on the client until it renews.

5

BAD_ADDRESS usually indicates an address conflict, its likely attempting ICMP or ARP Resolution, ensuring that address is not in use, before committing to offering that address to something genuinely going through the DORA process.

6

But it usually results in a decline as well.
Proxy arp somewhere can cause this too, if you have capable devices such as wireless bridges, switches etc, I would check for the presence of proxy arp. Google specifically proxy arp and DHCP decline