BAD_ADDRESS causing DHCP to fill up.

Jim 291

I have a File/Print/DHCP/DNS server 2012 with about 30-40 users. For some reason, every couple of months (last time was 6/5/20, not today), it fills the scope with BAD_ADDRESS entries. Subsequently VPN users start calling me. I have never found a definitive answer as to why this happens. Each time I look around, can find nothing about it and just delete the entries. A few may trickle back for a bit, but essentially it just goes away. In the image below you will not the "Unique ID", which for other entries is their MAC address, is different. It always looks like this.

Anyway, any help on how I can track this down would be helpful.

Networkgurus 1 Reputation point

2021-08-18T17:33:34.027+00:00

Did you ever get this figured out? I have the exact same problem with those some incomplete mac_addresses causing this exact same issue. It's also intermittent.
CT_IT_Guy 1 Reputation point

2021-08-27T18:42:21.8+00:00

We just went through this last month... we were in the middle of a workstations / thin clients refresh for a client and this started to happen after a blip in the power for the building that resetted all computers and network equipment except the main servers.

Typically this would happen if a lot of devices end up getting ip conflicted addresses.. the resolution is to clear out all bad_addresses and reboot your devices while watching the DHCP and clearing out the new ones.

Might need to keep an eye on it for a few days in case any old device didn't reboot and it has a "duplicate" ip address, but should be done within a week on a regular sized business. Or just schedule a reboot of devices every night for a week and watch your scope, making a scrip to clear out bad_addresses and make it run every 4 hours and should be good within a week (stop the script to verify).
Dave Webb 15 Reputation points

2023-04-05T12:46:54.6533333+00:00
I have seen this several times on different client networks, usually related to wifi devices.. Here is how I resolved it:

I checked the event logs for the DHCP server, specifically "Application and Service Logs"->"Microsoft"->"Windows"->"DHCP-Server"->"Microsoft-Windows-DHCP Server Events/Admin". After the pool ran out of space (which you could reduce the size of the pool to get this to come to this condition more quickly), it started recording the mac addresses of the units it was turning away. Take note of the most frequently seen mac address as it is likely your bogey.

I cleared out all of the Bad Address entries, and waited for them to start reappearing.

While I was waiting, I logged into the Layer-3 device (in our case a switch, but it could also be your firewall if you have a smaller network) that handled our wifi devices (VLAN).

When a few of the bad address entires started populating, I checked the ARP table in the Layer3 device to see what Mac address was associated with them. No surprise - it was the same MAC I came to suspect from the event logs.

I logged into our Wifi system (in our case Ubiquiti), and cross referenced the mac address against clients, which gave me the name of the offending laptop.

We took that person out back and had them executed. (Just kidding). We upgraded the Wifi NIC driver on that laptop and rebooted and the problem stopped.

The technical cause is that the Laptop/Wifi NIC was replying to every ping regardless of address, which caused the DHCP server to think the address was already in use, and flagged it as a "Bad Address". Dont bother with the Unique ID on those bad addresses, they are a HEX rendering of the IP address that was marked as bad and don't relate to the offending computer at all. Happy Hunting Dave W (Troy, Oh)
Saurav 0 Reputation points Microsoft Employee

2023-05-25T10:13:00.3833333+00:00

Hello Dave, can you share the event ID number at the DHCP server under "Microsoft-Windows-DHCP Server Events/Admin"?

14 answers

Falcon IT Services 226 Reputation points

2020-09-24T11:33:33.577+00:00

Those MAC addresses are incomplete so my guess is one of the layer 2 devices may be defective or have a flaw that is causing this. Have the office user restart the device one by one (Sonicwall, AP, router, etc.) to see if you can narrow it down to which device might be the culprit. Also try updating the firmware on all layer 2 devices.

Miguel Fra
www.falconitservices.com
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Jim 291 Reputation points

2020-09-24T12:09:47.633+00:00

Good advice, I'll give that a try.

But...

Why, if it is one of those devices, would it not happen all the time, not every few months? I was suspecting a device somebody is bringing in, albeit innocently, and connecting to the network.

Jim
Please sign in to rate this answer.
Falcon IT Services 226 Reputation points

2020-09-24T12:22:30.51+00:00

Sounds like a memory overrun programming bug in some firmware where part of the MAC address gets cut off. Restarting the device clears it up.
Sign in to comment
dubsdj 6 Reputation points

2020-10-26T20:47:51.937+00:00

Best way to find out what's causing this is to look at the DHCP logs. You will see lots of entries BAD_ADDRESS and then the name of the device causing it. We had a QNAP that had a firmware update which caused this situation.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Jim 291 Reputation points

2021-08-18T18:50:46.073+00:00

Sort of...

By reviewing the DHCP logs I found that the source of these were consistently one or both of two laptops. Now, my theory is that for some reason when they come into the office and fire the machine up it first connects to the Wi-Fi, then they put it in the docking station where it is hardwired. But the Wi-Fi stays on. Now each adapter, both of the Wi-Fi and hardwire should have its own Mac address so theoretically then both being connected should not cause a problem. But the bottom line is it was always one of those laptops. So I reduced the least time the 24 hours and once, very rarely, I'll see a couple of bad addresses. However it never fills up the DHCP address pool. Each of these two laptops will be out of service and replaced in the next year or so. That being said I didn't see any point in looking into it anymore.

That's the long way of saying take a look at the DHCP logs and see what you can figure out.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
OCTech 1 Reputation point

2021-10-08T22:45:01+00:00

So in case anyone is having this weird problem with inaccurate MACs that have that weird ascending order. To give an idea of what that incorrect MAC is simply take the first two digits in a HEX calculator and convert to decimal. E.g., first bad address the first two digits of the MAC address is 27. That converts to 39 in decimal. You will see that is the last number in the actual IP address. If you convert the rest of the numbers in the bad MAC address you will see it is simply the bad IP address backwards (in HEX).

Of course this does not explain what is happening but it lets us know it's not random so probably not some bad hardware device.

The good thing - I finally found the cause of this today. I found the computer that was causing the problem so I was able to troubleshoot why it was doing this today.

It was not a rogue device on the network. It was simply a laptop. The culprit turned out to be the Sonicwall Global VPN Client! A user could not get an IP address on the LAN but her WiFi luckily had a super slow connection so she complained. I let her know something was weird on the network so she couldn't get an IP address (after clearing BAD_ADDRESS') and she casually mentioned she was on the VPN last night. And that's when it hit me, could the Sonicwall Global VPN client be causing these weird MAC address issues? Sure enough her Sonicwall Global VPN Client was running still. And as SOON as I exited the Global VPN client she got an IP address. And the BAD_ADDRESS' finally stopped. I was troubleshooting for a while and those addresses kept appearing until GVC...
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

BAD_ADDRESS causing DHCP to fill up.

14 answers