BAD_ADDRESS causing DHCP to fill up.

Jim 291

I have a File/Print/DHCP/DNS server 2012 with about 30-40 users. For some reason, every couple of months (last time was 6/5/20, not today), it fills the scope with BAD_ADDRESS entries. Subsequently VPN users start calling me. I have never found a definitive answer as to why this happens. Each time I look around, can find nothing about it and just delete the entries. A few may trickle back for a bit, but essentially it just goes away. In the image below you will not the "Unique ID", which for other entries is their MAC address, is different. It always looks like this.

Anyway, any help on how I can track this down would be helpful.

Networkgurus 1 Reputation point

2021-08-18T17:33:34.027+00:00

Did you ever get this figured out? I have the exact same problem with those some incomplete mac_addresses causing this exact same issue. It's also intermittent.
CT_IT_Guy 1 Reputation point

2021-08-27T18:42:21.8+00:00

We just went through this last month... we were in the middle of a workstations / thin clients refresh for a client and this started to happen after a blip in the power for the building that resetted all computers and network equipment except the main servers.

Typically this would happen if a lot of devices end up getting ip conflicted addresses.. the resolution is to clear out all bad_addresses and reboot your devices while watching the DHCP and clearing out the new ones.

Might need to keep an eye on it for a few days in case any old device didn't reboot and it has a "duplicate" ip address, but should be done within a week on a regular sized business. Or just schedule a reboot of devices every night for a week and watch your scope, making a scrip to clear out bad_addresses and make it run every 4 hours and should be good within a week (stop the script to verify).
Dave Webb 15 Reputation points

2023-04-05T12:46:54.6533333+00:00
I have seen this several times on different client networks, usually related to wifi devices.. Here is how I resolved it:

I checked the event logs for the DHCP server, specifically "Application and Service Logs"->"Microsoft"->"Windows"->"DHCP-Server"->"Microsoft-Windows-DHCP Server Events/Admin". After the pool ran out of space (which you could reduce the size of the pool to get this to come to this condition more quickly), it started recording the mac addresses of the units it was turning away. Take note of the most frequently seen mac address as it is likely your bogey.

I cleared out all of the Bad Address entries, and waited for them to start reappearing.

While I was waiting, I logged into the Layer-3 device (in our case a switch, but it could also be your firewall if you have a smaller network) that handled our wifi devices (VLAN).

When a few of the bad address entires started populating, I checked the ARP table in the Layer3 device to see what Mac address was associated with them. No surprise - it was the same MAC I came to suspect from the event logs.

I logged into our Wifi system (in our case Ubiquiti), and cross referenced the mac address against clients, which gave me the name of the offending laptop.

We took that person out back and had them executed. (Just kidding). We upgraded the Wifi NIC driver on that laptop and rebooted and the problem stopped.

The technical cause is that the Laptop/Wifi NIC was replying to every ping regardless of address, which caused the DHCP server to think the address was already in use, and flagged it as a "Bad Address". Dont bother with the Unique ID on those bad addresses, they are a HEX rendering of the IP address that was marked as bad and don't relate to the offending computer at all. Happy Hunting Dave W (Troy, Oh)
Saurav 0 Reputation points Microsoft Employee

2023-05-25T10:13:00.3833333+00:00

Hello Dave, can you share the event ID number at the DHCP server under "Microsoft-Windows-DHCP Server Events/Admin"?

14 answers

WaxMike 1 Reputation point

2021-11-29T13:30:40.98+00:00

Did you ever find a permanent solution for the Sonicwall issue?
We have been experiencing the same thing for a long time and I'm wondering now if it's our GVC. Whenever I run Wireshark the DHCP requests come from different users.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Networkgurus 1 Reputation point

2021-11-29T22:00:36.24+00:00

Well not really, I have migrated DHCP from a 2012R2 server to a 2016 server and have not experienced the issue but I can't say that is a fix. I initially wanted to find a way to exclude or filter DHCP requests with invalid MAC's (our problem always had MAC's that were too short) but could not find a way to do that. I don't know if 2016 handles those invalid MAC addresses better and purposely excludes them but that would be a perfect fix.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Gcha 1 Reputation point

2022-03-12T00:45:25.183+00:00

Could this be caused by docking a laptop with lan and wifi connected and windows 10 mobile hotspot turned on
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Matt Sotherden 0 Reputation points

2023-01-31T16:22:43.11+00:00

I've had this issue since covid hit and a lot of people were working from home via VPN. I also have a Sonicwall that is pulling DHCP addresses from a Windows DHCP server. The issue is users work from home, then put their machine to sleep without shutting down the Global VPN software, therefore keeping the same (VPN DHCP) IP address. Then they come into work, hard wire via docks and that causes the BAD_ADDRESS. The way to figure it out is by running Wireshark on the DHCP server, filter on bootp.option.type == 53 and search for DHCP Decline. Look for MAC address on DHCP Decline, then look for DHCP Request (same MAC address). Under DHCP Request look under Dynamic Host Configuration Protocol (Request) - Option: (12) Host Name - Host Name, that will give the name of the offending computer. Usually DHCP Request will be right above the DHCP Decline, so it is pretty easy to figure out.

I have also talked to Sonicwall in regards to the Global VPN software to find a way to timeout/shutdown, but there isn't any...yet. This would be one of the reasons why BAD_ADDRESS comes up
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

BAD_ADDRESS causing DHCP to fill up.

14 answers