This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: DHCP Snooping False Positives
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
DHCP Snooping False Positives
DHCP Snooping False Positives
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Dec 20 2012 11:51AM
Hello All!
I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.
The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.
When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.
58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.
Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.
Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s
I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.
Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:
http://www.pronetworks.org/forums/win...
Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.
Many thanks for takign the time to read all of it if you got this far! 🙂
(from Shaun_Kent)
Hello All!
I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.
The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.
When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.
58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.
Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.
Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s
I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.
Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:
http://www.pronetworks.org/forums/win...
Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.
Many thanks for takign the time to read all of it if you got this far! 🙂
(from Shaun_Kent)
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Feb 19 2013 12:17PM
Thanks for all the feedback everyone.
Just an update to let you know that Microsoft should be working on a hotfix as we speak. I will be getting a private release to test, if all goes well, you can all expect the public release via Windows Update in April.
Cheers! (from Shaun_Kent)
Thanks for all the feedback everyone.
Just an update to let you know that Microsoft should be working on a hotfix as we speak. I will be getting a private release to test, if all goes well, you can all expect the public release via Windows Update in April.
Cheers! (from Shaun_Kent)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Jan 23 2013 1:19PM
Hi All,
we observed the same issues. DHCP snooping is on and under normal circumstances it works perfect. Since we have Dell Notebooks with W7 Pro we got randomly messages that "DHCP violation occured. Blocking MAC ... temporarily. And "A Rogue DHCP server with IP 0.0.0.0 was detected on port .." This only occurs when the notebook starts up. The users didn't mentioned or didn't noticed that the logon process took longer.
Regards, Jack Mikel (from Hans-Michael_Dudek)
Hi All,
we observed the same issues. DHCP snooping is on and under normal circumstances it works perfect. Since we have Dell Notebooks with W7 Pro we got randomly messages that "DHCP violation occured. Blocking MAC ... temporarily. And "A Rogue DHCP server with IP 0.0.0.0 was detected on port .." This only occurs when the notebook starts up. The users didn't mentioned or didn't noticed that the logon process took longer.
Regards, Jack Mikel (from Hans-Michael_Dudek)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Jan 15 2013 3:20PM
Hello,
I am using DHCP Snooping on my corporate network too.
Every few days I get false-positive DHCP-Alerts. From Extreme Switches as well as from HP Switches.
It seems like Windows 7 would sporadically reflect a DHCP-Offer, but replaces Source-MAC with its own and Source-IP with 0.0.0.0. The "DHCP Server Identifier" in the packet still contains the IP from the original DHCP-Server.
I asked the users what they have done when the DHCP-Alert occured, one docked his notebook into the docking station, another restored an image. But we were not able to reproduce the problem.
By the way: Since Windows 7 we also have problems with DHCP Broadcast Storms and IP-Address Conflicts. When someone dismounts his HDD from Computer A and installs it in Computer B, Windows still uses the old IP-Address, it doesn't request a new one. Requirements to reproduce it: Windows 7, DHCP-Reservation (no Pool-IP), enabled APIPA (not disabled in registry). Workaround: I set a registry key to instruct Windows to release the IP-Address on shutdown: HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\\ReleaseOnShutDown = 1 (REG_DWORD)
Best regards,
Michael (from MichaelM)
Hello,
I am using DHCP Snooping on my corporate network too.
Every few days I get false-positive DHCP-Alerts. From Extreme Switches as well as from HP Switches.
It seems like Windows 7 would sporadically reflect a DHCP-Offer, but replaces Source-MAC with its own and Source-IP with 0.0.0.0. The "DHCP Server Identifier" in the packet still contains the IP from the original DHCP-Server.
I asked the users what they have done when the DHCP-Alert occured, one docked his notebook into the docking station, another restored an image. But we were not able to reproduce the problem.
By the way: Since Windows 7 we also have problems with DHCP Broadcast Storms and IP-Address Conflicts. When someone dismounts his HDD from Computer A and installs it in Computer B, Windows still uses the old IP-Address, it doesn't request a new one. Requirements to reproduce it: Windows 7, DHCP-Reservation (no Pool-IP), enabled APIPA (not disabled in registry). Workaround: I set a registry key to instruct Windows to release the IP-Address on shutdown: HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\
Best regards,
Michael (from MichaelM)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Jan 9 2013 3:55PM
I have definitely seen this on my network, quite a bit actually. I haven't been able to trace it down to windows 7 specifically but that seems to be a common thread (I hadn't found enough machines in time to confirm that was the culprit.) (from Ansley_Barnes)
I have definitely seen this on my network, quite a bit actually. I haven't been able to trace it down to windows 7 specifically but that seems to be a common thread (I hadn't found enough machines in time to confirm that was the culprit.) (from Ansley_Barnes)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Jan 7 2013 11:55AM
Thanks PJ, are you investigating every instance of this happening or pretty much ignoring anything which shows up with 0.0.0.0 ?
Also, have you noticed any delay in obtaining an IP address with DHCP snooping enabled? Either via Windows clients or say Avaya (or other VoIP based) phones?
Cheers! (from Shaun_Kent)
Thanks PJ, are you investigating every instance of this happening or pretty much ignoring anything which shows up with 0.0.0.0 ?
Also, have you noticed any delay in obtaining an IP address with DHCP snooping enabled? Either via Windows clients or say Avaya (or other VoIP based) phones?
Cheers! (from Shaun_Kent)
