This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: DHCP Snooping False Positives
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
DHCP Snooping False Positives
DHCP Snooping False Positives
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Dec 20 2012 11:51AM
Hello All!
I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.
The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.
When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.
58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.
Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.
Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s
I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.
Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:
http://www.pronetworks.org/forums/win...
Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.
Many thanks for takign the time to read all of it if you got this far! 🙂
(from Shaun_Kent)
Hello All!
I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.
The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.
When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.
58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.
Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.
Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s
I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.
Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:
http://www.pronetworks.org/forums/win...
Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.
Many thanks for takign the time to read all of it if you got this far! 🙂
(from Shaun_Kent)
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: May 15 2013 12:05PM
Hello all,
Apologies for the late response. However I come bearing good news! The hotfix has been released publically and you can find information about it here:
http://support.microsoft.com/kb/2824546
Private testing before public release was satisfactory and resolved our issue within the corporate network where it was applied. I hope it also fixes the issues you guys have been seeing similar to me!
Cheers!
(from Shaun_Kent)
Hello all,
Apologies for the late response. However I come bearing good news! The hotfix has been released publically and you can find information about it here:
http://support.microsoft.com/kb/2824546
Private testing before public release was satisfactory and resolved our issue within the corporate network where it was applied. I hope it also fixes the issues you guys have been seeing similar to me!
Cheers!
(from Shaun_Kent)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Hi All
I have been experiencing similar issues on corporate LAN where client machines send DHCP requests very often...about 700-3000 requests in couple of hours....Can you please suggest possible cause and fix.Not all but some of the machines...These machines were updated with drivers but issue persists..
Thanks
Karan
I have been experiencing similar issues on corporate LAN where client machines send DHCP requests very often...about 700-3000 requests in couple of hours....Can you please suggest possible cause and fix.Not all but some of the machines...These machines were updated with drivers but issue persists..
Thanks
Karan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Mar 11 2013 11:37AM
Hi Nerfie
We have the same issue in our network. Did you receive a hotfix from microsoft?
Regards
Markus (from mafumaso )
Hi Nerfie
We have the same issue in our network. Did you receive a hotfix from microsoft?
Regards
Markus (from mafumaso )
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Feb 27 2013 10:58AM
Hello,
Same problem here. We have two Student Residences and discovered DHCP Offer packets from clients with information like:
75462 78.692064000 0.0.0.0 255.255.255.255 DHCP 354 DHCP Offer - Transaction ID 0x1416f5e5
Ethernet II, Src: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.1.27 (192.168.1.27) // range not from residence network
Client MAC address: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX) // client mac address
[Malformed Packet: BOOTP/DHCP]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
Hope to ear from you soon with Microsoft latest info regarding the hotfix.
Best Regards,
Eduardo
edit: can you tell us what hotfix is causing this situation? Thanx
(from [eB] )
Hello,
Same problem here. We have two Student Residences and discovered DHCP Offer packets from clients with information like:
75462 78.692064000 0.0.0.0 255.255.255.255 DHCP 354 DHCP Offer - Transaction ID 0x1416f5e5
Ethernet II, Src: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.1.27 (192.168.1.27) // range not from residence network
Client MAC address: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX) // client mac address
[Malformed Packet: BOOTP/DHCP]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
Hope to ear from you soon with Microsoft latest info regarding the hotfix.
Best Regards,
Eduardo
edit: can you tell us what hotfix is causing this situation? Thanx
(from [eB] )
