Monday 23 November 2020

DHCP scope full of BAD_ADDRESS Entries

This one comes up a lot. I've come across the following causes:

1 - Malware deliberately exhausting the scope (DHCP starvation), either by requesting leases from forged MAC addresses or by declining every address it is offered.

2 - Rogue DHCP server. If its pool overlaps yours, the addresses it hands out are already in use when your server offers them, so your clients decline them.

3 - Faulty NIC or driver on a device that never completes the DHCP exchange and keeps taking new addresses (sometimes fixed with a driver update).

4 - Proxy ARP issue. Similar to the above. After the client is given an address it ARPs for that IP to check nobody else is using it. A firewall doing proxy ARP for a NAT rule that covers the subnet answers that ARP, so the client sends a DHCPDECLINE, the server marks the address BAD_ADDRESS, and the client starts again with a new DHCPDISCOVER. The next address is declined the same way, and with several clients doing this the scope fills up quickly. Check your NAT rules and make sure they have "no-proxy-arp" set (the Cisco ASA keyword) even if the rule matches different traffic. Look in particular for any/any NAT rules.

Start with the DHCP audit logs on the DHCP server (on Windows, %SystemRoot%\System32\dhcp\DhcpSrvLog-*.log). A BAD_ADDRESS entry is created when a client sends a DHCPDECLINE for the address it was given, or when the server's own conflict detection gets a ping reply from an address it was about to offer, so the log tells you which client declined which address.

On the DHCP server, check arp -a and run a Wireshark capture looking for DHCP discover/offer/request/decline packets. The display filter dhcp.option.dhcp == 4 shows only DHCPDECLINE messages (older Wireshark versions use bootp. instead of dhcp.).

If DHCP is being relayed by an IP helper, take the capture on the client LAN, because the ARP replies that trigger the declines never cross the router. You can also check the ARP table on the device doing the IP helper: an entry for a supposedly free address that resolves to the firewall's MAC confirms the proxy ARP case.
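To turn the audit log into a list of who is declining what, here is an added PowerShell example (not from the original post, and not a Microsoft script). It parses the Windows DHCP audit-log layout and counts event ID 13 ("An IP address was found in use on the network", which the server logs when a client declines an address) per client MAC. The sample log content is constructed for the example; only the parser is meant to be used as-is.

```powershell
# Added example (not from the original post): summarise who is declining
# addresses by parsing the Windows DHCP server audit log. Everything here is
# standard PowerShell; the sample log content below is constructed.

function Get-DhcpDeclineSummary {
    <#
      Takes the lines of a DhcpSrvLog-*.log file and returns one row per client
      MAC that triggered event ID 13, which is what the server logs when a
      client declines an address. Extra columns in the real file are ignored
      because the CSV is addressed by column name.
    #>
    param([Parameter(Mandatory)][string[]]$LogLines)

    # The file starts with a legend; the CSV proper begins at the "ID,Date,..." header.
    $headerIndex = 0
    while ($headerIndex -lt $LogLines.Count -and $LogLines[$headerIndex] -notlike 'ID,Date,*') {
        $headerIndex++
    }
    if ($headerIndex -ge $LogLines.Count) { return @() }

    $rows = $LogLines[$headerIndex..($LogLines.Count - 1)] |
            Where-Object { $_.Trim() } |      # drop blank lines
            ConvertFrom-Csv

    $rows | Where-Object { $_.ID -eq '13' } |
        Group-Object -Property 'MAC Address' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                MAC       = $_.Name
                Declines  = $_.Count
                Addresses = ($_.Group.'IP Address' | Sort-Object -Unique) -join ' '
            }
        }
}

# Constructed sample in the audit-log layout (real files carry more columns
# after "User Name" and a longer legend; both are harmless to the parser).
$sampleLog = @'
		Microsoft DHCP Service Activity Log

Event ID  Meaning
10	A new IP address was leased to a client.
13	An IP address was found in use on the network.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,11/23/20,09:13:55,Assign,192.168.10.57,laptop01.example.local,0050568A1B2C,
13,11/23/20,09:14:02,Conflict,192.168.10.57,,0050568A1B2C,
10,11/23/20,09:14:03,Assign,192.168.10.58,laptop01.example.local,0050568A1B2C,
13,11/23/20,09:14:10,Conflict,192.168.10.58,,0050568A1B2C,
10,11/23/20,09:14:11,Assign,192.168.10.59,laptop01.example.local,0050568A1B2C,
13,11/23/20,09:14:18,Conflict,192.168.10.59,,0050568A1B2C,
10,11/23/20,09:20:41,Assign,192.168.10.60,printer02.example.local,3C2AF4001122,
13,11/23/20,09:20:49,Conflict,192.168.10.60,,3C2AF4001122,
'@ -split "`r?`n"

Get-DhcpDeclineSummary -LogLines $sampleLog | Format-Table -AutoSize

# On the DHCP server itself, feed it the live logs (Windows keeps one file per weekday):
# Get-ChildItem (Join-Path $env:SystemRoot 'System32\dhcp') -Filter 'DhcpSrvLog-*.log' |
#     ForEach-Object { Get-DhcpDeclineSummary -LogLines (Get-Content $_.FullName) }
```

Reading the result: one MAC declining address after address points at that device (cause 3); many different MACs each declining whatever they are given means something on the segment is answering for the whole range (proxy ARP or a rogue server, causes 2 and 4); a long list of MACs you have never seen, one decline each, looks like starvation (cause 1).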

If it is just one MAC address, a quick workaround is to create a reservation for that MAC so it always gets the same IP; it then cannot burn through the rest of the pool. Then clear the BAD_ADDRESS entries out of the scope.

You also have the option of shortening the lease time so declined addresses come back into the pool sooner. You can set up a script/scheduled task to stop and start the DHCP service (clearing down the scope), or, if you have scripting skills, look for the "BAD_ADDRESS" entries and delete just those with a script so real leases are left alone.
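The workarounds above, done with the DhcpServer PowerShell module, as an added example (not from the original post). It assumes the module (RSAT "DHCP Server Tools") and a DHCP-admin account; the scope, MAC, addresses, lease duration and script path are placeholders for your environment.

```powershell
# Added example (not from the original post): reservation, shorter leases and a
# BAD_ADDRESS-only cleanup using the DhcpServer module. Placeholder values throughout.
#Requires -Modules DhcpServer

function Clear-BadAddressLease {
    <#
      Deletes only the BAD_ADDRESS entries in a scope (they show AddressState
      'Declined' and HostName 'BAD_ADDRESS'), leaves real leases alone, and
      returns how many it found. Use -WhatIf to list them without deleting.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ScopeId,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $bad = @(Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $ScopeId -AllLeases |
             Where-Object { $_.AddressState -eq 'Declined' -or $_.HostName -eq 'BAD_ADDRESS' })
    foreach ($lease in $bad) {
        if ($PSCmdlet.ShouldProcess("$($lease.IPAddress) (scope $ScopeId)", 'Remove BAD_ADDRESS lease')) {
            Remove-DhcpServerv4Lease -ComputerName $ComputerName -IPAddress $lease.IPAddress
        }
    }
    # Keep a record: a count that climbs straight back up means the cause is still there.
    $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName -ScopeId $ScopeId
    Write-Verbose ("Scope {0}: {1} BAD_ADDRESS entries, {2:N0}% in use" -f $ScopeId, $bad.Count, $stats.PercentageInUse)
    return $bad.Count
}

$scope = '192.168.10.0'

# 1. Single offender: pin its MAC to one address so it cannot walk through the pool.
Add-DhcpServerv4Reservation -ScopeId $scope -IPAddress '192.168.10.250' `
    -ClientId '00-50-56-8A-1B-2C' -Name 'laptop01' -Description 'Pinned: declines every lease, NIC fault suspected'

# 2. Shorter leases so declined addresses return to the pool sooner.
Set-DhcpServerv4Scope -ScopeId $scope -LeaseDuration (New-TimeSpan -Hours 8)

# 3. Clear the existing BAD_ADDRESS entries (dry run first, then for real).
Clear-BadAddressLease -ScopeId $scope -WhatIf
Clear-BadAddressLease -ScopeId $scope -Verbose

# 4. Run the cleanup hourly instead of bouncing the DHCPServer service, assuming the
#    function above is saved as C:\Scripts\Clear-BadAddress.ps1 (hypothetical path).
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Clear-BadAddress.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
           -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName 'DHCP-ClearBadAddress' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest
```

Two caveats. The reservation only helps when a single faulty device is the problem; in the proxy ARP case every client declines, so a reservation changes nothing. And clearing BAD_ADDRESS entries without fixing the cause just hands the same addresses out to be declined again, which is why the function logs the count each run.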

The longer-term, proper fix is to find the device(s) causing the declines and sort them out.

You may also have the option to enable DHCP snooping on your switches. Configure the ports facing your DHCP servers (and the uplinks that lead to them) as trusted; the switch then drops DHCP server messages (OFFER/ACK/NAK) arriving on any untrusted port, which stops a rogue server, and on most platforms it can also rate-limit DHCP requests on access ports, which blunts a starvation attack. Trust the uplink before turning it on, or you will cut off legitimate DHCP for the whole VLAN.

https://www.petenetlive.com/KB/Article/0001651


