

Weird MAC on DHCP 31202e3235332e302e

Question

Thursday, October 18, 2012 2:32 PM | 1 vote

Hi,

I see some weird address leases in my DHCP console that are consuming the whole scope. They really take up to 100% of the leases.

The strange thing is the MACs, which all start with 31202e3235332e302eXXXXXX - where XXXXXX are random numbers and letters. I've attached an image here to help better.

I'm coping to find out where this is coming from. If it's from a pc, laptop or other network device...

Has anyone gone thru this before??

Cheers

All replies (17)

Friday, October 19, 2012 1:47 AM ✅Answered

Hi,

Thank you for the post.

Based on my experience, a client unique ID starting with “31302e” may come from some VoIP device in your company.

Regards,

Nick Gu - MSFT


Wednesday, October 24, 2012 5:05 PM ✅Answered

Wow, you are very limited with your options. Apparently there's not much you can do about it. If you see the lease, just delete it. If you like, you can create a Reservation for that MAC and give it an IP that you can block on the router, or create a Windows Firewall or IPSec filter to block that IP on the DC/DNS server, so when he connects again, he'll get an IP that won't be able to access the internet. :-)

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Friday, October 19, 2012 11:06 AM

Hi Nick, thanks for that. Do you know how I can identify which device this is (or these are)?

This doesn't happen too often so I wonder if I can ever catch the user that comes in the office from time to time with it...


Wednesday, October 24, 2012 3:50 AM

Hi,

Thank you for the update.

No, you cannot identify the device from the DHCP console.

Regards,

Nick Gu - MSFT


Wednesday, October 24, 2012 4:19 AM

Does anyone come into the office with a router capable of VoIP? Or bring in their own VoIP phone and plug it into a network port?

Ace Fekay


Wednesday, October 24, 2012 4:24 AM

Or if you have a managed switch, grab the MAC address, and look it up on your switch to see which port it is.

You can setup NAP for DHCP to prevent unauthorized leases.

Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
http://www.microsoft.com/en-us/download/details.aspx?id=2409

Ace Fekay


Wednesday, October 24, 2012 2:19 PM

Hello Ace, thanks for the posts.

As for the VOIP, I can't tell because this is a remote site in another country. There's no one from IT there, so it could be anyone bringing in any kind of dodgy device...
As for NAP, we are on 2003 yet... 2008 R2 to come next year, hopefully.
Checking the network switch/router is not an option. The network analyst is not willing to help, in other words.

It seems I'm stuck with this yet since the proposed options are not feasible due to the way my company is structured... :(


Wednesday, October 24, 2012 2:19 PM

Hi,

Thank you for the update.

No, you cannot identify the device from the DHCP console.

Regards,

Nick Gu - MSFT

Yes I'm well aware of that.


Wednesday, October 24, 2012 5:10 PM

Indeed limited. That's what happens when big companies decide to have separate specialist teams.

I can't reserve the IP because the MACs are different, therefore they take up all available addresses. The worst is that this doesn't happen often. It could happen today, in a week, in a few months. So it's really a puzzle.

Anyway, I got wireshark installed on the DHCP to identify where it's coming from.

Thanks once again.


Thursday, October 25, 2012 4:09 AM

Sounds like a good plan, based on your circumstances. Keep us updated, please.

Ace Fekay


Wednesday, August 6, 2014 4:38 PM

Did you ever try converting the unique IDs from Hex to ASCII? Someone once suggested that when troubleshooting a similar DHCP problem and the translated ASCII read like a DNS name or VLAN name, or something.

In your case, the unique IDs translate into IP addresses that belong to some other scope. Your very first example 31302e3235332e302e313000 translated to 10.253.0.10 with an extra zero; usually an end-of-string delimiter for C/C++ strings.

--


Thursday, October 30, 2014 1:51 PM

I have the same problem here now.  Has anyone ever figured out how to trace down these bogus addresses or what is creating them?

I have tried a Wireshark tap and deleted the bad addresses, then reconciled, and then they came back of course. Then I filtered my Wireshark tap on just DHCP info and it never even showed one of those bad addresses coming back, although I see them in my DHCP leases. This is bizarre. There is no MAC address to trace down from the switches either. The long "MAC" addresses that are shown are just the ASCII version of the IP address they take.
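The hex-to-ASCII check suggested in the August 2014 reply, combined with the lease-versus-ID comparison described in the October 2014 reply, as an added Python example that is not part of any post in this thread. The lease rows are constructed (only the ID 31302e3235332e302e313000 is quoted from the thread), and the function names and the 192.168.1.x lease addresses are assumptions.

```python
import ipaddress

def decode_unique_id(hex_id):
    """Classify a DHCP lease unique ID given as a hex string."""
    raw = bytes.fromhex(hex_id.replace(":", "").replace("-", ""))
    text_bytes = raw.rstrip(b"\x00")          # drop a C-style string terminator
    if text_bytes and all(0x20 <= b < 0x7F for b in text_bytes):
        text = text_bytes.decode("ascii")
        try:
            return ("ascii-ip", str(ipaddress.IPv4Address(text)))
        except ipaddress.AddressValueError:
            if len(raw) != 6:                 # a 6-byte ID is more likely a MAC
                return ("ascii-text", text)
    if len(raw) == 6:
        return ("mac", raw.hex(":"))
    if len(raw) == 7 and raw[0] == 0x01:      # option 61: type 1 (Ethernet) + MAC
        return ("mac", raw[1:].hex(":"))
    return ("opaque", raw.hex())

def triage(leases):
    """Return (lease_ip, kind, decoded, id_equals_lease) for every lease
    whose unique ID is not a plain hardware address."""
    rows = []
    for lease_ip, hex_id in leases:
        kind, value = decode_unique_id(hex_id)
        if kind == "mac":
            continue
        same = kind == "ascii-ip" and value == lease_ip
        rows.append((lease_ip, kind, value, same))
    return rows

# Constructed sample export: (leased address, unique ID as shown in the console)
LEASES = [
    ("192.168.1.20", "00155d0a1b2c"),              # constructed: ordinary MAC
    ("192.168.1.21", "31302e3235332e302e313000"),  # ID quoted in the thread
    ("192.168.1.22", "31302e3235332e302e323700"),  # constructed: "10.253.0.27"
    ("10.253.0.31", "31302e3235332e302e333100"),   # constructed: ID == lease IP
]

if __name__ == "__main__":
    for lease_ip, kind, value, same in triage(LEASES):
        note = "ID is the leased address" if same else "ID names another address"
        print(f"{lease_ip:15} {kind:10} {value:15} {note}")
```
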


Wednesday, April 1, 2015 2:02 AM

Might be a bit late to reply on this but we're experiencing the same issue and it's caused by Kaspersky in our environment.  KES10 to be exact.  A quick google search will get you more info or log a case with Kaspersky.

Hope that helps someone.


Tuesday, April 14, 2015 3:00 AM

http://forum.kaspersky.com/lofiversion/index.php/t290389.html


Thursday, June 9, 2016 1:44 PM

In my case, it started when we enabled Windows Firewall for Domain Networks on Windows 7 machines so we disabled it back and the issue with DHCP is resolved.


Wednesday, July 26, 2017 10:19 AM

Hello,

Read this, it may help: http://camratus.com/2017/07/26/deal-with-dhcp-server-ip-exhausted/

Regards,

T.


Tuesday, August 7, 2018 9:56 PM

Check VLAN Trunking on the DHCP Server's switchport. 

This is exactly what mine looked like when it wasn't configured correctly.