Question
Wednesday, September 7, 2011 5:54 PM
I am running a mixed environment of windows 2008r2 servers and windows 2003 servers. The servers are arranged in a hub and spoke method with the Hub at a co-location facility and the spokes at remote offices. The DHCP Scopes are split with 1/2 of a range listed on the hub dhcp server and 1/2 the range at the spoke server. The spoke sites are remote and connected with a variety of broadband links. The routing devices were set to use helper addresses, they currently are not because of troubleshooting this issue.
I have been observing an issue with DHCP and I don't know whether it's expected or not. I am investigating a performance issue at one of our sites and I notice that (through the microsoft network monitor) DHCP server is sending out multiple DHCP ACK's to individual clients, something on the order of one every 60 seconds. A second packet sniff on the LAN itself shows the clients sending multiple DHCP REQUEST with the INFORM MSG. These are sent to the broadcast address (255.255.255.255) for the local subnet. The broadcasts are not traversing the routers but that seems a lot of spurious DHCP activity for a 4-part conversation that should last for 8 days on the lease time.
From the server perspective there are multiple direct (unicast) DHCP ACK's to an individual client, but there are also multiple DHCP ACK's to all addresses in the subnet (255.255.255.255).
I understand that there will be some of this kind of traffic but why is it occurring so often in both the unicast and the broadcast sense? (Just to confirm, when you look at the frame info on the packets sometimes the broadcast flag is at 1 and sometimes it is at 0.)
I turned off the helper addresses in this particular subnet because I found information stating that it can cause spurious DHCP messages and responses, I also found a reghack about how broadcast packets are treated when they traverse a relay (router/helper), but all DHCP addressing should be happening locally on the same subnet. It should not traverse the router anymore and (according to the dhcp lease table) it is only pulling addresses from the spoke dhcp server.
The clients are not running a software firewall of any sort, we are in a full active directory managed domain.
Clients are getting a DHCP address, I need to know why so much traffic is generated per client, and why it seems to be ongoing, also I need to know why the server and clients are hitting the broadcast address (255.255.255.255) multiple times. This issue seems to be happening on both windows 2008r2 servers and windows 2003 servers. The clients are Windows 7.
All replies (8)
Wednesday, September 7, 2011 7:02 PM
Hello,
please stick to one for the same problem:
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Saturday, September 10, 2011 8:21 PM
I have some notes on this. See if they help understand what's going on:
=======
Windows 7 DHCP Lease Behavior is different than Windows XP
DHCP Client Behavior
http://blogs.technet.com/b/networking/archive/2009/01/29/dhcp-client-behavior.aspx
If the DHCP client obtained a lease from a DHCP server on a previous occasion, and the lease is still valid (not expired) at system startup, the client tries to renew its lease. If, during the renewal attempt, the client fails to locate any DHCP server, it attempts to ping the default gateway listed in the lease, and proceeds in one of the following ways:
• If the ping is successful, the DHCP client assumes that it is still located on the same network where it obtained its current lease, and continues to use the lease as long as the lease is still valid. By default the client then attempts, in the background, to renew its lease when 50 percent of its assigned lease time has expired.
• If the ping fails, the DHCP client assumes that it has been moved to a network where a DHCP server is not available. The client then auto-configures its IP address by using the settings on the Alternate Configuration tab. When the client is auto-configured, it attempts to locate a DHCP server and obtain a lease.
As a workaround, you can force a Windows Vista or Windows 7 DHCP client to keep the old DHCP lease by adding registry key “DontPingGateway” if connectivity fails, see the resolution in the KB article below:
Windows Vista does not keep its DHCP IP address if a DHCP server is not available (works for Windows 7, too):
http://support.microsoft.com/kb/958336
References and previous discussions on this topic:
Clients get autoconfig address when DHCP server is down
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0f1a6d43-aca1-41c7-bac8-a24632a34644
How can Windows 7 Client hold DHCP Config after reboot without DHCP Server running?
http://social.technet.microsoft.com/forums/en-us/winserverNIS/thread/245EF423-F2CA-42CD-8CAF-8B12D4565633
Windows 7 machines not getting DHCP IP !!!!URGENT!!!!!!
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c5f0c1b3-b6bf-465c-9b96-5ea1c9198bbc
DHCP renewal does not work on windows 7
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/2a18bb78-211a-42e4-809a-8be4133149e6
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, September 13, 2011 9:15 AM
hi,
By checking your information, I provided some reference for you to understand how the Windows 7 client behaves for the server below:
Clients get autoconfig address when DHCP server is down
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0f1a6d43-aca1-41c7-bac8-a24632a34644
How can Windows 7 Client hold DHCP Config after reboot without DHCP Server running?
http://social.technet.microsoft.com/forums/en-us/winserverNIS/thread/245EF423-F2CA-42CD-8CAF-8B12D4565633
Windows 7 machines not getting DHCP IP !!!!URGENT!!!!!!
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c5f0c1b3-b6bf-465c-9b96-5ea1c9198bbc
DHCP renewal does not work on windows 7
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/2a18bb78-211a-42e4-809a-8be4133149e6
If you think your DHCP server encountered the incorrect, please help me gather the Netmon logs for analysis by following the steps below:
Please help me capture a network traces for your issue so that I can find some error transmission during the procedure.
a. Download Microsoft Network Monitor Tool from the following link and install it on the problematic client (Windows 7) and all the DHCP servers.
b. Start Network Monitor at "Start" ->"Program"-> "Microsoft Network Monitor 3.4" -> "Microsoft Network Monitor 3.4" them.
c. And then, on the left-panel, check the "LAN connection" and uncheck the other unnecessary connections on them.
NOTE: On Windows 7 or Windows 2008(R2) , please right-click "Microsoft Network Monitor 3.4", click "Run as Administrator"
d. Click "Tools", click "Options", switch to the "Capture" tab, and set the "Temporary capture file size (MB)" to 400 these two machines.
e. Click "New Capture", click "Start" on the Capture menu in the Network Monitor window.
f. Now from the client, please perform the following steps:
- Please reproduce the problem:
open the cmd prompt command as the administrator and input "ipconfig /release & ipconfig /renew".
g. After that, click "Stop" on the Capture menu on the DHCP servers and the client, and click "File"->"Save as" to save the captured files. Please send all the files and the log to the workspace.
Note that: please let me know their IP addresses.
Workspace
==============
URL: https://sftus.one.microsoft.com/choosetransfer.aspx?key=8d5d83aa-ed60-48ca-b3c9-6ac2d83643af
Password: 2A4GmZtKRX
Annie Gu
Wednesday, September 14, 2011 6:20 PM
Thanks for the replies. Unfortunately they really are not answering the question, that may be because of the way the question is phrased.
A couple of things to understand:
- DHCP is working correctly, Clients receive the correct IP, they are not receiving an APIPA, everything is working.
- Each site should have two DHCP Servers with the scope split between the two. One DHCP server is on the local subnet, one is on a remote subnet.
- For troubleshooting any DHCP helpers or relays have been disabled so the remote DHCP server should not be servicing any requests (it isn't by the way), all DHCP requests are being handled by the dhcp server on the local subnet.
What I understand is supposed to be happening is this.
- The client sends out a DHCPDISCOVER request to a broadcast address (255.255.255.255) to find out the DHCP server.
- The Server sends out a DHCPOFFER reply to a broadcast address (255.255.255.255) but it contains the physical address (mac) of the originating client by way of the reply.
- The client sends out a DHCPREQUEST request again to a broadcast address (255.255.255.255) to request an IP from the server and make sure it's not used elsewhere.
- The Server responds to the DHCPREQUEST with a DHCPACK/DHCPNACK to a broadcast address saying it's OK to use the IP.
At that point the DHCP address is leased for 8 days (in our environment) DHCP traffic should minimize between the DHCP Server and Client.
This is what is happening based on the network monitor in our network.
- The Clients receive their DHCP assigned addresses, then if you look at the NETMON running on the dhcp server you see a DHCPACK go out to the client approximately every 60 seconds. So it looks like this:
DHCPSERVER -->CLIENT1 DHCPACK
60sec later
DHCPSERVER -->CLIENT1 DHCPACK
60sec later
DHCPSERVER -->CLIENT1 DHCPACK
and so on.
At no point do you see the client making requests to the dhcp server, and after the initial DHCPOFFER packet goes out from the server no further DHCPOFFER packets are going out to the client. The client has a working IP address.
- My question is "WHY SO MANY DHCPACK's" go back to the client. Why if the client is not requesting a renewal every 60sec is it still necessary to transmit a DHCPACK to the client.
- Another possibility is that the client is requesting periodic renewals every 60sec but it's not showing up as a DHCPDISCOVER/DHCPREQUEST packet.
- A third possibility is because DHCP sends out a DHCPACK on every request to a broadcast address (255.255.255.255) those would by necessity show up as individual DHCPACK's too.
I hope this makes more sense.
Wednesday, September 14, 2011 7:05 PM
Ok I have some updated information on this.
It looks like the DHCPACK's are happening in response to a Request from the client. The description of the packet is DHCP:Request, MsgType = INFORM.
So the server is replying with the DHCPACK to the INFORM request.
All of which leads me to the question, What are the INFORM requests for and how do I keep them from happening so often?
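To measure how often each client sends INFORM, as opposed to reading it off a capture by eye, the sketch below parses raw DHCP payloads and reports the gaps between successive DHCPINFORMs per client MAC. It is an added example, not part of the original thread; the function names, the thresholds and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
INFORM, ACK = 8, 5            # option 53 (message type) values from RFC 2132

def parse_dhcp(payload):
    """Return (client_mac, message_type, broadcast_flag) for a UDP 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    flags = struct.unpack("!H", payload[10:12])[0]
    hlen = min(payload[2], 16)                  # chaddr field is 16 bytes at most
    mac = payload[28:28 + hlen].hex(":")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if payload[i] == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return mac, msg_type, bool(flags & 0x8000)

def inform_gaps(events):
    """Map client MAC -> seconds between its successive DHCPINFORM messages."""
    seen = defaultdict(list)
    for ts, payload in sorted(events, key=lambda e: e[0]):
        mac, msg_type, _ = parse_dhcp(payload)
        if msg_type == INFORM:
            seen[mac].append(ts)
    return {m: [b - a for a, b in zip(t, t[1:])] for m, t in seen.items()}

def chatty_clients(events, max_gap=120, min_informs=3):
    """Clients that sent at least min_informs INFORMs, never more than max_gap apart."""
    return sorted(m for m, gaps in inform_gaps(events).items()
                  if gaps and len(gaps) + 1 >= min_informs and max(gaps) <= max_gap)

def build(mac, msg_type, op=1, broadcast=False):
    """Constructed sample message: fixed header, cookie, option 53, end option."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0x8000 if broadcast else 0)
    hdr += bytes(16) + bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return hdr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed capture: one client repeats INFORM every 60 s, another sends one.
SAMPLE = [(t, build("00:11:22:33:44:55", INFORM, broadcast=(t % 120 == 0)))
          for t in (0, 60, 120, 180)]
SAMPLE += [(61, build("00:11:22:33:44:55", ACK, op=2)),
           (5, build("66:77:88:99:aa:bb", INFORM))]
```

Feed it `(timestamp, udp_payload)` pairs exported from a capture; the server's ACKs are parsed but not counted, so only client-originated INFORMs drive the result.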
Thursday, September 15, 2011 9:32 AM
Hi,
Based on your current status, I did some research to give an explanation about the DHCP INFORM request.
I quote a section of the article below for reference:
• For member servers (a server joined to a domain that is part of the enterprise), the DHCP server queries AD DS for the list of authorized DHCP server IP addresses.
If the server finds its IP address in the authorized list, it initializes and starts providing DHCP service to clients. If it does not find itself in the authorized list, it does not initialize and stops providing DHCP services.
When installed in a multiple forest environment, DHCP servers seek authorization from within their forest only. Once authorized, DHCP servers in a multiple forest environment lease IP addresses to all reachable clients. Therefore, if clients from another forest are reached using routers with DHCP/BOOTP forwarding enabled, the DHCP server leases IP addresses to them.
If AD DS is not available, the DHCP server continues to operate in its last known state.
• For stand-alone servers (a server not joined to any domain or part of an existing enterprise). When the DHCP service starts, it sends a DHCP information message (DHCPINFORM) request to the reachable network, using the local limited broadcast address (255.255.255.255) to locate the root domain on which other DHCP servers are installed and configured.
This message includes several vendor-specific option types that are known and supported by other DHCP servers running Windows Server 2003 and Windows Server 2008. When received by other DHCP servers, these option types enable the query and retrieval of information about the root domain. When queried, the other DHCP servers reply with DHCP acknowledgement messages (DHCPACK) to both acknowledge and answer with Active Directory root domain information.
If the stand-alone server receives no reply, it initializes and starts providing DHCP services to clients. If the stand-alone server receives a reply from a DHCP server that is authorized in AD DS, the stand-alone server does not initialize and does not provide DHCP services to clients.
So in your situation, I would like to know if the DHCPACK is responding to the DHCP INFORM request? How can you be sure the DHCPACK is the response to the client request?
Thanks,
Best regards
Sunday, November 20, 2011 5:27 AM
Was there ever any resolution to this? My wife just brought home a brand new Win7 laptop today (home premium sp1) and I am getting DHCPINFORM packets from it every 60 seconds. I have 4 other win7 machines in the home network and none of them exhibit this behavior. Any idea what would cause this, and more importantly, how I can get it to stop and only do the normal renewal at 1/2 the timeout interval?