Weird MAC on DHCP 31202e3235332e302e

Hi,

I see some weird address leases in my DHCP console that are consuming the whole scope. They really take up to 100% of the leases.

The strange thing is the MACs, which all start with 31202e3235332e302eXXXXXX - where XXXXXX are random numbers and letters. I've attached an image here to help better.

I'm coping to find out where this is coming from. If it's from a pc, laptop or other network device...

Has anyone gone through this before?

Cheers


October 18th, 2012 2:32pm

Hi,

Thank you for the post.

Based on my experience, a client unique ID starting with 31302e may come from some VoIP device in your company.

Regards,

October 19th, 2012 1:47am

Hi Nick, thanks for that. Do you know how I can identify which device this is (or these are)?

This doesn't happen too often so I wonder if I can ever catch the user that comes in the office from time to time with it...

October 19th, 2012 11:06am

Hi,

Thank you for the update.

No, you cannot identify the device from the DHCP console.

Regards,

October 24th, 2012 3:50am

Does anyone come into the office with a router capable of VoIP? Or bring in their own VoIP phone and plug it into a network port?
October 24th, 2012 4:19am

Or if you have a managed switch, grab the MAC address, and look it up on your switch to see which port it is.

You can setup NAP for DHCP to prevent unauthorized leases.

Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
http://www.microsoft.com/en-us/download/details.aspx?id=2409

October 24th, 2012 4:24am


Hello Ace, thanks for the posts.

As for the VOIP, I can't tell because this is a remote site in another country. There's no one from IT there, so it could be anyone bringing in any kind of dodgy device...
As for NAP, we are on 2003 yet... 2008 R2 to come next year, hopefully.
Checking the network switch/router is not an option. The network analyst is not willing to help, in other words.

It seems I'm stuck with this yet since the proposed options are not feasible due to the way my company is structured... :(

October 24th, 2012 2:19pm

Wow, you are very limited with your options. Apparently there's not much you can do about it. If you see the lease, just delete it. If you like, you can create a Reservation for that MAC and give it an IP that you can block on the router, or create a Windows Firewall or IPSec filter to block that IP on the DC/DNS server, so when he connects again, he'll get an IP that won't be able to access the internet. :-)

October 24th, 2012 5:05pm

Indeed limited. That's what happens when big companies decide to have separate specialist teams.

I can't reserve the IP because the MACs are different, therefore they take up all available addresses. The worst is that this doesn't happen often. It could happen today, in a week, in a few months. So it's really a puzzle.

Anyway, I got wireshark installed on the DHCP to identify where it's coming from.

Thanks once again.

October 24th, 2012 5:10pm

Sounds like a good plan, based on your circumstances. Keep us updated, please.
October 25th, 2012 4:09am

Did you ever try converting the unique IDs from Hex to ASCII? Someone once suggested that when troubleshooting a similar DHCP problem and the translated ASCII read like a DNS name or VLAN name, or something.

In your case, the unique IDs translate into IP addresses that belong to some other scope. Your very first example 31302e3235332e302e313000 translates to 10.253.0.10 with an extra zero, usually an end-of-string delimiter for C/C++ strings.

August 6th, 2014 4:38pm

I have the same problem here now. Has anyone ever figured out how to trace down these bogus addresses or what is creating them?

I have tried a Wireshark tap and deleted the bad addresses, then reconciled, and then they came back of course. Then I filtered my Wireshark tap on just DHCP info and it never even showed one of those bad addresses coming back, although I see them in my DHCP leases. This is bizarre. There is no MAC address to trace down from the switches either. The long "MAC" addresses that are shown are just the ASCII version of the IP address they take.

October 30th, 2014 1:51pm
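The hex-to-ASCII decoding described two posts up, and the observation in the post above that the long "MAC" is just the ASCII form of an IP address, can be turned into a quick check over a lease export. This is an added example, not code from the thread; the lease-export line format and all lease rows except the quoted client ID are constructed for illustration.

```python
import re
import binascii

# Constructed sample export (hypothetical "ip  client-id-hex  name" layout).
# Only the first odd client ID is the one quoted in the thread above.
SAMPLE_LEASES = """
10.10.5.21   001122334455              LAPTOP-01
10.10.5.22   31302e3235332e302e313000  (none)
10.10.5.23   31302e3235332e302e323500  (none)
10.10.5.24   0050568a1b2c              PRINTER-3
"""

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def decode_client_id(hex_id: str):
    """Decode a DHCP client ID given as hex.

    Returns (text, had_nul): the ASCII text with any trailing NUL bytes
    stripped, and whether the ID ended in a NUL (the C-string terminator
    the thread noticed as the "extra zero").
    """
    raw = binascii.unhexlify(hex_id)
    had_nul = raw.endswith(b"\x00")
    text = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return text, had_nul


def looks_like_ip_string(text: str) -> bool:
    """True when the decoded text is a valid dotted-quad IPv4 address."""
    m = DOTTED_QUAD.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def find_bogus_leases(export: str):
    """Flag leases whose client ID decodes to an IP string instead of a MAC.

    Real MAC-based IDs decode to unprintable bytes and are left alone.
    """
    bogus = []
    for line in export.strip().splitlines():
        ip, client_id, *_ = line.split()
        text, had_nul = decode_client_id(client_id)
        if looks_like_ip_string(text):
            bogus.append((ip, client_id, text, had_nul))
    return bogus
```

Running `find_bogus_leases(SAMPLE_LEASES)` flags the two IP-string client IDs and reports the embedded address, which tells you which foreign scope the rogue client believes it belongs to.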

Might be a bit late to reply on this, but we're experiencing the same issue and it's caused by Kaspersky in our environment. KES10 to be exact. A quick Google search will get you more info, or log a case with Kaspersky.

Hope that helps someone.

March 31st, 2015 10:05pm
