Weird DHCP behavior.

Started by arnoudvanderschans, April 16, 2025, 10:21:31 AM

April 16, 2025, 10:21:31 AM Last Edit: April 16, 2025, 10:24:06 AM by arnoudvanderschans
Hi All,

Long time no post, but I'm back again! 😊
I'm experiencing some strange behavior on multiple routers.

One of the routers is running OPNsense 24.7.12_4-amd64, and it will be updated soon (not sure if this issue has already been fixed in a newer version).
It's always at least one device that claims a lot of DHCP addresses; sometimes there are more devices that get multiple addresses, and then our DHCP pool gets full :(.

Here's the DHCP log for one of the leases:

2025-04-16T09:57:23   Error   dhcpd   Abandoning IP address 192.168.6.100: pinged before offer   
2025-04-16T09:57:23   Debug   dhcpd   ICMP Echo reply while lease 192.168.6.100 valid.   
2025-04-16T09:57:23   Error   dhcpd   Reclaiming abandoned lease 192.168.6.100.   
2025-04-16T09:54:56   Error   dhcpd   Abandoning IP address 192.168.6.100: pinged before offer   
2025-04-16T09:54:56   Debug   dhcpd   ICMP Echo reply while lease 192.168.6.100 valid.   
2025-04-16T09:54:56   Error   dhcpd   Reclaiming abandoned lease 192.168.6.100.

Is anyone else seeing this weird behavior as well?

Tweak lease times on OPN?
But you probably want to do some packet captures to see why it happens. Hopefully you don't have more than one DHCP server issuing IPs.

Hi Cookie,

Thanks for your reply, forgot to post the lease times, but they are set at:
Default: 900.
Maximum: 1800.

Weird thing is that only one device, as shown in the attachment, claims multiple IP addresses, so no idea why this happens.
And you can see that the lease is only active for like 1 second or so, but the router doesn't automatically remove the leases.

The only DHCP server in the network is the OPNsense, and this happens at more customers where we have an OPNsense running, but not all our customers, so it's a funky thingy.


Hi. I'd be doing packet captures if anything out of curiosity ;)

Have you tried the 'ignore client uid' setting? I'm not sure this is the real problem or only hides it, but this sometimes successfully prevents systems from acquiring multiple leases.
In theory there is no difference between theory and practice. In practice there is.

What does the ARP table look like?
It may point at devices hogging IPs.

Hi All,

I turned off: ignore client uid, and because we have a lot of Apple endpoints on the client site, I also disabled the MAC address change option on the Apple endpoints.

It looks a little bit more stable right now, and I will update the routers to the latest version next week. I will keep you posted!

I believe the issue is with your Apple device.

The first step of DHCP is for the client device to broadcast a DHCP Discover message to identify available DHCP servers on the network. This means the DHCP server won't assign any IP to any device unless it receives a request.


Nortant, what leads you to think an Apple device might not discover and request?
Deciso DEC697
+crowdsec +wireguard

Actually, allocation only happens on DISCOVER with ISC:
https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf#dynamic-address-allocation

The fact that IP conflict prevention happens (ICMP echo attempted) indicates that clients are in INIT state, sending a DISCOVER (versus requesting an extension of their current lease via REQUEST). That's the next chapter.

Quote from: passeri on April 27, 2025, 06:00:23 AM
Nortant, what leads you to think an Apple device might not discover and request?

No no, I don't mean that the Apple device might not discover and request. I mean the new feature on the Apple device (presumably after iOS 18?): the private WLAN address could be rotating. I guess if the endpoint device changes its WLAN address (for instance, the signal is weak and the device disconnects and reconnects again and again), it might request a new IP address.

Compared with the DHCP server and the endpoint device, I believe the issue is the endpoint, not the server.

Yeah, I admit that my belief depends on the descriptions he provided.
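One way to check the lease database for the pattern discussed in this thread (one client holding several active leases under rotating private MAC addresses), as an added example that is not from any poster. It assumes the ISC dhcpd.leases text format; the sample data, hostnames and function names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in ISC dhcpd.leases syntax (not data from the thread).
SAMPLE_LEASES = """
lease 192.168.6.100 {
  binding state active;
  hardware ethernet 3a:11:22:33:44:55;
  client-hostname "iPhone-A";
}
lease 192.168.6.101 {
  binding state active;
  hardware ethernet d6:aa:bb:cc:dd:01;
  client-hostname "iPhone-A";
}
lease 192.168.6.101 {
  binding state free;
}
lease 192.168.6.102 {
  binding state active;
  hardware ethernet 7e:aa:bb:cc:dd:02;
  client-hostname "iPhone-A";
}
lease 192.168.6.110 {
  binding state active;
  hardware ethernet 00:1b:21:0a:0b:0c;
  client-hostname "printer";
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
def field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def is_locally_administered(mac):
    # Bit 0x02 of the first octet is set on randomized "private" Wi-Fi MACs.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def multi_lease_clients(text):
    """Return {client: [(ip, mac, randomized)]} for clients holding >1 active lease."""
    latest = dict(LEASE_RE.findall(text))  # append-only file: last entry per IP wins
    by_client = defaultdict(list)
    for ip, body in latest.items():
        mac = field(body, r"hardware ethernet ([0-9a-fA-F:]+);")
        if mac and field(body, r"^\s*binding state (\w+);") == "active":
            client = field(body, r'client-hostname "([^"]*)";') or mac
            by_client[client].append((ip, mac, is_locally_administered(mac)))
    return {c: v for c, v in by_client.items() if len(v) > 1}
```

A client listed here with several locally administered MACs matches the rotating private address explanation; the same hostname under several globally unique MACs would need a different explanation.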

April 28, 2025, 05:08:51 AM #11 Last Edit: April 28, 2025, 05:12:54 AM by Nortant
Quote from: EricPerl on April 27, 2025, 08:17:22 AM
Actually, allocation only happens on DISCOVER with ISC:
https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf#dynamic-address-allocation

The fact that IP conflict prevention happens (ICMP echo attempted) indicates that clients are in INIT state, sending a DISCOVER (versus requesting an extension of their current lease via REQUEST). That's the next chapter.

Yes, you are right. Forgive my inaccurate choice of words; my point is that the first step comes from the endpoint device, not the DHCP server.


I'm not a fan of this diagram. I prefer this one: