DHCP Server is completely ignoring DHCP Discover messages from clients in remote subnet

  • Question

  • Hi All,

    I have an issue with a DHCP server that is not responding to "some" DHCP Discover messages that it receives. Here is my setup.

    The DHCP server is set up on a VM running on a Windows Server 2012 R2 Hyper-V host. Next to the DHCP role, the Windows Deployment Services role is also deployed on this server because it will have to provide PXE boot services. The VM has two NICs which are connected via a VMM logical switch to two networks (subnets). For both of these networks in VMM, IP Pools have been created, but the IP ranges in the pool have been completely excluded from IP assignments by VMM. The two networks are using the following IP ranges:

    1) 192.168.11.0/24 VLAN 1323
    2) 10.192.11.0/26 VLAN 1323

    The first network is only a DHCP test network. The second network is the main network. It has a routed connection to another (third) network (10.216.127.0/24) in which the clients are located that should get an IP address from the DHCP server in the first network. A DHCP Relay agent has been set up on the network device that is used for the routed connection between networks 2 & 3. The DHCP server has the following IP addresses in the two above networks:

    1) 192.168.11.1
    2) 10.192.11.12

    In DHCP, two active scopes have been set up for networks 1 & 3. Network one only exists at the moment to verify whether the DHCP server can hand out IP addresses to "local" devices. This is working fine. When I PXE boot a client VM in the first network everything works as expected. The client receives an IP address and is able to do a PXE boot. The DHCP DORA flow is completely visible with Wireshark on the DHCP/WDS Server VM. Based on this test I concluded: the DHCP/WDS server basic setup is working.

    After this successful step I started testing with the main network number 2.

    There are some clients in this network with network cards that have "Obtain an IP address automatically" configured. The DHCP Discover messages from these devices are received by the server and visible in Wireshark. The DHCP server is picking these messages up, I think, because both NICs are connected to the same VLAN (1323) and there is an active scope for 192.168.11.0/24, so the DHCP can hand out IP addresses via the NIC with IP number: 192.168.1.1.

    All these devices are not authorized in the DHCP (MAC) filter defined. So the Discover messages are basically ignored by the DHCP server. The dropping of these messages is visible in the DHCP Server event log and also in the DHCP Statistics as these messages are counted in DHCP "Discovers". When I authorize the MAC address of one of these devices, immediately an IP address is being handed out to this device and the DHCP Statistics are being incremented: 1 Offer, 1 Request, 1 Acks. Also an address lease becomes visible for the authorized device. So far everything working as expected.

    Now for the real issue. When I started testing with devices in the remote subnet (10.216.127.0/24) things are not working as expected. The DHCP Discover messages are being received on the DHCP server. They are visible in Wireshark. I see that the messages are originating from 10.216.127.3. This is my DHCP Relay device. So far still good, because the DHCP relay looks to be working. I was expecting it would be picked up by DHCP because this IP address matches the active scope for 10.216.127.0. It looks like DHCP somehow completely ignores these DHCP Discover messages coming from the remote subnet. These messages are not counted in the DHCP Statistics, and nothing is found in the DHCP Server event log nor in the DHCP log files found in C:\Windows\System32\Dhcp.

    I've also disabled the MAC filter completely but no effect. Messages still being ignored.

    Why are the DHCP Discover messages from the remote subnet ignored? Is there a way to debug/trace the DHCP server process to find out why these messages somehow are ignored while others are processed successfully?

    Hope someone has a bright idea for this.

    Regards,

    Peter

    UPDATE: 28-06-2016
    After three days of troubleshooting and tracing network traffic together with Microsoft Premier Support the issue is still not solved. The Microsoft engineer ran out of ideas and is escalating the issue. Still no clue why the DHCP Discover messages are visible in Wireshark and network traces but not answered (no Offer) by the DHCP process running on the server and listening on the ports used for DHCP traffic. If there is a solution for this issue I will post it here.

    This has definitely changed my thoughts on how easy and simple it would be to setup a DHCP server on Windows.

    Wednesday, June 22, 2016 7:16 AM

Answers

  • Hi,

    It turned out there was a GPO active that enabled a Windows Filtering rule that prohibited unicast responses to multicast or broadcast requests. This originated from our enterprise security baseline. When we issued the following command two times: "NET STOP BFE" everything started working.

    Thanks for all the help.

     Peter
    Monday, July 11, 2016 4:57 AM
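As an added diagnostic (not code from any post in this thread), the following PowerShell walks the checks that narrow a relayed-Discover failure down the way this thread did, ending at the firewall profile setting the answer names; it assumes the DhcpServer and NetSecurity modules on Windows Server 2012 R2, an elevated session on the DHCP server, and uses a placeholder GPO path.

```powershell
# Added diagnostic for the situation in this thread; not code from the original
# posts. Assumes Windows Server 2012 R2 with the DhcpServer and NetSecurity
# modules, run elevated on the DHCP server itself. The relay address comes
# from the question; the GPO path at the end is a placeholder.
$relayAddress = '10.216.127.3'

# 1. A relayed Discover carries the relay's address in giaddr, and the DHCP
#    service picks the scope by that address. No matching active scope means
#    the packet is dropped without an event or a statistics increment.
function Get-ScopeForRelay {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    foreach ($scope in Get-DhcpServerv4Scope) {
        $net  = $scope.ScopeId.GetAddressBytes()     # network address of the scope
        $mask = $scope.SubnetMask.GetAddressBytes()
        $inScope = $true
        for ($i = 0; $i -lt 4; $i++) {
            if (($ip[$i] -band $mask[$i]) -ne $net[$i]) { $inScope = $false }
        }
        if ($inScope) { return $scope }
    }
}
$scope = Get-ScopeForRelay -Address $relayAddress
if (-not $scope) { Write-Warning "No scope covers relay $relayAddress" }
elseif ($scope.State -ne 'Active') { Write-Warning "Scope $($scope.ScopeId) is $($scope.State)" }
else { "Relay $relayAddress maps to scope $($scope.ScopeId)/$($scope.SubnetMask)" }

# 2. Counters before and after a test Discover: a Discover that is seen on the
#    wire but never counted here points away from DHCP configuration and
#    towards a lower layer such as the Windows Filtering Platform.
Get-DhcpServerv4Statistics | Select-Object Discovers, Offers, Requests, Acks, Naks

# 3. The setting the accepted answer identifies. Read the effective value from
#    the active store so a GPO-delivered value is what you see, not the local one.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, AllowUnicastResponseToMulticast

# 4. Change the single setting instead of stopping BFE (Base Filtering Engine),
#    which turns off Windows Firewall and IPsec entirely. If the value comes
#    from Group Policy, edit it in that GPO (placeholder path) and refresh
#    policy; a local change is overwritten at the next policy refresh.
# Set-NetFirewallProfile -Profile Domain -AllowUnicastResponseToMulticast True
# Set-NetFirewallProfile -PolicyStore 'contoso.example\Security Baseline GPO' `
#     -Profile Domain -AllowUnicastResponseToMulticast True
```

Run step 2 once, trigger a client Discover through the relay, and run it again: if Discovers does not move while Wireshark shows the packet, step 3 is the next place to look.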

All replies

  • Hi,

    1. Can you ping 10.216.127.3 from your DHCP server?

    2. Is the mask correct for the VLAN?

    3. Have you tried disabling and recreating the scope?

    4. Is there any other program using port 67? You could run the Best Practice Analyzer:

    https://technet.microsoft.com/en-us/library/dd759260.aspx

    5. Please try to reset the TCP/IP stack:

    https://support.microsoft.com/en-us/kb/299357

    6. Check this: The DHCP server fails to issue address leases for a new scope

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, June 23, 2016 6:08 AM
  • Hi Cartman Shen,

    Thank you for your reply.

    1) Yes, I can ping 10.216.127.3 from my DHCP server.
    2) When I configure a static IP on my device in the remote subnet I'm also able to ping the DHCP server. I'm then using the same subnet mask as I have configured in my DHCP scopes, so I assume these are correct.
    3) Yes, several times, as I have a script to configure the DHCP server.
    4) I'm running Windows Server 2012 R2. Is there also a BPA for this OS? The link you provided is for W2K8. I don't think there is another program using the port as it is working correctly for the 192.168.10.0 scope.
    5) Executed the reset of the TCP/IP stack. It removed my static IP assignments. When I reconfigured everything again it turned out the issue was still occurring.
    6) Checked it (even experimented with the super scope) but the issue still occurs. Reverted everything back to the original configuration.

    Thursday, June 23, 2016 8:36 AM
  • Hi,

    >>4) I'm running Windows Server 2012 R2. Is there also a BPA for this OS? The link you provided is for W2K8. I don't think there is another program using the port as it is working correctly for the 192.168.10.0 scope.

    Run Best Practices Analyzer Scans and Manage Scan Results

    https://technet.microsoft.com/en-us/library/hh831400(v=ws.11).aspx

    ________________________________________
    Best Regards,
    Cartman

    Tuesday, June 28, 2016 7:11 AM