Weird MAC on DHCP 31202e3235332e302e

  • Question

  • Hi,

    I see some weird address leases in my DHCP console that are consuming the whole scope. They really take up to 100% of the leases.

    The strange thing is the MACs, which all start with 31202e3235332e302eXXXXXX - where XXXXXX are random numbers and letters. I've attached an image here to help better.

    I'm coping to find out where this is coming from. If it's from a pc, laptop or other network device...

    Has anyone gone thru this before??

    Cheers


    • Edited by tyler55 Thursday, October 18, 2012 2:32 PM
    Thursday, October 18, 2012 2:32 PM

All replies

  • Hi,

    Thank you for the post.

    Based on my experience, client unique id started with “31302e” may come from some VoIP device in your company.

    Regards,


    Nick Gu - MSFT

    Friday, October 19, 2012 1:47 AM
    Moderator
  • Hi Nick, thanks for that. Do you know how I can identify which device this is (or these are)?

    This doesn't happen too often so I wonder if I can ever catch the user that comes in the office from time to time with it...

    Friday, October 19, 2012 11:06 AM
  • Hi,

    Thank you for the update.

    No, you cannot identify the device from the DHCP console.

    Regards,


    Nick Gu - MSFT

    Wednesday, October 24, 2012 3:50 AM
    Moderator
  • Does anyone come into the office with a router capable of VoIP? Or bring in their own VoIP phone and plug it into a network port?

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, October 24, 2012 4:19 AM
  • Or if you have a managed switch, grab the MAC address, and look it up on your switch to see which port it is.

    You can set up NAP for DHCP to prevent unauthorized leases.

    Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
    http://www.microsoft.com/en-us/download/details.aspx?id=2409


    Ace Fekay

    Wednesday, October 24, 2012 4:24 AM
  • Hello Ace, thanks for the posts.

    As for the VOIP, I can't tell because this is a remote site in another country. There's no one from IT there, so it could be anyone bringing in any kind of dodgy device...
    As for NAP, we are on 2003 yet... 2008 R2 to come next year, hopefully.
    Checking the network switch/router is not an option. The network analyst is not willing to help, in other words.

    It seems I'm stuck with this yet since the proposed options are not feasible due to the way my company is structured... :(

    Wednesday, October 24, 2012 2:19 PM
  • Hi,

    Thank you for the update.

    No, you cannot identify the device from the DHCP console.

    Regards,


    Nick Gu - MSFT


    Yes I'm well aware of that.
    Wednesday, October 24, 2012 2:19 PM
  • Wow, you are very limited with your options. Apparently there's not much you can do about it. If you see the lease, just delete it. If you like, you can create a Reservation for that MAC and give it an IP that you can block on the router or create a Windows Firewall or IPSec filter to block that IP on the DC/DNS server, so when he connects again, he'll get an IP that won't be able to access the internet. :-)


    Ace Fekay

    Wednesday, October 24, 2012 5:05 PM
  • Indeed limited. That's what happens when big companies decide to have separate specialist teams.

    I can't reserve the IP because the MACs are different, therefore they take up all available addresses. The worst is that this doesn't happen often. It could happen today, in a week, in a few months. So it's really a puzzle.

    Anyway, I got wireshark installed on the DHCP to identify where it's coming from.

    Thanks once again.

    Wednesday, October 24, 2012 5:10 PM
  • Sounds like a good plan, based on your circumstances. Keep us updated, please.

    Ace Fekay

    Thursday, October 25, 2012 4:09 AM
  • Did you ever try converting the unique IDs from Hex to ASCII? Someone once suggested that when troubleshooting a similar DHCP problem and the translated ASCII read like a DNS name or VLAN name, or something.

    In your case, the unique IDs translate into IP addresses that belong to some other scope. Your very first example 31302e3235332e302e313000 translated to 10.253.0.10 with an extra zero; usually an end-of-string delimiter for C/C++ strings.

    --

    • Proposed as answer by JoeSinc Wednesday, September 6, 2017 8:27 AM
    Wednesday, August 6, 2014 4:38 PM
  • I have the same problem here now.  Has anyone ever figured out how to trace down these bogus addresses or what is creating them?

    I have tried Wireshark tap and deleted the bad addresses, then reconciled and then came back of course.  Then I filtered my Wireshark tap on just DHCP info and it never even showed one of those bad addresses coming back, although I see them in my DHCP leases.  This is bizarre.  There is no MAC address to trace down from the switches either.  The long "MAC" addresses that are shown are just the ASCII version of the IP address they take.

    Thursday, October 30, 2014 1:51 PM
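
The hex-to-ASCII check suggested in the two posts above, as an added example that is not code from any poster: it classifies each client unique ID from an exported lease list and reports whether an ID that decodes to an IP string matches the leased address or falls outside the scope. The scope, the lease list layout and every sample value except `31302e3235332e302e313000` (quoted in the thread) are constructed assumptions.

```python
import ipaddress
from collections import Counter

def classify_client_id(uid_hex):
    """Classify one client unique ID (hex string as shown in the lease list)."""
    try:
        raw = bytes.fromhex(uid_hex.replace(":", "").replace("-", "").strip())
    except ValueError:
        return ("invalid", None)
    if len(raw) == 6 or (len(raw) == 7 and raw[0] == 0x01):
        # Plain Ethernet MAC, or option 61 with hardware type 1 in front.
        return ("mac", raw[-6:].hex(":"))
    text = raw.rstrip(b"\x00")  # drop the C-string terminator noted in the thread
    if text and all(0x20 <= b < 0x7F for b in text):
        s = text.decode("ascii")
        try:
            return ("ascii-ip", str(ipaddress.IPv4Address(s)))
        except ValueError:
            return ("ascii-text", s)  # e.g. a DNS or VLAN name
    return ("opaque", raw.hex())

def audit_leases(leases, scope):
    """leases: (leased_ip, uid_hex) pairs; scope: CIDR string of the DHCP scope."""
    net = ipaddress.ip_network(scope)
    kinds, findings = Counter(), []
    for leased_ip, uid_hex in leases:
        kind, detail = classify_client_id(uid_hex)
        kinds[kind] += 1
        if kind == "mac":
            continue  # normal lease, nothing to report
        note = ""
        if kind == "ascii-ip":
            ip = ipaddress.IPv4Address(detail)
            note = ("matches-lease" if str(ip) == leased_ip
                    else "in-scope" if ip in net else "outside-scope")
        findings.append((leased_ip, kind, detail, note))
    return kinds, findings

# Constructed sample; only the second unique ID is taken from the thread.
SAMPLE_SCOPE = "192.168.50.0/24"
SAMPLE_LEASES = [
    ("192.168.50.21", "00155d0a1b2c"),
    ("192.168.50.22", "31302e3235332e302e313000"),
    ("192.168.50.23", b"192.168.50.23\x00".hex()),
    ("192.168.50.24", b"vlan-voice".hex()),
]

if __name__ == "__main__":
    kinds, findings = audit_leases(SAMPLE_LEASES, SAMPLE_SCOPE)
    print(dict(kinds))
    for row in findings:
        print(*row, sep="  ")
```
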
  • Might be a bit late to reply on this but we're experiencing the same issue and it's caused by Kaspersky in our environment.  KES10 to be exact.  A quick google search will get you more info or log a case with Kaspersky.

    Hope that helps someone.

    • Proposed as answer by Olwen Davies Tuesday, April 14, 2015 3:00 AM
    Wednesday, April 1, 2015 2:02 AM
  • http://forum.kaspersky.com/lofiversion/index.php/t290389.html

    Tuesday, April 14, 2015 3:00 AM
  • In my case, it started when we enabled Windows Firewall for Domain Networks on Windows 7 machines so we disabled it back and the issue with DHCP is resolved.
    • Edited by cbapora Thursday, June 9, 2016 1:45 PM
    Thursday, June 9, 2016 1:44 PM
  • Hello,

    Read this, it may help: http://camratus.com/2017/07/26/deal-with-dhcp-server-ip-exhausted/

    Regards,

    T.

    Wednesday, July 26, 2017 10:19 AM
  • Check VLAN Trunking on the DHCP Server's switchport. 

    This is exactly what mine looked like when it wasn't configured correctly.

    Tuesday, August 7, 2018 9:56 PM