DHCP - Clients do not send a Request

kabamaru

Hello everyone

I'm trying to resolve a DHCP mystery. For some reason, devices have stopped sending out a Request to the DHCP server. I can see in the logs that some clients have dropped off the network on the same day and time, and some other devices a day or two later. According to the logs, these devices last communicated with the DHCP server last week: they sent out a Discover, the server made an Offer, but the client did not respond with a Request and of course there is no ACK.
Nothing has been changed on the server config side. Port 67 is listening, and I restarted the DHCP service with no luck. The clients are a few workstations and network switches. I sorted the workstations by manually entering the IP info, but on the network switches the IP info was already manually entered when they were set up.

I'm planning to also reboot the server, but is there a particular reason you are aware of that can cause this problem?

Many thanks
 


If I read your post correctly, you have two different kinds of devices (workstations and network switches) and over a period of several days, both types stopped getting IP addresses from your DHCP server.

Can we assume that the workstations and switches are running different software? They aren't all running the same version of Linux, for example?

Without jumping to any conclusions, there is a possibility that something malicious could be propagating in your network. Hopefully not, but I would not rule it out.
-> I would be wary of doing anything that could make things worse or spread malware elsewhere.

Create a throwaway DHCP client and connect it to the network. Does it get an IP address from the DHCP server? Something like a live boot USB Linux installer may be good enough. (Unmount any "real" drives before connecting it to the network.)

Can you test the affected devices on a separate throwaway DHCP testbed? Create a new DHCP server on an isolated network. The network can be a single wire Ethernet cable. See if one of your workstations or switches can obtain an IP address from it. If not, I would start with that. Remember to wipe the DHCP server when you're done!

I would start with those basic troubleshooting steps to see whether the problem is in the DHCP server, the network devices, or both. Your problem is unlikely to be caused by malware, but you must treat it that way until you know otherwise.
 
Hi Sphen

Thank you for your reply. I'm glad to report that this was not related to malware. It was a routing issue on the DHCP server; a simple ping from the DHCP server pointed me in the right direction. I could see in the logs that the communication between DHCP and these particular clients was going through a GW that the DHCP server did not have a route for, so adding the route on the server resolved the mystery.
While trying to resolve this issue, I noticed that the affected workstations had two network cards (different VLANs) that were both set to DHCP. As far as I'm aware, this is not recommended, so I've changed one of them to static, so that both network cards pick up the correct DHCP information.

All the best.
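
The symptom in this thread (Discover and Offer logged, no Request or ACK) can be grouped by the relay or gateway each exchange came through, which is the detail that pointed to the missing route. The following is an added example, not code from any poster: it assumes ISC dhcpd style log lines, the sample log is constructed, and the name `stalled_by_relay` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log, assumed to follow ISC dhcpd message wording.
SAMPLE_LOG = """\
Jan 09 10:00:01 srv dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via 10.10.20.1
Jan 09 10:00:02 srv dhcpd: DHCPOFFER on 10.10.20.50 to 00:11:22:33:44:01 via 10.10.20.1
Jan 09 10:00:06 srv dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via 10.10.20.1
Jan 09 10:00:07 srv dhcpd: DHCPOFFER on 10.10.20.50 to 00:11:22:33:44:01 via 10.10.20.1
Jan 09 10:01:00 srv dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via eth0
Jan 09 10:01:01 srv dhcpd: DHCPOFFER on 10.10.10.60 to 00:11:22:33:44:02 via eth0
Jan 09 10:01:01 srv dhcpd: DHCPREQUEST for 10.10.10.60 (10.10.10.5) from 00:11:22:33:44:02 via eth0
Jan 09 10:01:01 srv dhcpd: DHCPACK on 10.10.10.60 to 00:11:22:33:44:02 via eth0
Jan 09 10:02:00 srv dhcpd: DHCPDISCOVER from 00:11:22:33:44:03 via 10.10.20.1
Jan 09 10:02:01 srv dhcpd: DHCPOFFER on 10.10.20.51 to 00:11:22:33:44:03 via 10.10.20.1
"""

# Message type, client MAC, and the interface or relay address after "via".
EVENT = re.compile(
    r"(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)\b.*?"
    r"\b(?:from|to) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*?\bvia (\S+)",
    re.IGNORECASE,
)

def stalled_by_relay(log_text):
    """Return {relay_or_interface: {mac: offers sent since the last Request/ACK}}."""
    unanswered = {}  # mac -> [unanswered offer count, relay/interface of last offer]
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        msg, mac, via = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if msg == "DHCPOFFER":
            entry = unanswered.setdefault(mac, [0, via])
            entry[0] += 1
            entry[1] = via
        elif msg in ("DHCPREQUEST", "DHCPACK"):
            # The client answered, so earlier offers are no longer outstanding.
            unanswered.pop(mac, None)
    grouped = defaultdict(dict)
    for mac, (count, via) in unanswered.items():
        grouped[via][mac] = count
    return dict(grouped)

if __name__ == "__main__":
    for via, clients in stalled_by_relay(SAMPLE_LOG).items():
        print(f"via {via}: {len(clients)} client(s) never answered an Offer: {clients}")
```

When every stalled client shares one relay address while directly attached clients complete the exchange, checking the server's route to that address is a quick next step.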
 

