[ previous ] [ next ] [ threads ]
 
 From:  =?iso-8859-1?Q?S=F8ren_Vanggaard_Jensen?= <svanggaard at hotmail dot com>
 To:  "'Anders Hagman'" <anders dot hagman at netplex dot se>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] DHCPDECLINE
 Date:  Thu, 26 Mar 2009 21:12:32 +0100
But the client does  not get any arp reply. I cannot ping or otherwise
contact the declined address.

The Vista client will retry to get an address -  a new IP is offered. This
sequence keeps looping for 100 different IP/DHCP offers. 



-----Original Message-----
From: Anders Hagman [mailto:anders dot hagman at netplex dot se] 
Sent: 26. marts 2009 09:30
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] DHCPDECLINE

Hi

The only thing I found was a device stealing the address.


> Hi,
>  
> I REALLY need your help with this one....
>  
> I have a wireless network. All accesspoints are sitting behind 
> monowall
> (net5501 + embedded image). Most clients connect without problems. 
> However, a few VISTA clients are unable to obtain an IP address vis
monowall DHCP.
>  
> If the VISTA machine is left connected, chances are, that the client 
> will
> (temporarily) get an IP address after a day or two.  This is of course 
> unacceptable. The problem only affects some VISTA machines.
>  
> I've tried just about everything - including VISTA registry fixes, 
> disabling IPv6, adding broadcast flag to dhcpd.conf etc. etc.
>   
> Below I've pasted a wireshark capture taken on one of the affected
machines.
> For no apparent reason the VISTA Home Premium (SP1) declines the address.
> This loop continues endlessly. Please, Please, Please take a look at 
> the below trace and let me know i you have any ideas regarding solving 
> this problem.
> 
> Monowall is at 10.0.10.1 (mac 00:00:24:cb:1f:9e) Client has mac 
> 00:15:af:30:bc:95
> 
> BR

> 
> 
> No.     Time            Source                Destination
Protocol
> Info
>      13 15:31:11.982579 0.0.0.0               255.255.255.255       DHCP
> DHCP Discover - Transaction ID 0x1df18178
>  
> Frame 13 (342 bytes on wire, 342 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) 
> Bootstrap Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      14 15:31:12.025251 Olicom_cb:1f:9e       Broadcast             ARP
> Who has 10.0.10.157?  Tell 10.0.10.1
>  
> Frame 14 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      15 15:31:12.046721 10.0.10.1             255.255.255.255       DHCP
> DHCP Offer    - Transaction ID 0x1df18178
>  
> Frame 15 (342 bytes on wire, 342 bytes captured) Ethernet II, Src: 
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68) 
> Bootstrap Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      16 15:31:12.047595 0.0.0.0               255.255.255.255       DHCP
> DHCP Request  - Transaction ID 0x1df18178
>  
> Frame 16 (350 bytes on wire, 350 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) 
> Bootstrap Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      17 15:31:12.098901 10.0.10.1             255.255.255.255       DHCP
> DHCP ACK      - Transaction ID 0x1df18178
>  
> Frame 17 (342 bytes on wire, 342 bytes captured) Ethernet II, Src: 
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68) 
> Bootstrap Protocol
>  

Now the PC has the address 10.0.10.157 but should test the address with a
gratuitous ARP to assure that the address isn't used. It does not, it starts
to  use the address for IGMP, LLMNR and DNS.

> No.     Time            Source                Destination
Protocol
> Info
>      18 15:31:12.126594 10.0.10.157           224.0.0.252           IGMP
> V2 Membership Report
>  
> Frame 18 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      19 15:31:12.127938 10.0.10.157           224.0.0.252           UDP
> Source port: 58869  Destination port: 5355
>  
> Frame 19 (66 bytes on wire, 66 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> User Datagram Protocol, Src Port: 58869 (58869), Dst Port: 5355 (5355) 
> Data (24 bytes)
>  
> 0000  38 cc 00 00 00 01 00 00 00 00 00 00 06 70 6f 75   8............pou
> 0010  6c 50 43 00 00 ff 00 01                           lPC.....
>  
> No.     Time            Source                Destination
Protocol
> Info
>      20 15:31:12.170162 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 20 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 
> 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      21 15:31:12.181241 10.0.10.157           10.0.10.255           NBNS
> Registration NB POULPC<00>
>  
> Frame 21 (110 bytes on wire, 110 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 10.0.10.255
> (10.0.10.255)
> User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: 
> netbios-ns
> (137)
> NetBIOS Name Service
>  
> No.     Time            Source                Destination
Protocol
> Info
>      22 15:31:12.208508 10.0.10.157           10.0.10.1             DNS
> Standard query A isatap.bogenseferiepark.local
>  
> Frame 22 (89 bytes on wire, 89 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 10.0.10.1
> (10.0.10.1)
> User Datagram Protocol, Src Port: 54173 (54173), Dst Port: domain (53) 
> Domain Name System (query)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      23 15:31:12.228246 10.0.10.157           224.0.0.252           UDP
> Source port: 58869  Destination port: 5355
>  
> Frame 23 (66 bytes on wire, 66 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> User Datagram Protocol, Src Port: 58869 (58869), Dst Port: 5355 (5355) 
> Data (24 bytes)
>  
> 0000  38 cc 00 00 00 01 00 00 00 00 00 00 06 70 6f 75   8............pou
> 0010  6c 50 43 00 00 ff 00 01                           lPC.....
>  
> No.     Time            Source                Destination
Protocol
> Info
>      24 15:31:12.233147 Olicom_cb:1f:9e       Broadcast             ARP
> Who has 10.0.10.157?  Tell 10.0.10.1
>  
> Frame 24 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      25 15:31:12.233166 Azurewav_30:bc:95     Olicom_cb:1f:9e       ARP
> 10.0.10.157 is at 00:15:af:30:bc:95
>  
> Frame 25 (42 bytes on wire, 42 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e)
> Address Resolution Protocol (reply)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      26 15:31:12.258990 10.0.10.1             10.0.10.157           DNS
> Standard query response, No such name
>  
> Frame 26 (89 bytes on wire, 89 bytes captured) Ethernet II, Src: 
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst:
> Azurewav_30:bc:95 (00:15:af:30:bc:95)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 10.0.10.157
> (10.0.10.157)
> User Datagram Protocol, Src Port: domain (53), Dst Port: 54173 (54173) 
> Domain Name System (response)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      27 15:31:12.287608 10.0.10.157           224.0.0.2             IGMP
> V2 Leave Group
>  
> Frame 27 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:02 (01:00:5e:00:00:02)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.2
> (224.0.0.2)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      28 15:31:12.289184 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 28 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 
> 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      29 15:31:12.321030 10.0.10.157           224.0.0.2             IGMP
> V2 Leave Group
>  
> Frame 29 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:02 (01:00:5e:00:00:02)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.2
> (224.0.0.2)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      30 15:31:12.322368 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 30 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 
> 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      31 15:31:12.326139 10.0.1.2              239.255.255.250       IGMP
> V2 Membership Query
>  
> Frame 31 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> Draytek_f0:17:c5 (00:50:7f:f0:17:c5), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      32 15:31:12.359793 10.0.1.2              239.255.255.250       IGMP
> V2 Membership Query
>  
> Frame 32 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> Draytek_f0:17:c5 (00:50:7f:f0:17:c5), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  

Now the Gratuitous ARP comes. Just one.

> No.     Time            Source                Destination
Protocol
> Info
>      33 15:31:12.480069 Azurewav_30:bc:95     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 33 (42 bytes on wire, 42 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      34 15:31:12.480210 10.0.10.157           224.0.0.252           IGMP
> V2 Membership Report
>  
> Frame 34 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination
Protocol
> Info
>      35 15:31:12.480245 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 35 (46 bytes on wire, 46 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 
> 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  

Heres 9 Gratuitous ARP from bc:95:81:00:00:0f for the same IP address
10.0.10.157. Who is  this? Does this device run DHCP? The OUI bc:95:81 is
not valid.

> No.     Time            Source                Destination
Protocol
> Info
>      36 15:31:12.525878 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 36 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      37 15:31:12.533467 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 37 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      38 15:31:12.537248 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 38 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      39 15:31:12.539246 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 39 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      40 15:31:12.541225 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 40 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      41 15:31:12.543854 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 41 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      42 15:31:12.545738 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 42 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      43 15:31:12.547597 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 43 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination
Protocol
> Info
>      44 15:31:12.549569 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 44 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 
> bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
> 

The first PC gives up and sends a decline.

> No.     Time            Source                Destination
Protocol
> Info
>      45 15:31:12.621206 0.0.0.0               255.255.255.255       DHCP
> DHCP Decline  - Transaction ID 0x1df18178
>  
> Frame 45 (342 bytes on wire, 342 bytes captured) Ethernet II, Src: 
> Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) 
> Bootstrap Protocol
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
> 

Look at the bc:95:81:00:00:0f-box.

BR
/Anders


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch