DHCPNACK - Client seems to be requesting

Posted on 2011-09-20
Last Modified: 2012-05-12
Before I begin, I didn't set up any of the network in our system. I would have configured things very differently.

That being said, we have several VLANs, and two Win2008 DHCP servers assigning from different pools on each subnet. The DHCP servers are on a different subnet from most of the clients. The router forwards the DHCP requests to the servers' subnet/VLAN. I suppose the requests are acknowledged by whichever server sees them first.

Anyhow, while I realize that this setup is not ideal, it's been working fine until today, when clients on one VLAN began not getting IP addresses.

On one PC, the system log shows a DHCP error timestamped every second. The message is:

The IP address lease for the Network Card with network address 001EC9... has been denied by the DHCP server (The DHCP Server sent a DHCPNACK message).

The message seems to alternate between the two servers' addresses.

I do not see anything DHCP-related in the event logs on the servers. The workstation's MAC does not appear in the leases on either server. My current workaround has been to assign a static address to any PC that's not getting an address. I've rebooted both servers this morning. In at least one case, a PC had a valid IP address, then lost it after coming back from sleep mode.

The servers run DHCP for 20 VLANs and only one is having this issue. No configurations have changed. I'm stumped.
Question by:LSDIT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 18

Expert Comment

ID: 36572658
My first question is whether any hosts on that segment are getting an IP address.  I suspect the error message you're getting is not really telling you the PC is requesting, but that it's not getting an address, so it can only identify itself as

The architecture you're describing is not unusual, and there's nothing wrong with it, as long as the requests are properly forwarded to the DHCP servers. If no PCs on that segment are getting addresses, I would take a look at the switch or router that segment is connected to and make sure it's still set up to forward DHCP requests. It sounds like you're confident of the DHCP server, so my guess is something has changed on the network side.  In the Cisco world, DHCP relary is done with the "ip helper-address x.x.x.x" command.  Make sure those DHCP relays are being sent out, use Wireshark on a laptop to sniff traffic if necessary, or debug on the router or switch.  Make sure there's still a VLAN interface with an assigned address, that's how the DHCP server will know what pool to hand out an address from, and make sure the router has reachability to the DHCP servers.

I'll see if there's anything else I can think of....
LVL 21

Expert Comment

ID: 36573208
Make sure the servers don't think all of the addresses are leased and there are still some left in the pool. I would think there would be events to that effect on the servers if they were out of address though.

Check for an unauthorized DHCP server on that VLAN that may be causing a problem.

Author Comment

ID: 36573545
I guess what I didn't mention about the network architecture is that we have some VLANs with fewer than five PCs.

First off, I knew that the DHCP requests were being forwarded to the servers, because in the event log errors, it lists the servers' IP addresses. If the requests were timing out or not finding a server, that wouldn't have happened. But I did double-check to verify that the VLAN interface's ip helper-address config hadn't gotten changed somehow.

No PCs on that segment seem to be getting IPs. During my testing, to rule out topology issues, I took a new laptop, connected it to a port on the switch at my desk, set it to VLAN 31 (the vlan in question) and same problem. No IP, and event log errors every second. Changing the switchport to any other VLAN works fine.

The lease pools are not exhausted, that was one of the first things I checked.

I'm not certain that there's not a rogue DHCP server, but the last time I had an issue with that, it was just that clients would sometimes get a 192.168 address instead of a 10.1 address, which obviously wouldn't work. In that case, someone had connected a home router to the network, which I remotely disabled. (Thankfully, someone who would do that is also not savvy enough to change default passwords.)

I guess my next experiment will involve wireshark. I'm not real sure what I'm looking for though.
Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.


Author Comment

ID: 36574131
Ok, Wireshark.

Looks like the server gets a 348-DHCP Discover from and replies with a 348-DHCP Offer. But then it immediately gets another 348 from followed by another 344. Then come two back-to-back 373-DHCP requests from 31 and 35, respectively.

No idea where this 35 is coming from. And I never see an ACK or a NACK.

Author Comment

ID: 36574240
Ok, now I'm seeing another transaction, this one has NAK packets.

The following is from one transaction:

Source		Dest		Protocol	Length	Info
------------------------------------------------------------------------	DHCP		342	DHCP Discover	DHCP		344	DHCP Offer	DHCP		342	DHCP Discover	DHCP		344	DHCP Offer	DHCP		372	DHCP Request	DHCP		342	DHCP NAK	DHCP		372	DHCP Request	DHCP		342	DHCP NAK

Open in new window


Expert Comment

ID: 36574371
run wireshark on client. check the MAC addresses in log to verify that your PC and router on that VLAN are the only two devices exchanging DHCP messages.

Author Comment

ID: 36574604
No, the replies on the 31 and 35 VLANs are coming from different MACs. I'm trying to figure out what switches those are.

Author Comment

ID: 36574681
Oh... They correspond to the virtual interfaces on the main layer-3 switch, vlan31 and vlan35.

Accepted Solution

Dusan_Bajic earned 500 total points
ID: 36575038
Well you you have something incorrectly on L2 level, your PC shouldn't be able to see both of them in any case.

Author Comment

ID: 36575303
Yes, I realize that. Also, when running wireshark on the client while on vlan 35, I received a packet that was broadcast to vlan 31.

What would happen if someone connected a cable between a vlan31 port and a vlan 35 port. Could it cause behavior like this?

Expert Comment

ID: 36575420
Yes, it could.

Author Comment

ID: 36575880
Got it! That was it!

There was an old cable hanging from the ceiling near a network jack that was patched and set to vlan 35. I think the old cable ran back to an old switch on what is now vlan 31. Some joker plugged it in and has had me racking my brain for two days.

Thanks everyone for the help!

Author Closing Comment

ID: 36575894
Thanks! Got me pointed in the right direction!
LVL 44

Expert Comment

ID: 36577755
For future use, you might want to install the portable version of wireshark on a USB stick, then you can run it from any windows machine without having to install/uninstall it... just plug the stick in a USB port and use Start->Run... it takes slightly longer to start, but in my opinion it's still better than installing and uninstalling programs unnecessarily on windows machines (or worse yet, installing it and leaving it there for users to play with). The portable version only comes in 32-bit, but about the only thing I've noticed being slightly faster with the 64-bit version is changing view filters on capture files.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question