• Status: Solved

Sonicwall TZ100 alert

Hi,

I keep on getting this message but no idea where it comes from. My DHCP range is ok, no problems with that at all.

Time      ID      Category      Priority      Source      Destination      IP Protocol      Notes      Message
02/24/2014 15:16:00      1311      Network      Alert      68, X0      67                  DHCP Server: Resources of this pool ran out. Client Info: cid type : cid value : subnet are 1:0x24ab8164d52f:192.168.1.0

Please advise.
J.
Asked:
janhoedt
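Added example (not part of the original thread): a parser for the alert quoted above that extracts the client identifier, so the device being refused can be looked up in the firewall's lease table. It assumes cid type 1 means an Ethernet MAC; every log line except the first, the `RESERVED` list and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the alert text from the post; the columns between the timestamp and
# the message (ID, category, ports) are skipped.
ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}).*"
    r"Resources of this pool ran out\. Client Info: .*? are "
    r"(?P<ctype>\d+):0x(?P<cid>[0-9a-fA-F]+):(?P<subnet>\d+(?:\.\d+){3})\s*$"
)

def parse_alert(line):
    """Return (timestamp, client_id, subnet), or None for any other log line."""
    m = ALERT.match(line)
    if not m:
        return None
    cid = m["cid"].lower()
    # Assumption: cid type 1 with 12 hex digits is an Ethernet MAC address.
    if m["ctype"] == "1" and len(cid) == 12:
        cid = ":".join(cid[i:i + 2] for i in range(0, 12, 2))
    return m["ts"], cid, m["subnet"]

def refused_clients(lines):
    """Count refusals per (subnet, client) across a log export."""
    hits = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            hits[(parsed[2], parsed[1])] += 1
    return hits

def without_reservation(hits, reserved_macs):
    """Refused clients that have no static DHCP entry, most frequent first."""
    reserved = {mac.lower() for mac in reserved_macs}
    return [(cid, n) for (_, cid), n in hits.most_common() if cid not in reserved]

COLS = "      1311      Network      Alert      68, X0      67                  "
MSG = ("DHCP Server: Resources of this pool ran out. "
       "Client Info: cid type : cid value : subnet are ")
SAMPLE = [
    "02/24/2014 15:16:00" + COLS + MSG + "1:0x24ab8164d52f:192.168.1.0",  # from the post
    "02/24/2014 15:16:30" + COLS + MSG + "1:0x24ab8164d52f:192.168.1.0",  # constructed
    "02/24/2014 15:17:10" + COLS + MSG + "1:0x020000000001:192.168.1.0",  # constructed
    "02/24/2014 15:18:00      0      Network      Info      constructed unrelated line",
]
RESERVED = ["02:00:00:00:00:01"]  # constructed static-lease list
```

One identifier repeated many times points at a single device retrying; many different identifiers in a short window point at address churn in the dynamic pool.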
 
Mandeep Khalsa Commented:
What is the subnet for your DHCP range? What is the DHCP lease time? This error sounds like it exhausted the total number of available IP addresses to give out. Please verify that the number of active clients does not exceed the number allowed via DHCP.
 
janhoedt (Author) Commented:
Only 16 IPs are handed out in 192.168 range. Where can I limit the allowed IPs? Didn't set that option.
 
Mandeep Khalsa Commented:
First you have to set the subnet mask properly. Based on the IP address you have on the network, go to http://www.subnet-calculator.com/ and figure out the subnet mask you should go with to give enough IP addresses out. If subnet is ending in .240 then it will only give out 14 usable IPs, one of which will go to your Sonicwall.

Once you have the correct scheme in place then go under Network - DHCP Server and make sure the settings are correct. You can increase or decrease the number of IP's given out on this page.
 
janhoedt (Author) Commented:
My DHCP settings are correct: scope is 192.168.1.234-240. Though static assignments are on 192.168.1.0 to 233.
 
Mandeep Khalsa Commented:
If your DHCP scope is 1.234 to 1.240, that is only 6 IP addresses you are giving to clients, meaning at any given time only 6 devices can be connected to your DHCP range. Is this what you want?

Apparently, based on the error you are getting and the scope, you have more devices asking for DHCP leases than you are giving out.
 
janhoedt (Author) Commented:
I want only 4 DHCP ip's to be used dynamically, the rest statically. Therefore I assign 192.168.1.234 to 240 dynamic ip pool, the rest static. That's my goal.
Nowhere I can see to limit the number of ip addresses.
 
masnrock Commented:
You're only allowing 6 addresses to be given out dynamically, but how many devices are attempting to get addresses that way? That's what you need to review. If the answer to that is more than 6, there's your problem.

When you say static, do you mean as in specific machines being assigned the same address every time they connect OR do you mean the machines having static IP addresses and therefore not using DHCP at all?
 
janhoedt (Author) Commented:
I want only 4 DHCP ip's to be used dynamically, the rest statically. Statically via DHCP. F.e. iPhone, iPad get IP via DHCP but static/predefined IP. Underneath .234 (so 192.168.1.0 to 234) no dynamic IPs should be distributed. If I distribute 234 to 240 via DHCP and I assign IPs, f.e. 192.168.1.77 to my iPhone, why does the DHCP resource run out? I have never defined or restricted only 6 IPs via DHCP. I have defined 234 to 240 and some other static leases.
 
janhoedt (Author) Commented:
6 dhcp dynamically I meant.
 
janhoedt (Author) Commented:
I don't see how 234 to 240 would restrict me 6 ip leases. Yes, 6 dynamic IPs, but they are in no way related to the static leases I distribute.
 
Mandeep Khalsa Commented:
I don't understand the logic behind why you are doing things the way you are. The purpose of DHCP is to assign IP addresses so you don't have to keep track of who has which one. As people and their devices come and go, the IP's are automatically reassigned.

In an environment where servers and other important items like those are listed you either want to give those devices preference by assigning static IP's or create reservations.

In your case you are assuming that only 6 devices (maximum) on your network will be requesting DHCP at any given time.

Once those 6 devices connect, the next ones to try will not get an IP address. Also if your lease time is say 8 hours, those IP's that were previously assigned will not get reassigned until that time period has expired.

I have never seen an environment where DHCP is so restrictive but then again I am not in your shoes. So whatever your logic is behind it, the bottom line is 6 IP's will run out pretty fast and you will continue to get those messages.
 
janhoedt (Author) Commented:
It's my lab environment. There are no DHCPs unless visitors. 234 to 240 has full internet access, that was the idea.
 
skullnobrains Commented:
"I don't see how 234 to 240 would restrict me 6 ip leases. Yes, 6 dynamic IPs, but they are in no way related to the static leases I distribute."

this is probably true on the sonicwall but many dhcp servers will not differentiate between static and dynamic range: you would define a range and setup static ips in that range which is the reason for the misunderstanding

---

now back to your problem : how long is your lease time ?
if the lease time is a week and you had 6 visitors on monday morning with a mobile phone or whatever device in their pockets, you blocked the 6 addresses for a week even if each of them only stayed for 10 seconds and they did not come at the same time.

it is possible that operations still run fine because the sonicwall might decide to reuse the addresses after a certain inactivity period regardless of the lease time. in that case you'd end up with something that works although it is misconfigured, and with the above error messages

---

like @khalsa, i hardly understand the goal of such a restriction but if you actually want this, you need to setup the lease time to a VERY short period (1-5 mn tops)


---------

@khalsa

"The purpose of DHCP is to assign IP addresses so you don't have to keep track of who has which one."

not quite. the main goals of dhcp are to centralise ip management and to allow for dynamic configuration of devices that are not always on the same network.

this does not mean that you would not want for example to apply specific ACLs or NAT rules to specific devices on the network segment you manage. the simplest way to do so is by assigning fixed addresses to them
 
janhoedt (Author) Commented:
Thanks. It's a home lab. There are no extra visitors besides my iPhone, iPad. I assign predefined IP addresses to them via DHCP. My home lab servers are on fix ip/no dhcp. All devices have strict/limited Internet access. iPad/iPhone have http/https only, other devices predefined (like smtp). DHCP addresses are only for VMs I create like appliances which need an initial IP to configure. I don't want them to have Internet access, so I set the DHCP scope 192.168.1.x to X as object in Sonicwall and grant no access. What's so not understandable about that? I don't get that. Sonicwall (yes, others like Windows are different) lets you create a dynamic scope and a static scope only. I only want the dynamic scope to assign addresses which cannot access Internet, so there's my dynamic scope. Other IPs are predefined so static DHCP.
 
masnrock Commented:
Something is either misconfigured or there is missing info. Flush out the dhcp leases, and connect all of the machines that are not supposed to use dhcp. Do not connect anything else to the network. Check at that point if your dhcp range is getting taken up.

How exactly did you set up your static assignments? It sounds like you might have done that wrong. Please provide a screenshot.
 
skullnobrains Commented:
"DHCP addresses are only for VMs I create like appliances which need an initial IP to configure. I don't want them to have Internet access, so I set the DHCP scope 192.168.1.x to X as object in Sonicwall and grant no access. What's so not understandable about that? I don't get that."

nothing. what i don't understand is the point of creating such a tiny range (i'd assume you have ips to spare)

what i said above about visitors and lease durations is also true if you call them vms.

i'm assuming you are on a trusted wired network with no accidental external access

you are the one who used the term visitors "There are no DHCPs unless visitors. 234 to 240 has full internet access, that was the idea."
i'd assume you meant "no internet access"

would you mind answering to the question we asked regarding the lease duration ?


"Sonicwall (yes, others like Windows are different) lets you create a dynamic scope and a static scope only. I only want the dynamic scope to assign addresses which cannot access Internet, so there's my dynamic scope. Other IPs are predefined so static DHCP."

no problem with that, i was just clarifying the misunderstanding you had with @masnrock.

for the record, i was not referring to windows ( and i'm most definitely NOT a windows user ) but rather to a whole bunch of dhcp servers including ISC's dhcpd. actually that mode of operation is pretty much the one suggested by the RFC

in isc you would usually create an acl that denies access to everybody and assign it to a range. as far as i know/guess sonicwall actually runs dhcpd on a hacked freebsd and does exactly that.
 
skullnobrains Commented:
note that when you virtualise, some virtualisation software will use random mac addresses so each time you boot the machine, you eat up an address for the defined lease duration time
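
Added example (not part of the original thread): a small lease-table simulation of the two effects described in the comments above, a long lease time holding addresses after devices have left and a VM presenting a new MAC on every boot. The pool size of 6 is the figure used in the thread; the request timelines, client names and the assumption that clients never send DHCPRELEASE are constructed.

```python
def simulate(requests, pool_size, lease_seconds):
    """Replay (time, client_id) DHCP requests against a dynamic pool.

    Returns the requests refused because every address was still leased,
    i.e. the moments a "pool ran out" alert would be logged.
    Assumption: clients leave without sending DHCPRELEASE, so an address
    only comes back when its lease expires.
    """
    leases = {}      # client_id -> lease expiry time
    refused = []
    for now, client in sorted(requests):
        # Expired leases return their address to the pool.
        leases = {c: exp for c, exp in leases.items() if exp > now}
        if client in leases or len(leases) < pool_size:
            leases[client] = now + lease_seconds   # new lease or renewal
        else:
            refused.append((now, client))
    return refused

POOL = 6                      # dynamic addresses, as counted in the thread
HOUR, DAY = 3600, 86400

# Constructed scenario 1: six visitors on Monday morning, ten minutes apart,
# each seen once; a seventh device asks two days later.
visitors = [(i * 600, f"visitor-{i}") for i in range(6)] + [(2 * DAY, "late-device")]

# Constructed scenario 2: one VM rebooted hourly, with a new MAC on each boot.
vm_boots = [(i * HOUR, f"vm-mac-{i}") for i in range(10)]

def refusals(requests, lease_seconds):
    """Number of refused requests for a given lease duration."""
    return len(simulate(requests, POOL, lease_seconds))

if __name__ == "__main__":
    for name, reqs in (("visitors", visitors), ("vm reboots", vm_boots)):
        for lease in (7 * DAY, 8 * HOUR, 300):
            print(f"{name:10} lease={lease:>6}s refused={refusals(reqs, lease)}")
```

With a one-week lease the seventh device is refused even though none of the six visitors is still connected; with a five-minute lease neither scenario produces a refusal.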
 
masnrock Commented:
skullnobrains did raise a good point with respect to VMs and how they handle MAC addresses.

BTW - When I referred to DHCP in my last comment, I was referring to the dynamic assignments. I noticed you never mentioned whether the static addresses were indeed getting assigned correctly.
 
janhoedt (Author) Commented:
Static is ok, dynamic is ok. There is no issue, only the errors I get from Sonicwall. Don't see where they are coming from.
 
skullnobrains Commented:
look at your leases table and please answer: what is the lease duration time you configured for the dynamic pool ?
 
skullnobrains Commented:
also, even if you don't get what the problem is: make that pool bigger and the message will disappear. it may even be possible that sonicwall complains about addresses when it has less than maybe 10 addresses.
Question has a verified solution.
