Oscar
asked on
How and why does a device have a dynamic IP within the DHCP scope when it is not listed under Address Leases?
Environment:
It is a small office with a Windows 2012 R2 Standard server that is configured as a domain controller, DHCP, DNS and file and print server.
The DHCP scope is 192.168.168.2 to 192.168.168.100.
All workstations and other devices, including the DVR and VPN clients, get their IP from DHCP dynamically or have a reservation (such as the DVR); therefore I can see all devices under Address Leases in the DHCP console.
An annoying device seems to have a dynamic IP that is within the DHCP scope (192.168.168.11); however, DHCP does not show it under Address Leases.
The arp command indicates that the IP is dynamic. Advanced IP Scanner finds it, but the cells under NetBIOS group, User and Date are blank. The only cells filled in are the Manufacturer and MAC address. I looked around and I don’t see any device manufactured by NetGear, and what is more confusing is that when I run the arp command at the server it indicates that the IP type is Dynamic. So I must assume there is another DHCP server in the network, such as a router/firewall, but I use SonicWall and the DHCP service is disabled.
Can anyone help, please?
Advance-IPScanner-Result.docx
IPConfig /All shows you the DHCP server, is this your MS server?
ASKER
Thank you all; I will try to respond to you as best I can to help us all.
Alan:
It is a 'phantom' device and I would like to find it.
Harrison Fletcher:
You are right. I was confused about the arp command; I thought that when it says dynamic it meant a dynamically assigned IP. I will look into using Wireshark. Browsing to the IP, http:\\192.168.168.11, failed; I even tried ports 8000 and 8080 too.
Dirk Kotte:
I do not have any Netgear device and my router is a SonicWall. I looked in the ARP entries of the SonicWall and IP 11 is not listed there either.
Qlemo:
I now agree with you when you said "The derived manufacturer from MAC address can be confusing, as it is the network chip manufacturer, and hence only gives indirect info about the device"
I do not have any BAD-Address in my DHCP.
Therefore, I am not sure how much the Wireshark tool will help me (I have never used it), but I am going to do a site visit again to see if I can find any device that is physically connected to the network. I will update you after I find anything to share and after I use Wireshark; meanwhile, if you can think of something else, please advise. You all agree that I should not ignore this even though I don't see any harm at this time, right?
ASKER
Hello All,
Last night I went to this office to replace the UPS; I shut down the server and all workstations and devices, including the switch and firewall. After I turned on the server and workstations, the IP 192.168.168.11 had disappeared from the ARP entries and was unresponsive to the ping command.
This morning, I pinged that IP and ran the arp command from the server console; the result was the same and there is no trace of that IP any more.
To answer your question about WiFi, there is WiFi (SonicWall TZ300), which uses a different scope (172.x.x.x).
At this time, the issue has resolved itself (which is not a good thing). I will monitor the site for a while to see if it happens again. At this time I am going to close my question since there is nothing to troubleshoot.
Thank you for all your assistance and contribution on this question...
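For the monitoring mentioned above, one way to automate the comparison the thread keeps returning to (the server's ARP neighbours versus its DHCP leases), as an added example that is not part of the original posts. The function name `Find-UnleasedNeighbor`, the MAC addresses and the scope ID `192.168.168.0` are assumptions made for illustration; only the scope range and 192.168.168.11 come from the thread.

```powershell
# Added example. "Dynamic" in arp output only means the entry was learned from
# ARP traffic; this check shows which learned hosts lack a DHCP lease.
function Find-UnleasedNeighbor {
    param(
        [Parameter(Mandatory)] [object[]] $Neighbor,  # needs IPAddress, LinkLayerAddress, State
        [Parameter(Mandatory)] [object[]] $Lease,     # needs IPAddress, ClientId
        [Parameter(Mandatory)] [string] $StartRange,
        [Parameter(Mandatory)] [string] $EndRange
    )
    # Dotted quad -> unsigned integer so the range check is numeric (IPv4 only).
    $toInt = {
        param($ip)
        $bytes = ([System.Net.IPAddress]::Parse([string]$ip)).GetAddressBytes()
        [Array]::Reverse($bytes)
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $lo = & $toInt $StartRange
    $hi = & $toInt $EndRange
    $known = @{}
    foreach ($l in $Lease) { $known[[string]$l.IPAddress] = [string]$l.ClientId }

    foreach ($n in $Neighbor) {
        $ip = [string]$n.IPAddress
        $value = & $toInt $ip
        if ($value -lt $lo -or $value -gt $hi) { continue }                  # outside the scope
        if ([string]$n.State -in 'Unreachable', 'Incomplete') { continue }   # nothing answered ARP
        $mac = ([string]$n.LinkLayerAddress) -replace '[-:]', ''
        if (-not $known.ContainsKey($ip)) {
            [pscustomobject]@{ IPAddress = $ip; MAC = $mac; Finding = 'in scope, no lease or reservation' }
        }
        elseif (($known[$ip] -replace '[-:]', '') -ne $mac) {
            # ClientId is normally the MAC, but a client may send another identifier.
            [pscustomobject]@{ IPAddress = $ip; MAC = $mac; Finding = "lease held by $($known[$ip])" }
        }
    }
}

# Constructed sample input shaped like Get-NetNeighbor / Get-DhcpServerv4Lease output.
$neigh = @(
    [pscustomobject]@{ IPAddress = '192.168.168.10'; LinkLayerAddress = '02-00-00-00-00-0A'; State = 'Reachable' }
    [pscustomobject]@{ IPAddress = '192.168.168.11'; LinkLayerAddress = '02-00-00-00-00-0B'; State = 'Stale' }
    [pscustomobject]@{ IPAddress = '192.168.168.50'; LinkLayerAddress = '00-00-00-00-00-00'; State = 'Unreachable' }
)
$lease = @(
    [pscustomobject]@{ IPAddress = '192.168.168.10'; ClientId = '02-00-00-00-00-0a' }
)
# On the DHCP server itself, replace the samples with live data (scope ID assumed):
#   $neigh = Get-NetNeighbor -AddressFamily IPv4
#   $lease = @(Get-DhcpServerv4Lease -ScopeId 192.168.168.0) + @(Get-DhcpServerv4Reservation -ScopeId 192.168.168.0)
Find-UnleasedNeighbor -Neighbor $neigh -Lease $lease -StartRange 192.168.168.2 -EndRange 192.168.168.100
```

The neighbour table only holds hosts the server has recently exchanged traffic with, so a host that stays silent will not appear until something on the server talks to it.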
Lots of options provided.
If you run an IPConfig /All from the device, what does it output?
Or, is this a 'phantom' device that you want to work out what physical machine / device it is?
Alan.