bad ip address - possible DHCP/DNS?
I will preface by saying I am new to Wireshark, so what I'm seeing is a bit overwhelming which is why I'm here :) I've picked up on a few tips regarding filtering to narrow down the data as much as possible, but to be honest I'm still not quite sure what I am looking at regarding this issue and I apologize as I'm sure it's obvious.
The issue: since I've started here about two years ago, randomly (it seems, may happen twice a day or once a month) a client will not be able to connect to the Internet or any network resources, although ipconfig shows an address within the proper scope, as well as correct mask/gateway and DNS servers. I've been reserving the affected IP address in DHCP with a bogus MAC address and then release/renew on the affected computer so the computer will pick up a new address, at which point it's on its merry way. I've then tested with deleting the reservation and had another computer pick up the address and no issues, so the issue never seems to be consistent with a given IP address. Also I've noticed the MAC address is registering when I check the machine on the DHCP/DNS server and that is as much as I've confirmed. I've come across a few posts via Google but no pertinent solutions.
I'll link to the pcap file if anyone is available for assistance, I will be happy to answer any questions or obtain more information. Also if I eventually figure it out I'll be sure to post an update.
https://www.cloudshark.org/captures/37721f76e2bf
Client address: 10.29.0.38
DNS & DHCP servers: 192.168.10.28 / 192.168.11.28
In case this helps narrow it down further, I did a release/renew (either on this pcap or while monitoring another one) and noticed only DHCP Inform packets but never saw the actual DORA process. Googling on DHCP Inform packets it seems like this happens when a client needs to request additional info from the server, but again everything I'm seeing looks correct. When the issue occurs I also check for duplicate IPs but never find any, and I've also checked DHCP stats and we usually hover around 40% available addresses.
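For the release/renew observation above (only DHCP Inform seen, never the DORA exchange), the following added example, which is not part of the original thread, parses raw DHCP payloads (the UDP 67/68 payload bytes exported from a capture) and reports per client MAC which exchange is actually present. The function names, MAC addresses and sample payloads are constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Return (client MAC, message type) from a UDP 67/68 payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes long
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:    # 255 = End option
        if payload[i] == 0:                               # Pad option: no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53 and len(data) == 1:                 # option 53 = DHCP Message Type
            return mac, TYPES.get(data[0], f"UNKNOWN({data[0]})")
        i += 2 + length
    return None

def summarize(payloads):
    """Classify, per client MAC, which DHCP exchange the capture contains."""
    seen = defaultdict(set)
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    report = {}
    for mac, msgs in seen.items():
        if {"DISCOVER", "OFFER", "REQUEST", "ACK"} <= msgs:
            report[mac] = "full DORA"
        elif {"REQUEST", "ACK"} <= msgs:
            report[mac] = "renew only (REQUEST/ACK)"
        elif "INFORM" in msgs:
            report[mac] = "INFORM only, no lease negotiation"
        else:
            report[mac] = "incomplete: " + ",".join(sorted(msgs))
    return report

def build(mac, msg_type, xid=0x1234):
    """Constructed sample payload: minimal BOOTP header (op fixed at 1) plus option 53."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0) + bytes(16)
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed sample: one client completing DORA, one sending only INFORM.
SAMPLE = [build("02:00:00:00:00:01", t) for t in (1, 2, 3, 5)] + \
         [build("02:00:00:00:00:02", 8), build("02:00:00:00:00:02", 8)]
```

Calling `summarize(SAMPLE)` returns one verdict per MAC, which makes it easy to spot a client that never negotiated a lease during the capture window.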
Your description of the problem at the clients "will not be able to connect to the Internet or any network resources" is a bit vague, can you clarify that? In particular (I'm assuming Windows clients, and Win 10 at that for the PowerShell commands):
- Can the client resolve names, e.g. what does the PowerShell command Resolve-DnsName give? As a fall back you can use the legacy nslookup but IMHO that doesn't do the same thing as applications.
- If the client can't resolve names, can you see the DNS queries go out? Chase this up if this is the case.
- If the client can resolve names, are they correct?
- If the client can resolve names, can it connect to any of them? Use Test-Connection or ping to an external and internal address that's known to respond to ping.
- If the ping succeeds, try using the normal ...
My apologies. Windows clients, mix of 7 and 10 and has happened on both. When this issue occurs, they are not able to access any websites or ping, tracert, etc., inside or outside the network, only able to ping loopback so that rules out local configuration I believe. I feel like I've run nslookup and it gave the correct info, but can't remember 100%. I will make a note to run that command next time the issue occurs though and I will provide the output.
I've just realised that I missed the title of the question, what do you mean by "bad IP address"?
That's just my interpretation of the issue given my lack of knowledge at this point. Since a given client is effectively isolated from the LAN/WAN when this issue is occurring, I just call it a bad IP address and point the finger at either DHCP or DNS since I don't really know what I'm seeing. I apologize for any confusion though.