Machines get IP address but no connectivity - DNS issue?
Hi team
I hope you can help me with a problem that's beginning to cause me more and more pain over recent days.
We have an office with a subnet of 10.36.0.0 /16.
What's been happening recently is when a laptop joins the network (either LAN connected or WiFi), the device gets the correct IP assigned through DHCP, but has no network/Internet connection. I'm unable to ping the host from the Data Centre, nor can I see it in the local ARP table, although it shows up on the DHCP server.
This sounds DNS related but I can't quite put my finger on it.
Would someone be kind enough to look through the Wireshark capture at the following link and tell me if something stands out there please? The IP address of the machine in this case was 10.36.129.3.
Wireshark capture: https://www.dropbox.com/s/l3wv9yxynce...
Many thanks for your assistance.
How was the capture made? Have you tried capturing on the ethernet interface?
Interface | Dropped packets | Capture filter | Link type | Packet size limit
\Device\NPF_Loopback | 0 (0 %) | none | NULL/Loopback | 262144 bytes
Yes, that capture was created on the ethernet interface.
Can you verify with
Statistics -> Capture File Properties
The capture "Lan not connected" shows Encapsulation and Interface as Loopback.
A capture showing the full DHCP conversation would be nice.
Nope, frame.interface_name says "\Device\NPF_Loopback", and encapsulation is "NULL/Loopback".
But it does provide some interesting information though. Apply this display filter: ip.dst==10.30.0.0/16
You see NBNS packets to the network broadcast address, that is the network part of the IP address completed with all ones. This works out to be 10.36.131.255. That's not right according to your statement that it's supposed to be a /16. So there's something wrong with the address and net mask assignment to this device. DNS does not even come into play in this scenario.
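The broadcast-address reasoning in the answer above can be checked mechanically. The following is an added example, not part of the original thread: it works out which prefix lengths would make a host send directed broadcasts to an observed address and compares that with the documented subnet. It assumes the NBNS sender is the 10.36.129.3 machine named in the question; the function names are hypothetical.

```python
import ipaddress

def prefixes_for_broadcast(host, broadcast):
    """Return every prefix length for which `host` would use `broadcast`
    as its directed broadcast address (network part + all-ones host part)."""
    target = ipaddress.ip_address(broadcast)
    matches = []
    for plen in range(0, 31):  # /31 and /32 have no directed broadcast
        net = ipaddress.ip_network(f"{host}/{plen}", strict=False)
        if net.broadcast_address == target:
            matches.append(plen)
    return matches

def check_lease(host, observed_broadcast, expected_cidr):
    """Compare the mask implied by an observed broadcast with the documented subnet."""
    expected = ipaddress.ip_network(expected_cidr)
    inferred = prefixes_for_broadcast(host, observed_broadcast)
    networks = [ipaddress.ip_network(f"{host}/{p}", strict=False) for p in inferred]
    return {
        "expected_broadcast": str(expected.broadcast_address),
        "inferred_networks": [str(n) for n in networks],
        "mask_matches": (expected.prefixlen in inferred
                         and ipaddress.ip_address(host) in expected),
    }

if __name__ == "__main__":
    # Values from the thread: host address from the question, NBNS destination
    # from the answer, documented subnet from the question.
    result = check_lease("10.36.129.3", "10.36.131.255", "10.36.0.0/16")
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the thread's values the only mask that fits is a /22 (10.36.128.0/22), whereas a /16 would broadcast to 10.36.255.255, which points at the mask being handed out in the lease rather than at DNS.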
Since DHCP traffic flows over broadcast messages it is normal that clients get the IP addresses from DHCP Server.
Do you have a chance to check the connectivity step by step?
Connection to the gateway,
Connection to the proxy, if exists.
You may check routing issues?
You may check DHCP configuration to be sure about what IP configuration is sent to the client.
You may try pinging 8.8.8.8 (Google DNS) if your firewall allows.
Do you have local firewalls?
What do the outputs of tracert- or pathping-like tools show?
Do you have access to intranet sites?
Did you have a chance to check the connectivity to port 53 of the DNS server?
Kind regards Gökalp
https://www.dropbox.com/s/l4p58reod8x...
In expert information, I see LLMNR warnings. Is this something I should be concerned about?
Thank you Gökalp
There is no connectivity at all. Cannot ping anything, met with request timed out. The traceroute fails at the first hop. Local DNS server is unreachable. The strange thing is this is only affecting random users in the office.
I've checked the core switch (which acts as the gateway) and DHCP forwarders are set up correctly. The laptops/PCs with these issues do not even appear in the ARP table of the switch.
Any further advice would be very much appreciated.
Jaap, thank you for your suggestions. I will look into this.
"it shows up on the DHCP server."
Have you tried making a capture at the server end to see how this office's traffic differs from the other offices?
What IP address do you expect to get/have?
In the first trace I can only spot IPv4 and IPv6 link local addresses (169... and FE80:...) and some additional broadcasts or learning packets.
The second trace shows more or less the same. Of course we see some more 172.21.2.201 packets, but there are only packets with this 172.21.2.201 address as SRC address.
And in both traces I can't spot any DHCP traffic. Maybe you won't receive DHCP correctly.
Maybe you can take a trace while you apply ipconfig /release and ipconfig /renew, if you are allowed to do so.
Thanks Christian. Based on the traceroute in my original post, it seems as though the LAN IP (10.36.0.0 /16) isn't even being recognised on the capture. So although the machine is getting an IP address from DHCP, the Wireshark capture isn't reading the ethernet adaptor. The fact it's happening on at least 20 machines suggests it's not an issue with the PC/laptop. The ethernet cable has been connected both via dock and directly into the laptop.
I will run the two commands you suggest and report back here once done.