DHCP bad_address every 12 seconds - Scope exhausted

By pkrainman ·
We use Microsoft DHCP in our environment and this morning began to get flooded with bad_address leases. The server issued lease after lease every 12-13 seconds and they all showed bad_address in the name field of the lease table. The odd thing we noticed was that the Unique ID (MAC address) field was incomplete. Rather than 6 bytes of data, we were only seeing 4 bytes. Also noteworthy is that the last 2 bytes were the only constant:


A new unique ID was generated every 12-13 seconds. We deleted the bad_address(es) in bulk every 5 minutes to prevent scope exhaustion. Before we were able to get a sniffer connected, the pattern stopped.

I remember hearing something about Macs running IPv6 not playing well with Microsoft DHCP.

Does anyone else have any other ideas?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

event log?

by sgt_shultz In reply to DHCP bad_address every 12 ...

that is a weird one. anything in the event log on the dhcp server?

Collapse -

event log?

by sgt_shultz In reply to DHCP bad_address every 12 ...

there are a ton of articles about this at the mskb at I searched All Products using bad_address

Collapse -

event log?

by pkrainman In reply to event log?

The event log shows nothing more than the usual info of cleanup and warnings of scopes nearing exhaustion.

The mskb articles point to removing the client from the network. The problem is, with an incomplete MAC address, we don't know which client is the one. The problem is gone (for now) so the only thing I see to do now is sit in waiting with a sniffer and refresh my scope statistics every 15 minutes or so. When I see the problem present again, start a capture on all traffic to and from the DHCP server. From the capture, we should be able to find the 12-13 second pattern.

Any other thoughts?

Collapse -

Having same problem

by cec In reply to DHCP bad_address every 12 ...

Did you discover what was causing DHCP bad_address every 12 seconds - Scope exhausted? For some reason we started experiencing the same issue this morning. My Mac OSX 10.4.11 clients are getting a message that the address DHCP is issuing to them is already in use. The entry in DHCP shows bad address and an incomplete Unique ID which is not consistent. The conflicting MAC address is the same no matter what the IP address is. Even when manually configuring the address. I know it is the Mac's (and all of them), the problem starts as soon as we put them on the network and renew the dhcp address.

Collapse -

Anything new on this?

by bart.donders In reply to DHCP bad_address every 12 ...


We are encountering the same problems... Is there already a way to find the resolution to this?

Collapse -

Macs running IPv6 ..More info here...

Collapse -

My 2c

by gpott In reply to Macs running IPv6 ..More ...

Hello all,

We have just experienced this problem for the second time. Everything as reported in previous posts but our experience is that when the scope is full we start to get ip address conflicts everywhere, even reserved server addresses. Truly a scary moment.

Having experienced it a few days ago I was ready this time with wireshark and identified the machine and promptly pulled it for investigation.

I'm not entirely sure what's going on yet but the terms IPV6 and multihomed DHCP client can be mentioned.

The computer is a Vista Premium laptop with bridged LAN and wireless. IPV6 is installed. If the device is connected to the LAN via the wired port and the wireless is switched off, no problem. If the wireless is subsequently switched on, straight away I see Bad_address entries in DHCP as decribed previously.

Hope this helps someone.

Collapse -

How did you track the computer

by jnykjaer In reply to My 2c


I work in a company where we are seeing a lot of these "BAD_ADDRESS" entries in our DHCP log. I also think that it is caused by computers with bridged network adapters. I have done some tests myself to confirm this. I found out the the MAC adress on the brided adapter started with 02:, and tracking this on our core switches reveal a computer with briding enabled. I have not seen any entries untill today, and i cannot find any MAC starting with 02: - oh well, maybe this is not the pattern.

This is why i am very curious to how you tracked them down with Wireshark - what did you look for in the wireshark log? I am a bit of a novice to WireShark - maybe you could help me a little on the way.

Any help would be great appriciated.

P.S. I think we are going to disabled the Bridging feature via a GPO, but untill then, i would very much like to find the guilty pc.

Collapse -

unique ID is inverted ip address

by poulin In reply to DHCP bad_address every 12 ...

We've had the same problem. Those unique IDs are not truncated MAC addresses, they're inverted IP addresses in hex.

e.g. f121670a -> f1 21 67 0a (hex) -> 241 33 103 10 (decimal) -> (ip address).

You probably have a 10.103 subnet which is why the last 2 bytes in each ID is the same.

As for what causes this, we still don't know yet.

Collapse -

Apple Airport configuration is messing with your DHCP

by RavenTheJust In reply to DHCP bad_address every 12 ...

Ancient thread but let me quickly tell you what solved the problem for me..
I had a very similar problem - DHCP working finde, suddenly clients cannot get an IP adress anymore.. Looking into the DHCP log shows an unknown MAC with the IP is trying to get this IP verified virtually every second - which overloads the DHCP.
Solution: Block the corresponding MAC Adresses (I did it via MAC filtering/deny access/ on my WLAN AP). Poof - there you go. Worked instantly.
The problem is likely an iPhone/iPad which has a strange configuration received by the Apple Airport.
Reason: The Airport will give it's IP Adresses in the - Typical Mac behaviour though - shutting down a whole Windows Network by trying to get it's own IP configuration veryfied..

Related Discussions

Related Forums