cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17294
Views
0
Helpful
8
Replies

DHCP snooping error message

mahesh18
Level 6
Level 6

                   Hi Everyone,

I have configured DHCP snooping on switch.

Switch act as DHCP server.

IT works fine no issues when i connect any PC  ot laptop.

But on same PC  when i use to connect to VPN  it gives error in switch logs

Aug 11 09:09:29.135 MST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNO

OPING drop message because the chaddr doesn't match source mac, message type: DH

CPINFORM, chaddr: 0005.9a3c.7800, MAC sa: 100b.a9b0.5330 Aug 11 09:09:29.135 MST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNO
OPING drop message because the chaddr doesn't match source mac, message type: DH
CPINFORM, chaddr: 0005.9a3c.7800, MAC sa: 100b.a9b0.5330

sh ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  ----------

----------

10:0B:A9:B0:53:30   192.168.20.23    86160       dhcp-snooping   20    FastEther

net0/20

100b.a9b0.5330  LAPTOP  MAc address

0005.9a3c.7800  Cisco VPN Adapter MAC address

So after this message connection laptop and vpn keeps on working fine.

I check snopping stats it shows 3 packets drop.

My question is that message says source mac address does not match and  DHCP snooping will drop the packet and it increment the drop counter

by 3.But my LAPTOP is still getting IP from the DHCP.

Why my pc connection is not dropped?

Will it DROP my pc connection after DHCP lease is expired?

Thanks

MAhesh

2 Accepted Solutions

Accepted Solutions

Hi Mahesh,

That is correct.  The 192.168.20.23 address is for your wireless Ethernet adapter on your PC and the other one (10.x.x.x) is for VPN (virtual).  Notice, it says:

Description . . . . . . . . . . . : Cisco Systems VPN Adapter

As soon as you disconnect form your VPN, you will see 10.x.x.x disappear.

HTH

View solution in original post

Hi Mahesh,

As noted by Reza, yes, your NIC and the VPN adapter are indeed in different IP networks.

At this point, I am willing to blame Windows. They appear to simply send DHCP messages with inappropriately populated fields. As noted earlier, I have already seen Windows send ARP responses through inappropriate interfaces. I would not be surprised if this was a similar issue. Sadly, I have no idea what to try next. Perhaps you could try a different installation of Windows - simply a different notebook or PC, or a different version of Windows running in VirtualBox or similar - and see if the problem can be replicated. Or even try some Linux, say, Debian or Ubuntu plus vpnclient, and see if Linux wreaks the same havoc.

Sorry to bail out here but to me, this definitely feels like something rotten going on in those Windows.

Best regards,

Peter

View solution in original post

8 Replies 8

Peter Paluch
Cisco Employee
Cisco Employee

Hello Mahesh,

What you are experiencing here is quite interesting.

First of all, the DHCP Snooping performs, among others, a check whether the chaddr field (Client Hardware ADDRess) inside the DHCP message contains the same value as the destination MAC address of the frame in which this DHCP message is encapsulated. If these two addresses do not match, DHCP Snooping drops such message.

It is actually interesting to see that your DHCP Snooping captured and subsequently dropped a message that internally contained a MAC address of your software VPN adapter but was sent from your physical Ethernet adapter. Note that it is impossible for DHCP Snooping to act on VPN-tunneled packets - they are already encrypted. It is therefore very curious to see an unencrypted DHCP packet being sent through your physical Ethernet adapter, carrying the MAC address of your VPN adapter in its chaddr field.

I would personally hypothesize that this is Windows misbehaving. A year or two ago, I have seen a thread here that discussed an odd issue with a PC that had two physical NICs connected to the same network. From time to time, Windows received an ARP Request on one NIC and sent the ARP Reply on the other NIC. What you are experiencing here reminds me of that thread. I believe that for whatever reason, your Windows are sending plain (i.e. unencrypted) DHCP requests from your Ethernet NIC but they insert the MAC address of your VPN software adapter into the chaddr field of these DHCP requests. I have no idea why they are doing this.

Do you have anything special configured on your Windows that could cause this "leaking" to happen, such as Internet Connection Sharing, interface bridging, anything? Also, is it possible that both your VPN adapter and the Ethernet interface are assigned an IP address from the same IP network? This could be the cause, as in the thread I've mentioned, this was also the case - both NICs in the same IP network. By the way, the dropped message was a DHCPINFORM message, i.e. a message trying to acquire some additional DHCP-discovered settings after the adapter is already assigned an IP address. This hints again at the possibility of the Ethernet NIC and the VPN adapter having the IP address from the same IP network.

Can you please check this?

Best regards,

Peter

Hi Peter,

Thanks for reply.

My ethernet gets IP address from Local DHCP pool from 192.168.20.x

My VPN gets IP from Company Network that starts with 10.x.x.x

So this shows that they are getting IP from different networks right?

Here is IP config /all from PC

ipconfig /all

Windows IP Configuration

       Host Name . . . . . . . . . . . . : x.x.x.x

       Primary Dns Suffix . . . . . . . : x.x.x.x

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : x.x.x.x

Ethernet adapter Wireless Network Connection:

       Connection-specific DNS Suffix . :

       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205

       Physical Address. . . . . . . . . : 10-0B-A9-B0-53-30

       Dhcp Enabled. . . . . . . . . . . : Yes

       Autoconfiguration Enabled . . . . : Yes

       IP Address. . . . . . . . . . . . : 192.168.20.23

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . :

       DHCP Server . . . . . . . . . . . : 192.168.20.1

       DNS Servers . . . . . . . . . . . : 64.x.x.x

       Lease Obtained. . . . . . . . . . : Sunday, August 12, 2012 9:36:38 AM

       Lease Expires . . . . . . . . . . : Monday, August 13, 2012 9:36:38 AM

Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected

       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Con

nection

       Physical Address. . . . . . . . . : D4-BE-D9-16-71-1B

Ethernet adapter Local Area Connection 5:

       Connection-specific DNS Suffix . : x.x.com

       Description . . . . . . . . . . . : Cisco Systems VPN Adapter

       Physical Address. . . . . . . . . : 00-05-9A-3C-78-00

       Dhcp Enabled. . . . . . . . . . . : No

       IP Address. . . . . . . . . . . . : 10.x.x.x.x

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . : 10.x.x.x

       DNS Servers . . . . . . . . . . . : 10..x.x.x

                                                             10..x.x.x

Thanks for the help

Regards

MAhesh

Hi Mahesh,

That is correct.  The 192.168.20.23 address is for your wireless Ethernet adapter on your PC and the other one (10.x.x.x) is for VPN (virtual).  Notice, it says:

Description . . . . . . . . . . . : Cisco Systems VPN Adapter

As soon as you disconnect form your VPN, you will see 10.x.x.x disappear.

HTH

Hi Reza,

Thanks again for reply.

Regards

MAhesh

Hi Mahesh,

As noted by Reza, yes, your NIC and the VPN adapter are indeed in different IP networks.

At this point, I am willing to blame Windows. They appear to simply send DHCP messages with inappropriately populated fields. As noted earlier, I have already seen Windows send ARP responses through inappropriate interfaces. I would not be surprised if this was a similar issue. Sadly, I have no idea what to try next. Perhaps you could try a different installation of Windows - simply a different notebook or PC, or a different version of Windows running in VirtualBox or similar - and see if the problem can be replicated. Or even try some Linux, say, Debian or Ubuntu plus vpnclient, and see if Linux wreaks the same havoc.

Sorry to bail out here but to me, this definitely feels like something rotten going on in those Windows.

Best regards,

Peter

HI Peter,

Many thanks for explaining me in detail and  going that far on this discussion.

Its always great to read your detailed explanations in the forums

Best Regards

Mahesh

Mahesh,

I am deeply thankful for your kind words. It has been, and always will be, a pleasure assisting you.

Best regards,

Peter

Ahmed Samih
Level 1
Level 1
i'm facing the same problem and error in my organization with PCs that have VMs (Virtual Machines) on them, and I can't solve this problem to stop this error so can anyone help?
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco