08-11-2012 08:17 AM - edited 03-07-2019 08:17 AM
Hi Everyone,
I have configured DHCP snooping on the switch.
The switch acts as the DHCP server.
It works fine, no issues, when I connect any PC or laptop.
But on the same PC, when I connect to the VPN, it gives this error in the switch logs:
Aug 11 09:09:29.135 MST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPINFORM, chaddr: 0005.9a3c.7800, MAC sa: 100b.a9b0.5330
Aug 11 09:09:29.135 MST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPINFORM, chaddr: 0005.9a3c.7800, MAC sa: 100b.a9b0.5330
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
10:0B:A9:B0:53:30   192.168.20.23    86160       dhcp-snooping  20    FastEthernet0/20
100b.a9b0.5330 = laptop MAC address
0005.9a3c.7800 = Cisco VPN Adapter MAC address
So after this message, the laptop connection and the VPN keep on working fine.
I checked the snooping stats; it shows 3 packets dropped.
My question is that the message says the source MAC address does not match and DHCP snooping will drop the packet and increment the drop counter by 3. But my laptop is still getting an IP from the DHCP.
Why is my PC connection not dropped?
Will it drop my PC connection after the DHCP lease has expired?
Thanks
Mahesh
08-11-2012 12:06 PM
Hello Mahesh,
What you are experiencing here is quite interesting.
First of all, the DHCP Snooping performs, among others, a check whether the chaddr field (Client Hardware ADDRess) inside the DHCP message contains the same value as the destination MAC address of the frame in which this DHCP message is encapsulated. If these two addresses do not match, DHCP Snooping drops such message.
It is actually interesting to see that your DHCP Snooping captured and subsequently dropped a message that internally contained a MAC address of your software VPN adapter but was sent from your physical Ethernet adapter. Note that it is impossible for DHCP Snooping to act on VPN-tunneled packets - they are already encrypted. It is therefore very curious to see an unencrypted DHCP packet being sent through your physical Ethernet adapter, carrying the MAC address of your VPN adapter in its chaddr field.
I would personally hypothesize that this is Windows misbehaving. A year or two ago, I have seen a thread here that discussed an odd issue with a PC that had two physical NICs connected to the same network. From time to time, Windows received an ARP Request on one NIC and sent the ARP Reply on the other NIC. What you are experiencing here reminds me of that thread. I believe that for whatever reason, your Windows are sending plain (i.e. unencrypted) DHCP requests from your Ethernet NIC but they insert the MAC address of your VPN software adapter into the chaddr field of these DHCP requests. I have no idea why they are doing this.
Do you have anything special configured on your Windows that could cause this "leaking" to happen, such as Internet Connection Sharing, interface bridging, anything? Also, is it possible that both your VPN adapter and the Ethernet interface are assigned an IP address from the same IP network? This could be the cause, as in the thread I've mentioned, this was also the case - both NICs in the same IP network. By the way, the dropped message was a DHCPINFORM message, i.e. a message trying to acquire some additional DHCP-discovered settings after the adapter is already assigned an IP address. This hints again at the possibility of the Ethernet NIC and the VPN adapter having the IP address from the same IP network.
Can you please check this?
Best regards,
Peter
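To make the check behind the %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL message concrete, here is an added example (not from the original thread or from Cisco) in Python. It builds a constructed Ethernet/IPv4/UDP/DHCP client frame, then applies the same comparison the switch log describes: the chaddr field inside the DHCP message against the source MAC of the frame that carried it. The MAC addresses and the DHCPINFORM case are taken from the thread; the frame layout follows RFC 2131/2132, and the checksums are left at zero because the snooping check never looks at them. The `snoop_check` and `snoop_many` functions, and the decision to apply the check only to BOOTREQUEST (client-originated) messages, are assumptions of this example, modelled on what the log message reports, not a reproduction of the switch firmware.

```python
import struct

# DHCP message type option (53) values from RFC 2132 section 9.6
DHCP_MESSAGE_TYPES = {
    1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
    5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM",
}
BOOTREQUEST = 1                       # op field value for client-originated messages
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the DHCP options


def mac_bytes(text):
    """Accept 'aabb.ccdd.eeff', 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff' notation."""
    return bytes.fromhex(text.replace(".", "").replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_dhcp_frame(src_mac, chaddr, msg_type, ciaddr="0.0.0.0"):
    """Constructed Ethernet/IPv4/UDP/DHCP client frame for testing (example input only).
    IP and UDP checksums are left at zero; the snooping check never looks at them."""
    options = bytes([53, 1, msg_type, 255])              # option 53 + end marker
    bootp = struct.pack("!BBBB4sHH4s4s4s4s",
                        BOOTREQUEST, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                        ip_bytes(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += mac_bytes(chaddr).ljust(16, b"\0")          # chaddr (16 bytes)
    bootp += b"\0" * 64 + b"\0" * 128                    # sname, file
    bootp += MAGIC_COOKIE + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(ciaddr), ip_bytes("255.255.255.255")) + udp
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + b"\x08\x00" + ip


def snoop_check(frame):
    """Apply the chaddr-vs-source-MAC check to one frame.
    Returns None for non-DHCP traffic, otherwise a dict with the verdict."""
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                  # not UDP
        return None
    udp = frame[14 + ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    if dport not in (67, 68):                            # not a DHCP port
        return None
    bootp = udp[8:]
    op, hlen = bootp[0], bootp[2]
    chaddr = bootp[28:28 + min(hlen, 16)]
    # walk the options to find the message type (option 53)
    msg_type = None
    if bootp[236:240] == MAGIC_COOKIE:
        opts, i = bootp[240:], 0
        while i < len(opts) and opts[i] != 255:
            if opts[i] == 0:                             # pad option
                i += 1
                continue
            length = opts[i + 1]
            if opts[i] == 53 and length >= 1:
                msg_type = opts[i + 2]
            i += 2 + length
    result = {
        "message_type": DHCP_MESSAGE_TYPES.get(msg_type, f"UNKNOWN({msg_type})"),
        "chaddr": mac_str(chaddr),
        "src_mac": mac_str(src_mac),
    }
    # Assumption: only client requests (as seen on untrusted ports) are subject
    # to this check; server replies (op=2) are expected only from trusted ports.
    if op == BOOTREQUEST and chaddr != src_mac:
        result["verdict"] = "drop"
        result["reason"] = "chaddr doesn't match source mac"
    else:
        result["verdict"] = "forward"
    return result


def snoop_many(frames):
    """Run the check over several frames; return (forwarded, dropped) counts,
    mirroring the drop counter the thread reads from the snooping statistics."""
    forwarded = dropped = 0
    for frame in frames:
        verdict = snoop_check(frame)
        if verdict is None or verdict["verdict"] == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    laptop, vpn = "100b.a9b0.5330", "0005.9a3c.7800"   # MACs from the thread
    # A DHCPINFORM sent from the laptop NIC but carrying the VPN adapter's MAC in chaddr
    print(snoop_check(build_dhcp_frame(laptop, vpn, 8, ciaddr="192.168.20.23")))
```

Note that a dropped DHCPINFORM does not touch the existing binding: the laptop's own DISCOVER/REQUEST exchange, whose chaddr matches its NIC, still passes the check and keeps the 192.168.20.23 lease in the binding table, which is why only the drop counter moves while the connection keeps working.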
08-12-2012 10:42 AM
Hi Peter,
Thanks for the reply.
My Ethernet gets its IP address from the local DHCP pool, 192.168.20.x.
My VPN gets its IP from the company network, which starts with 10.x.x.x.
So this shows that they are getting IPs from different networks, right?
Here is ipconfig /all from the PC:
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : x.x.x.x
Primary Dns Suffix . . . . . . . : x.x.x.x
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : x.x.x.x
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : 10-0B-A9-B0-53-30
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.20.23
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 64.x.x.x
Lease Obtained. . . . . . . . . . : Sunday, August 12, 2012 9:36:38 AM
Lease Expires . . . . . . . . . . : Monday, August 13, 2012 9:36:38 AM
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : D4-BE-D9-16-71-1B
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : x.x.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.x.x.x.x
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.x.x.x
DNS Servers . . . . . . . . . . . : 10..x.x.x
10..x.x.x
Thanks for the help.
Regards
Mahesh
08-12-2012 10:58 AM
Hi Mahesh,
That is correct. The 192.168.20.23 address is for your wireless Ethernet adapter on your PC and the other one (10.x.x.x) is for VPN (virtual). Notice, it says:
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
As soon as you disconnect from your VPN, you will see 10.x.x.x disappear.
HTH
08-12-2012 01:26 PM
Hi Reza,
Thanks again for reply.
Regards
Mahesh
08-12-2012 11:40 AM
Hi Mahesh,
As noted by Reza, yes, your NIC and the VPN adapter are indeed in different IP networks.
At this point, I am willing to blame Windows. They appear to simply send DHCP messages with inappropriately populated fields. As noted earlier, I have already seen Windows send ARP responses through inappropriate interfaces. I would not be surprised if this was a similar issue. Sadly, I have no idea what to try next. Perhaps you could try a different installation of Windows - simply a different notebook or PC, or a different version of Windows running in VirtualBox or similar - and see if the problem can be replicated. Or even try some Linux, say, Debian or Ubuntu plus vpnclient, and see if Linux wreaks the same havoc.
Sorry to bail out here but to me, this definitely feels like something rotten going on in those Windows.
Best regards,
Peter
08-12-2012 01:15 PM
Hi Peter,
Many thanks for explaining it to me in detail and going that far in this discussion.
It's always great to read your detailed explanations in the forums.
Best regards
Mahesh
08-12-2012 01:37 PM
Mahesh,
I am deeply thankful for your kind words. It has been, and always will be, a pleasure assisting you.
Best regards,
Peter