[c-nsp] Windows Vista, Gratuitous ARP and DHCP conflicts

Brian Desmond brian at briandesmond.com
Thu May 31 00:07:10 EDT 2007 

How about a vbscript that the customer can d/l and run that will just iterate every interface and set the reg hack?

Thanks,
Brian Desmond
brian at briandesmond.com

c - 312.731.3132


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Kurt Bales
> Sent: Wednesday, May 30, 2007 10:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Windows Vista, Gratuitous ARP and DHCP conflicts
>
> Hello All,
>
> Just a follow up to this post. I got into work this morning and found
> this
> problem occuring in overdrive!
>
> Picture this:
>
> 1. Telnet to Router
> 2. "show ip dhcp conflict" shows 100 odd grat arp conflicts
> 3. "clear ip dhcp conflict *"
> 4. Sleep 30 seconds
> 5. "show ip dhcp conflict" shows 20 odd grat arp conflicts
> 6. WTF?
> 7. Make coffee
> 8. WTF?
>
> I've had a good morning so far. So given that I would rather solve the
> problem as opposed to just schedule a clear arp/clear conflict process
> to
> run repeatedly, and that I now had a case where it was happening "right
> now!", I decided to take some packet captures on the L2 segment and
> some
> debug from the affected IOS DHCP server.
>
> With "debug arp" and "debug ip dhcp server events" enabled, my
> debugging
> (Damn me for not saving it), showed that the OFFER was being made to
> the
> client, and immediately following it was an debug of arp for that
> offered
> address with "martian source", followed by "Offer declined" due to
> conflict.
> I was able to match this to the to the arp table entries and the
> conflict
> entries - each was added at the time of the "martian source" error
> matching
> the MAC of the client requesting the DHCP lease. In this way the
> affected
> client managed to steal my entire pool in a matter of minutes.
>
> I traced the MAC of the offender and shutdown the eth interface.
> Cleared my
> arps and conflicts.
>
> YAY! WORLD IS HAPPY!
>
> Then about 20 mins later, another host starts doing the same thing
> again.
>
> WTF!!!!
>
> So eventually, my google-fu lead me to
> http://support.microsoft.com/kb/928233. Now, at this point Id like to
> thank
> our dear friends at Microsoft for not making it a simple tickbox that
> our
> Helldesk Lackeys could walk somebody through. In fact, I cant even make
> a
> .reg, because the Key is based on the GUID of the interface, therefore
> varies depending on the PC and interface. Once again... Thankyou
> Microsoft.
>
> I have one of my more trusted lackeys attempting to talk a customer
> through
> changing that value on their interface, but no results yet.
>
> Fingers crossed!
>
> Kurt
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales
> Sent: Monday, 26 February 2007 16:17
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Windows Vista, Gratuitous ARP and DHCP conflicts
>
> Hey Guys,
>
> Has anyone else noticed an increase in "Gratuitous ARP" entries under
> "sh ip
> dhcp conflict" lately?
>
> We serve Customer addresses (for better or worse!) via DHCP in some
> network
> designs. The DHCP server is running on the local Cisco Device in the
> area
> (usually an 1811). Lately we have noticed a large number of "conflicts"
> listed with "Gratuitous ARP" as the reason. 9 times out of 10 has shown
> the
> offending machine to be a Windows Vista install.
>
> Does anyone know why this is happening, or a way we can combat against
> it?
> We are moving our network away from DHCP addressing for customers, but
> this
> is a slow process. Is there a method to alert when the number of
> conflicts
> reaches a threshold?
>
> Regards,
>
> Kurt Bales
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list