Diagnosing and Fixing Excessive DHCPINFORM/DHCPACK Traffic in CentOS DHCP Server Logs



When examining the DHCP server logs on our CentOS 5 system, we noticed an unusual pattern of repeated DHCPINFORM and DHCPACK messages flooding the logs:

Oct 26 17:22:23 General dhcpd: DHCPINFORM from 10.1.1.140 via eth0
Oct 26 17:22:23 General dhcpd: DHCPACK to 10.1.1.140 (00:16:35:07:1e:2c) via eth0
Oct 26 17:22:27 General dhcpd: DHCPINFORM from 10.1.1.147 via eth0
Oct 26 17:22:27 General dhcpd: DHCPACK to 10.1.1.147 (00:19:bb:d3:bc:e8) via eth0

DHCPINFORM messages are typically sent by clients that already have an IP address but want to verify their configuration or obtain additional parameters. The excessive traffic suggests:

  • Windows CE devices aggressively checking their network configuration
  • Potential network configuration issues causing clients to repeatedly verify their settings
  • Possible DHCP relay agent misconfiguration

From the log samples, we can see traffic coming through multiple paths:

via eth0
via 10.1.1.254
via 10.1.1.2
via 10.1.2.1

This indicates the presence of multiple DHCP relay agents forwarding requests to our server.

Here's the optimized dhcpd.conf with key changes:

# Increased lease time to reduce renewal frequency
default-lease-time 86400;
max-lease-time 172800;
authoritative;
ddns-update-style none;

# Client class for Windows CE devices
class "win-ce-clients" {
    # Compare the first 2 bytes of the vendor class with the 2-character string "CE"
    match if substring (option vendor-class-identifier, 0, 2) = "CE";
    # Adjust timers for CE devices
    option dhcp-rebinding-time 64800;
    option dhcp-renewal-time 32400;
}

option subnet-mask 255.255.255.0;
option domain-name-servers 10.1.1.3;
option domain-name "xxxinc.com";
option tftp-server-name "10.1.1.3";
option ntp-servers 17.151.16.21;

subnet 10.1.1.0 netmask 255.255.255.0 {
    option routers 10.1.1.1;
    # General range; kept clear of the pool below so no address is declared twice
    range dynamic-bootp 10.1.1.181 10.1.1.211;
    # Addresses handed out only to members of the Windows CE class
    pool {
        allow members of "win-ce-clients";
        range 10.1.1.120 10.1.1.180;
    }
}

To prevent log flooding while maintaining visibility:

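# Add to /etc/syslog.conf or equivalent (requires "log-facility local7;" in dhcpd.conf)
local7.* /var/log/dhcpd.log
local7.warning /var/log/messages
# "& ~" is rsyslog syntax (discard after the line above); leave it out under sysklogd
& ~
# Add local7.none to the existing /var/log/messages selector to keep routine entries out of it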

This configuration will:

  • Store all DHCP logs in a dedicated file
  • Only log warnings to the main messages file
  • Rely on log rotation (see the logrotate configuration at the end of this page) to prevent excessive growth

For Cisco routers acting as DHCP relay agents, ensure proper configuration:

interface Vlan1
 ip helper-address 10.1.1.3
 no ip directed-broadcast
!
interface Vlan2
 ip helper-address 10.1.1.3
 no ip directed-broadcast

Key points:

  • Use a single helper-address per interface
  • Disable directed broadcasts to prevent duplicate requests
  • Verify client-facing interfaces don't have unnecessary helpers

For Windows CE devices, registry tweaks may help:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Comm\Tcpip\Parms]
"T1"=dword:00015180
"T2"=dword:0002a300
"DHCPReqTimeout"=dword:0000000a

These settings adjust:

  • T1 (renewal time) to 86400 seconds (1 day)
  • T2 (rebinding time) to 172800 seconds (2 days)
  • DHCP request timeout to 10 seconds

Use tcpdump to verify actual network traffic:

tcpdump -i eth0 -n -vv 'port 67 or port 68'

Key things to check:

  • Frequency of DHCPINFORM packets
  • Source of duplicate requests
  • Network paths being used
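
The same three checks can also be run against the dhcpd log itself. The following is an added example, not part of the original article: it counts DHCPINFORM entries per client and per "via" path, and flags clients whose request was logged over more than one path in the same second, which points at duplicate relaying. The function name, the threshold and the sample lines (built from the log format and relay paths shown above) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dhcpd syslog format shown on this page.
SAMPLE_LOG = """\
Oct 26 17:22:23 General dhcpd: DHCPINFORM from 10.1.1.140 via eth0
Oct 26 17:22:23 General dhcpd: DHCPACK to 10.1.1.140 (00:16:35:07:1e:2c) via eth0
Oct 26 17:22:23 General dhcpd: DHCPINFORM from 10.1.1.140 via 10.1.1.254
Oct 26 17:22:27 General dhcpd: DHCPINFORM from 10.1.1.147 via eth0
Oct 26 17:22:27 General dhcpd: DHCPACK to 10.1.1.147 (00:19:bb:d3:bc:e8) via eth0
Oct 26 17:22:53 General dhcpd: DHCPINFORM from 10.1.1.140 via eth0
Oct 26 17:23:23 General dhcpd: DHCPINFORM from 10.1.1.140 via eth0
"""

# Matches only DHCPINFORM entries; the optional [pid] covers syslog variants.
INFORM = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPINFORM from (?P<ip>\S+) via (?P<via>\S+)"
)


def summarize(log_text, chatty_threshold=3):
    """Summarize DHCPINFORM frequency, sources and relay paths (hypothetical helper)."""
    per_client = Counter()        # frequency of DHCPINFORM per client IP
    per_path = Counter()          # which interface or relay delivered them
    seen_at = defaultdict(set)    # (timestamp, client) -> paths seen in that second
    for line in log_text.splitlines():
        m = INFORM.match(line)
        if not m:
            continue              # DHCPACK and unrelated lines are ignored
        per_client[m["ip"]] += 1
        per_path[m["via"]] += 1
        seen_at[(m["ts"], m["ip"])].add(m["via"])
    chatty = sorted(ip for ip, n in per_client.items() if n >= chatty_threshold)
    # Same client, same second, more than one path: the request was relayed twice.
    relayed_twice = sorted({ip for (_, ip), paths in seen_at.items() if len(paths) > 1})
    return {
        "per_client": dict(per_client),
        "per_path": dict(per_path),
        "chatty": chatty,
        "relayed_twice": relayed_twice,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on real data, pass the contents of /var/log/dhcpd.log to summarize() and set chatty_threshold to suit the time span the file covers.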

When managing a CentOS 5 DHCP server handling multiple subnets, particularly with Windows CE wireless devices, you might encounter an overwhelming flood of DHCPINFORM/DHCPACK messages like:

Oct 26 17:22:23 General dhcpd: DHCPINFORM from 10.1.1.140 via eth0
Oct 26 17:22:23 General dhcpd: DHCPACK to 10.1.1.140 (00:16:35:07:1e:2c) via eth0

The primary factors contributing to this behavior include:

  • Windows CE devices aggressively verifying network configuration
  • Potential network loops from multiple DHCP relay agents (ip helper-address)
  • Default lease time (28800s/8hrs) being too short for mobile devices

First, modify your /etc/dhcpd.conf to implement these improvements:

default-lease-time 86400; # Increase to 24h for mobile devices
max-lease-time 172800;   # 48h maximum
log-facility local7;     # Route DHCP logs to separate file

subnet 10.1.1.0 netmask 255.255.255.0 {
    option routers 10.1.1.1;
    option broadcast-address 10.1.1.255;
    option subnet-mask 255.255.255.0;
    range 10.1.1.120 10.1.1.211;
    # Additional stability parameters
    option dhcp-rebinding-time 75600;
    option dhcp-renewal-time 43200;
}

Verify your network topology for:

  1. Duplicate DHCP relay agents (ip helper-address)
  2. Broadcast domain segmentation
  3. Potential spanning-tree loops

Use tcpdump to analyze DHCP traffic patterns:

tcpdump -i eth0 -vvv -s 1500 'port 67 or port 68' -w dhcp-traffic.pcap

For Windows CE devices, consider registry modifications:

[HKEY_LOCAL_MACHINE\Comm\\Parms\TcpIp]
"DhcpQueryFrequency"=dword:00015180 ; 86400s (24h)
"DhcpRetryCount"=dword:00000003     ; Default is 5-10

Implement log rotation to prevent file bloat:

# /etc/logrotate.d/dhcpd
/var/log/dhcpd.log {
    daily
    missingok
    rotate 7
    compress
    postrotate
        # dhcpd.log is written by syslogd, so signal syslogd (not dhcpd) to reopen it
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}