Event Viewer DHCP (event ID 1003) warnings etc.

BonzaiDuck

Lifer
Jun 30, 2004
16,013
1,654
126
There have been some areas of my networking "savvy" that remain spotty.

BACKGROUND AND HISTORY
I have for six years used two internet router-switch products. I've enabled them to provide DHCP IP address assignment on my household LAN. The NAT firewall was always enabled. I have -- and continue to use -- two or more licensed software firewall-AV combo products on each computer in the LAN. The LAN is configured as peer-to-peer -- so there is no domain-server per se.

The currently deployed router-switch is a Linksys BEFSR41 v.3 model. It basically only serves as an internet gateway and DHCP server. Obviously, its speed for peer-to-peer connections would only provide 100 Mbps speeds, so the connections between household computers on the LAN are gigabit ethernet provided through some Netgear gigabit-ethernet switches. These switches are cascaded from a single LAN port on the Linksys router-switch.

On each LAN client -- remember it is peer-to-peer, I had the following setup:

Currently for this and other computers, the settings on the TCP/IP "Properties" "General" tab are: "Obtain IP address automatically" and "Obtain DNS server address automatically."

The "Advanced" "IP settings" tab shows "DHCP Enabled" with no specification of a Default Gateway, and the "Automatic Metric" checkbox is checked.

The DNS tabbed dialog shows no specification of DNS server address, but the "Append primary and connection specific DNS suffixes" radio-button is enabled with "Append parent suffixes" checkbox checked.

"DNS suffix for this connection" textbox is blank, and "Register this connection's addresses in DNS" is checked.

"WINS addresses" in that WINS tabbed dialog is blank, "Enable LMHOSTS" is checked and NetBIOS setting shows the "Default" radio button enabled.

THE ANNOYANCES

Booting any given system, or especially my "favorite" machine, the "Application" and "System" event-logs are "all-in-the-blue." After a period of time between 13 hours and a day, I will get DHCP (1003) warnings. Occasionally, I get the W32Time (ID 32) error of failing time-synchronization. There are occasional (ID 6004) invalid driver-packet error entries in the system log.

I tried following the implications of an XP Resource Kit manual suggestion that peer-to-peer configurations could turn off "register this computer in DNS" in the DNS tabbed dialog under TCP-IP Properties "Advanced". It seemed that this made the "invalid packet" messages occur quickly after reboot.

Of course, actual peer-to-peer access and internet access has never been a problem.

One more thing: QoS has now been enabled, with the 802.1p setting of my Yukon ethernet card enabled as "Yes."

I'd be interested in any helpful advice on this matter, while I continue "experimenting" as I pore over the XP Resource Kit electronic version chapters.

Thanks for your support -- BonzaiDuck
 

BonzaiDuck

CLARIFICATION:

<<two or more licensed software firewall-AV combo products on each computer in the LAN. >>

What I mean here is that there are various fully licensed products used across the LAN, but only one firewall and AV software product on any given machine. [I've never been THAT stupid -- to use two on a single machine, folks!!] :D
 

BonzaiDuck

ADDITIONAL CLARIFICATION:

More than half the machines on the LAN use Win XP Pro SP2 installations, although two machines -- one exclusively used as a file-server -- deploy Win 2000 Pro OS's with the latest service pack and windows upgrade patches.

These DHCP warnings were occurring before we began upgrading workstations to XP Pro, and they were occurring on the 2KPro systems, as I recall.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Actual error messages would be really helpful to properly t/s the problem but for a stab in the dark, HERE is what a quick Google search turned up based on your event id.
 

BonzaiDuck

I'm going through an incomplete inventory of "annoyances." In the messages, I've replaced "computer name" with [name withheld], and put a bracketed message in for IP address assignment (although we all know that routers use a common range of subnet masks beginning with "192.168. . . . ." etc.). Where my peer-to-peer workgroup name is evident, I changed it to "PEERGRUPPE". I'm just being careful, and can't be sure how unrealistic my concerns may be:
* * * THIS MAY BE BENIGN, GIVEN THE MS KB INFO AND IMMEDIATE "HELP AND SUPPORT CENTER" INDICATIONS * * *
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 36
Date: 11/19/2006
Time: 8:27:17 AM
User: N/A
Computer: [name withheld]
Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
* * *
THIS ONE SEEMS TO BE CHRONIC:
* * *
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 11/21/2006
Time: 8:07:30 AM
User: N/A
Computer: [name withheld]
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address [address withheld]. The following error occurred:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Data:
0000: 79 00 00 00 y...

* * *
THIS ONE SEEMS TO OCCUR AFTER A LONG STRING OF THE WARNINGS AS SHOWN JUST PREVIOUS :
* * *

Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1000
Date: 11/16/2006
Time: 5:17:43 PM
User: N/A
Computer: [name withheld]
Description:
Your computer has lost the lease to its IP address [within the subnets used by most router-switches with DHCP] on the Network Card with network address [address withheld].

* * *
THIS ONE OCCURS OCCASIONALLY -- SHOWING IN THE LOGS FROM A MONTH EARLIER BEFORE -- AND AFTER -- TODAY'S IMPLEMENTATION OF "802.1P 'ON'" FOR THE YUKON ETHERNET DEVICE
* * *

Event Type: Error
Event Source: EventLog
Event Category: None
Event ID: 6004
Date: 11/18/2006
Time: 9:57:15 AM
User: N/A
Computer: [name withheld]
Description:
A driver packet received from the I/O subsystem was invalid. The data is the packet.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Looks like you have some packet loss or driver problem. You should never see those DHCP messages unless multiple packets are lost/dropped, the DHCP server was too busy to process your request (possible), or something is blocking the DHCP traffic (firewall).

Make sure that all network devices are set up to auto-negotiate speed and duplex. Never force link speed or duplex unless you are certain you can force it on the other side of the link.

Either way, it looks like you have a very unhappy network and very well could have a ton of packet loss or a broadcast/packet storm. My first guess would be that you have a duplex mismatch. I wouldn't mess with 802.1p until you get this underlying problem resolved.
 

BonzaiDuck

I've known also about the possibility that firewall software can befuddle things. I configure the firewall software to accept the subnet mask range for the LAN and DHCP server. I of course appreciate the reference to the Googled link.

Here's another warning message that has not occurred too frequently in recent weeks, although once it pops up once, I find a repetition of the same message before the machine is shut down or rebooted:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 11/8/2006
Time: 4:33:46 PM
User: N/A
Computer: [name withheld]
Description:
The redirector failed to determine the connection type.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 04 00 4e 00 ......N.
0008: 00 00 00 00 cb 0b 00 80 ....Ë..?
0010: 00 00 00 00 10 00 00 c0 .......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
 

BonzaiDuck

I'll check the duplex settings on the computers using the file-sharing peer-to-peer on a frequent basis. Also -- the auto-negotiate features. I'm going to turn off the 802.1p setting for the NIC.

These things were happening before I ever turned 802.1p "on."

The QoS feature is enabled in Network Connection's "Properties," along with "Windows client," "File and Printer sharing," and of course, "TCP/IP."
 

BonzaiDuck

I've known it for some time, but I have more "senior events" at my age and queried the MS Knowledge base again.

The MRxSMB 3019 message is described as "for informational purposes only," and occurs when accessing a mapped network drive for the first time. It apparently relates to the loopback adapter address not being able to respond to queries about speed and the fact that the loopback adapter doesn't negotiate speed.

The DHCP "lease time" is set to its maximum for all the computers. I'm rather sure that "autonegotiate" is on for all NICs in the system, and I'm going to check the duplex settings. I think it was always desired to get "full duplex" if possible.

On this particular machine from where I've logged the errors shown in previous posts, I'm using the Kaspersky firewall and AV. But these messages have appeared with CA E-Trust and Symantec Norton Internet Security as well.

I have a tech-support e-mail request submitted to Linksys, knowing that they could easily say "contact the software firewall manufacturer" or "Microsoft." I think I casually tried cleaning up this problem about three or four years ago, and put in a tech-support request to Microsoft. They sent me a network analysis program [e-mail attachment], but the indications it gave were not definitive, and we were never able to clean it up. I remember their tech-rep saying "they could just be 'benign' messages." But that was before I replaced the earlier router with the Linksys BEFSR41, and you would think that the software providers might've ironed this one out by now. XP has been around since - when? -- 2002?
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I actually have one client (20+ XP Pro SP2 PCs) that seems to constantly get this same message on ALL of the client PCs. The client is using SBS 2003, Standard Edition, as its DHCP, DNS, WINS Servers and as its Default Gateway. It's in a dual-NIC configuration.

The client PCs include a variety of PCs, mostly Compaq P4s, but some have custom motherboards. Their NICs include several chipsets.

The errors are all:
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 11/21/2006
Time: 8:07:30 AM
User: N/A
Computer: [name withheld]
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address [address withheld]. The following error occurred:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.


These PCs do NOT seem to have any significant problem synching their time with the SBS Server.

I never paid a lot of attention to the error, since it only shows up on the client PCs and I didn't realize it was UNIVERSAL to their office. The Server's DHCP error logs show ZERO errors. But, last week, the client said that they were occasionally getting messages from Outlook 2003 stating that Outlook was unable to connect to the built-in Exchange Server in SBS 2003. That got me thinking of network connectivity problems.

The DHCP lease is for eight days. Four days after receiving a DHCP lease, the client PCs will start requesting a renewal of their DHCP lease. That's when they get their first "DHCP error" message. They will keep retrying over the next three days. Eventually, they all seem to get renewed.

Doing a "Repair Connection" from the XP Network Connection panel ALWAYS seems to work. So I have no idea why the automatic renewal is so troublesome.

I haven't had a chance to fully investigate, but I'm guessing it might be a problem with their switches (a pair of large Dell 10/100 switches), which are downstream of the SBS Server's internal NIC (where DHCP is bound).

These clients have a bare minimum of AntiVirus software and only the SP2 Firewall, which I have zero problems with at my other clients.

Sorry....I don't have a solution for you...but I'd love to hear if you find one. ;)
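
Added example, not part of the thread or any poster's code: a parser for the Event Viewer paste format used above that decodes the `Data:` DWORD (0x79 is Win32 error 121, the code behind "The semaphore timeout period has expired") and labels each Dhcp 1003/1000 event with the lease phase it fell in, using the RFC 2131 default timers (T1 at 50% and T2 at 87.5% of the lease). The sample events, the function names and the lease start time (taken in practice from "Lease Obtained" in `ipconfig /all`) are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the Event Viewer copy/paste layout seen in this thread.
SAMPLE = """\
Event Type: Warning
Event Source: Dhcp
Event ID: 1003
Date: 11/20/2006
Time: 8:07:30 AM
Data:
0000: 79 00 00 00 y...
Event Type: Warning
Event Source: Dhcp
Event ID: 1003
Date: 11/23/2006
Time: 9:00:00 AM
Data:
0000: 79 00 00 00 y...
Event Type: Error
Event Source: Dhcp
Event ID: 1000
Date: 11/24/2006
Time: 8:00:00 AM
"""
FIELD = re.compile(r"(?m)^(Event Source|Event ID|Date|Time): *(.+?) *$")
DWORD = re.compile(r"(?m)^0000: ((?:[0-9a-f]{2} ){4})")  # little-endian: 79 00 00 00 -> 121

def parse_events(text):
    """Yield (source, event_id, timestamp, win32_code) for each pasted event."""
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(FIELD.findall(block))
        if len(f) == 4:
            when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
            m = DWORD.search(block)
            code = int.from_bytes(bytes.fromhex(m.group(1)), "little") if m else None
            yield f["Event Source"], int(f["Event ID"]), when, code

def lease_phase(age, lease):
    """RFC 2131 client state for a lease of this age (T1 = 50%, T2 = 87.5%)."""
    for name, fraction in (("bound", 0.5), ("renewing", 0.875), ("rebinding", 1.0)):
        if age < lease * fraction:
            return name
    return "expired"

def dhcp_timeline(text, lease_start, lease):
    """Label each Dhcp 1003/1000 event with the lease phase it fell in."""
    return [(eid, code, lease_phase(when - lease_start, lease))
            for src, eid, when, code in parse_events(text)
            if src == "Dhcp" and eid in (1000, 1003)]
```

Calling `dhcp_timeline(SAMPLE, datetime(2006, 11, 16, 8), timedelta(days=8))` places the first warning just after the four-day mark of an eight-day lease. Under RFC 2131 the renewing phase is a unicast request to the server that granted the lease and the rebinding phase is a broadcast, so warnings confined to the renewing window point at the unicast path between client and server.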
 

BonzaiDuck

Thanks for the comment about your client and his business system. This is interesting.

I started poking around the client-workstation firewall software -- in this case, Kaspersky's "Anti-Hacker" in their Internet Security package. I had migrated from Symantec (on this machine) -- to CA E-Trust, and I have a hunch Kaspersky may be more robust. We'll see . . .

I went into the firewall configuration "settings" button, and there are checkboxes for different kinds of activity that are cleared through the firewall. Three remained unchecked:

TCP activity inbound and outbound to the loopback 127.0.0.1 address
UDP activity inbound and outbound to the loopback address
PPTP Control activity allow outbound TCP connection

What might be the security risks of enabling these things? The explanations about the DHCP and possibly some other events I've noted refer to some possible disconnect with the loopback connector, although there are other possible explanations for my "annoyances."

Also -- does anyone know of a good network management utility that would function well under peer-to-peer configurations?
 

BonzaiDuck

UPDATE ON THE "BENIGN DHCP" and other event-viewer warnings and errors.

[I think I licked my "unhappy network"]

Here are some interesting web-pages I found in my search to cure my "unhappy network."

Article at Microsoft.com

Speedguide to router configuration: http://www.speedguide.net/read_articles.php?id=177

I cannot precisely pin-down how I resolved my error messages, but I began by converting all file-sharing servers to fixed-IP addresses outside the DHCP (router) scope. I disabled "Simple File and Print Sharing" for machines sharing folders -- mapped as network drives -- and I enabled it for machines sharing printers.

I then started troubleshooting the event-viewer messages of all sorts. I also picked a repair and diagnostic tool -- System Mechanic -- and cleaned up the registries on all the networked machines. I upgraded Windows Messenger to v.5.1 -- which resolved a source=COM error that recurred.

What amazes me now is how every machine on the network seems to run so much faster. Some of this owes to SM discarding unnecessary startup programs that hog clock cycles. The system event-viewer log is now entirely "in the blue."

It is too bad that companies like IOLO and others seem engaged in competitive warfare with rivals like Symantec. They seem to want to sell you an entire suite, so their SM product doesn't recognize other i-net security and AV software. In the screens where this is reported, it is followed by a link called "Solutions" which opens a web-page sales-pitch for IOLO's AV solution.

No company can win the prize for best cleanup and diagnostic tool, best firewall, and best antivirus. In those niches of the industry, software makers and vendors should wise up to the fact that customers don't want to be pawns.

The worst of my troubles was created in the process of solving the original problem-set. IOLO's System Analyzer service conflicted with Norton LiveUpdate for NIS 2006. It took a few iterations running a Norton cleanup tool, running LiveUpdate again, and making sure that registry "problems" that seemed to appear after the LiveUpdate download-installs did not get subsequently "corrected" by running SM again.


Otherwise, I'd say SM v.6 and v.7 helped quite a bit. Quite a bit, indeed . . . .