Why is windows DHCP server offering reserved IPs and then NAKing its own OFFERs ?

Hi,

I have a question regarding how windows DHCP server offers IP addresses to dhcp clients.

What we sometimes observe is that DHCP server OFFERs IP address for which inactive reservation already exists and is registered on DHCP server - and when the client REQUESTs that address DHCP server sends a NAK. Upon further DHCPDISCOVER messages from the same client, DHCP server offers the next IP address (which is also reserved), e.g.: first 10.76.170.82 is offered which is reserved, then 10.76.170.83 is offered and so on until first 'free' IP address exists. 

So basicaly, DHCP server is offering reserved IP addresses and then NAKs its own offers.This seems a little bit strange - I would expect DHCP server to see the address is reserved and not offer it to clients with different MAC address.

My question is this: what could cause DHCP server to behave this way -- is it expected behaviour for windows DHCP server to offer IP addresses for which reservation exists or is this behaviour caused by some misconfiguration of DHCP server on our part ?

Setup info

DHCP server:
- windows server 2012 r2 standard 64 bit 
  (2 dhcp servers in failover hot-standby mode, only one dhcp server is serving requests)
- DHCP Version: 6.3

Client:

- linux machine running centos 7 dhclient.x86_64 12:4.2.5-42.el7.centos.

Relay agent:

- activated on CISCO ASA firewall.

The complete packet exchange is provided bellow.

Should you require any additional info that might help I'll be glad to provide it.

Thank you for your help!
Mario


Recorded DHCP package exchange

Here's the relevant info about server, client and relay agent:
- DHCP server IP: 10.76.155.251
- DHCP client mac: ae:f5:00:00:00:1a
- Relay IP: 10.76.170.1

Here's the packet exchange we observe on the wire:

1. DHCPDISCOVER sent by the client:
===================================
- Frame 33: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Cisco_99:ae:14 (f4:cf:e2:99:ae:14), Dst: Microsof_af:e7:12 (00:15:5d:af:e7:12)
Internet Protocol Version 4, Src: 10.76.170.1 (10.76.170.1), Dst: 10.76.155.251 (10.76.155.251)
User Datagram Protocol, Src Port: 67 (67), Dst Port: 67 (67)
Bootstrap Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 1
    Transaction ID: 0xc07e6f09
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 10.76.170.1 (10.76.170.1)
    Client MAC address: ae:f5:00:00:00:1a (ae:f5:00:00:00:1a)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Discover)
        Length: 1
        DHCP: Discover (1)
    Option: (50) Requested IP Address
        Length: 4
        Requested IP Address: 192.168.10.106 (192.168.10.106)
    Option: (12) Host Name
        Length: 14
        Host Name: myclienthost
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (2) Time Offset
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (12) Host Name
        Parameter Request List Item: (40) Network Information Service Domain
        Parameter Request List Item: (41) Network Information Service Servers
        Parameter Request List Item: (42) Network Time Protocol Servers
        Parameter Request List Item: (26) Interface MTU
        Parameter Request List Item: (119) Domain Search
        Parameter Request List Item: (3) Router
    Option: (255) End
        Option End: 255
    Padding: 00000000000000000000000000000000000000

2. DHCPOFFER sent by the server (server offers 10.76.170.82 for which reservation exists on server - VM using this IP does not use DHCP, it has statically assigned IP) :
=========================================================================================
Frame 34: 348 bytes on wire (2784 bits), 348 bytes captured (2784 bits) on interface 0
Ethernet II, Src: Microsof_af:e7:12 (00:15:5d:af:e7:12), Dst: Cisco_99:ae:14 (f4:cf:e2:99:ae:14)
Internet Protocol Version 4, Src: 10.76.155.251 (10.76.155.251), Dst: 10.76.170.1 (10.76.170.1)
User Datagram Protocol, Src Port: 67 (67), Dst Port: 67 (67)
Bootstrap Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xc07e6f09
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 10.76.170.82 (10.76.170.82)
    Next server IP address: 10.76.155.251 (10.76.155.251)
    Relay agent IP address: 10.76.170.1 (10.76.170.1)
    Client MAC address: ae:f5:00:00:00:1a (ae:f5:00:00:00:1a)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
        Length: 1
        DHCP: Offer (2)
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.255.0 (255.255.255.0)
    Option: (58) Renewal Time Value
        Length: 4
        Renewal Time Value: (1800s) 30 minutes
    Option: (59) Rebinding Time Value
        Length: 4
        Rebinding Time Value: (3150s) 52 minutes, 30 seconds
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (3600s) 1 hour
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.76.155.251 (10.76.155.251)
    Option: (15) Domain Name
        Length: 14
        Domain Name: vuksinec.local
    Option: (6) Domain Name Server
        Length: 8
        Domain Name Server: 10.76.150.100 (10.76.150.100)
        Domain Name Server: 10.76.150.101 (10.76.150.101)
    Option: (3) Router
        Length: 4
        Router: 10.76.170.1 (10.76.170.1)
    Option: (255) End
        Option End: 255

3. DHCPREQUEST sent by the client to confirm offered IP address
======================================================================
Frame 35: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Cisco_99:ae:14 (f4:cf:e2:99:ae:14), Dst: Microsof_af:e7:12 (00:15:5d:af:e7:12)
Internet Protocol Version 4, Src: 10.76.170.1 (10.76.170.1), Dst: 10.76.155.251 (10.76.155.251)
User Datagram Protocol, Src Port: 67 (67), Dst Port: 67 (67)
Bootstrap Protocol (Request)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 1
    Transaction ID: 0xc07e6f09
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 10.76.170.1 (10.76.170.1)
    Client MAC address: ae:f5:00:00:00:1a (ae:f5:00:00:00:1a)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Request)
        Length: 1
        DHCP: Request (3)
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.76.155.251 (10.76.155.251)
    Option: (50) Requested IP Address
        Length: 4
        Requested IP Address: 10.76.170.82 (10.76.170.82)
    Option: (12) Host Name
        Length: 14
        Host Name: myclienthost
    Option: (55) Parameter Request List
        Length: 13
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (2) Time Offset
        Parameter Request List Item: (121) Classless Static Route
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (12) Host Name
        Parameter Request List Item: (40) Network Information Service Domain
        Parameter Request List Item: (41) Network Information Service Servers
        Parameter Request List Item: (42) Network Time Protocol Servers
        Parameter Request List Item: (26) Interface MTU
        Parameter Request List Item: (119) Domain Search
        Parameter Request List Item: (3) Router
    Option: (255) End
        Option End: 255
    Padding: 00000000000000000000000000

4. DHCPNAK sent by DHCP server to client
=========================================

Frame 36: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Microsof_af:e7:12 (00:15:5d:af:e7:12), Dst: Cisco_99:ae:14 (f4:cf:e2:99:ae:14)
Internet Protocol Version 4, Src: 10.76.155.251 (10.76.155.251), Dst: 10.76.170.1 (10.76.170.1)
User Datagram Protocol, Src Port: 67 (67), Dst Port: 67 (67)
Bootstrap Protocol (NAK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xc07e6f09
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 10.76.170.1 (10.76.170.1)
    Client MAC address: ae:f5:00:00:00:1a (ae:f5:00:00:00:1a)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (NAK)
        Length: 1
        DHCP: NAK (6)
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 10.76.155.251 (10.76.155.251)
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000000000000000...