Back to All Scenarios
PASSEDserver / dhcp_scope_exhaustion
DHCP Scope Exhaustion — New Devices Can't Get IPs
The DHCP scope for the main user VLAN is 99% exhausted. New devices connecting to the network fail to obtain IP addresses. Users reporting 169.254.x.x APIPA addresses. Scope was sized for 200 but 210 devices now on the VLAN due to BYOD growth.
Pattern
DHCP_EXHAUSTION
Severity
CRITICAL
Confidence
92%
Remediation
Auto-Heal
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | DHCP_EXHAUSTION | DHCP_EXHAUSTION | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 25 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously |
Scenario Conditions
Windows DHCP server. Scope 10.10.20.0/24 with 200 leases (10.10.20.10 - 10.10.20.210). 198 active leases. 8-hour lease duration. 15 new devices waiting for IPs. No DHCP relay to backup server.
Injected Error Messages (2)
DHCP scope exhaustion on 10.10.20.0/24 — Windows Event ID 1020: DHCP scope is 99% full, 198/200 addresses leased, DHCPDISCOVER packets receiving DHCPNAK, new clients assigned 169.254.x.x APIPA, scope utilization critical
Wireless clients failing DHCP — 15 devices on Building-B APs receiving APIPA addresses 169.254.x.x, DHCP server not responding to DISCOVER requests, users reporting no internet connectivity after Wi-Fi connect
Neural Engine Root Cause Analysis
The DHCP server on DC-01 has exhausted its IP address pool for the 10.10.20.0/24 network segment, with 198 out of 200 available addresses currently leased. This is causing new clients to receive DHCPNAK responses and fall back to APIPA addressing (169.254.x.x), effectively preventing new devices from obtaining valid network configuration. The 12 correlated incidents likely represent the cascading effect of clients losing network connectivity as they attempt to renew or obtain IP addresses.
Remediation Plan
1. Immediately analyze current DHCP lease table to identify expired or stale leases that can be reclaimed 2. Force release of any expired leases older than lease duration 3. Identify devices with abnormally long lease times or duplicate reservations 4. If insufficient addresses remain available, temporarily extend the DHCP scope by expanding the subnet range or reducing lease duration 5. Monitor scope utilization and implement alerting at 80% threshold to prevent future exhaustion 6. Consider implementing DHCP scope splitting across multiple servers for redundancy
Tested: 2026-03-30Monitors: 2 | Incidents: 2Test ID: cmncjhung01mwobqee9cbx1fa