I've finally figured this out. Turns out Microsoft does not follow the rules. And be careful when buying some firewall appliances.
From the Cisco debug, a Linux workstation shuts down, then boots up:
Code:
Sep 15 19:51:30.845: DHCPD: DHCPRELEASE message received from client 0100.1320.1a82.1f (192.168.24.87).
Sep 15 19:51:30.845: DHCPD: returned 192.168.24.87 to address pool inside.
Sep 15 19:52:44.033: DHCPD: DHCPDISCOVER received from client 0100.1320.1a82.1f on interface FastEthernet2/15
Sep 15 19:52:46.037: DHCPD: assigned IP address 192.168.24.88 to client 0100.1320.1a82.1f.
Sep 15 19:52:46.037: DHCPD: Sending DHCPOFFER to client 0100.1320.1a82.1f (192.168.24.88).
Sep 15 19:52:46.041: DHCPD: creating ARP entry (192.168.24.88, 0013.201a.821f).
Sep 15 19:52:46.041: DHCPD: unicasting BOOTREPLY to client 0013.201a.821f (192.168.24.88).
Sep 15 19:52:46.061: DHCPD: DHCPREQUEST received from client 0100.1320.1a82.1f.
Sep 15 19:52:46.061: DHCPD: Sending DHCPACK to client 0100.1320.1a82.1f (192.168.24.88).
Sep 15 19:52:46.065: DHCPD: creating ARP entry (192.168.24.88, 0013.201a.821f).
Sep 15 19:52:46.065: DHCPD: unicasting BOOTREPLY to client 0013.201a.821f (192.168.24.88).
Now for a Windows Shut Down, Reboot. (Yes, I changed the clock.)
Code:
Sep 15 15:16:16.692: DHCPD: DHCPREQUEST received from client 0100.0d56.8468.23.
Sep 15 15:16:16.692: DHCPD: Sending DHCPACK to client 0100.0d56.8468.23 (192.168.24.99).
Sep 15 15:16:16.692: DHCPD: creating ARP entry (192.168.24.99, 000d.5684.6823).
Sep 15 15:16:16.696: DHCPD: unicasting BOOTREPLY to client 000d.5684.6823 (192.168.24.99).
Turns out Linux does it exactly by the standards. However, Microsoft does not release the IP when it shuts down, and does not broadcast a DHCPDISCOVER packet when it boots up. Instead, it sends a DHCPREQUEST using the previously assigned IP. And it turns out Cisco's implementation of DHCP intentionally assigns the IP address that has been available for the longest time, so it gets an incremental IP address.
The takeaway from this issue is: when you buy a firewall appliance that has a per-seat license, ask the vendor if the firewall tracks the license usage by actual concurrent connections, or by some kind of IP address database that has to be cleared as addresses change.
Thanks, everyone.
Catkin, you get the thumbs up because you got me thinking in a new direction! Thanks!
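
The seat-count effect described in the post, as an added example that is not part of the original post: it replays three of the debug lines above and compares the number of hosts with the number of seats a never-cleared per-IP table would hold. That table models a hypothetical licensing scheme (an assumption, not any vendor's documented behaviour), and the function names are made up for the illustration.

```python
import re

# Three lines copied from the two debug captures in the post.
SAMPLE_LOG = """\
Sep 15 19:51:30.845: DHCPD: DHCPRELEASE message received from client 0100.1320.1a82.1f (192.168.24.87).
Sep 15 19:52:46.061: DHCPD: Sending DHCPACK to client 0100.1320.1a82.1f (192.168.24.88).
Sep 15 15:16:16.692: DHCPD: Sending DHCPACK to client 0100.0d56.8468.23 (192.168.24.99).
"""

EVENT = re.compile(
    r"DHCPD: (?:(?P<rel>DHCPRELEASE) message received from|Sending (?P<ack>DHCPACK) to)"
    r" client (?P<cid>[0-9a-f.]+) \((?P<ip>\d+(?:\.\d+){3})\)")

def client_mac(client_id):
    """The client-id is hardware type 01 (Ethernet) followed by the MAC; return the MAC."""
    digits = client_id.replace(".", "")
    return digits[2:] if len(digits) == 14 and digits.startswith("01") else digits

def seat_usage(log):
    """Compare real hosts with what a per-IP seat table (assumed model) would count."""
    history = {}      # MAC -> every IP it has held, in order of appearance
    active = {}       # MAC -> IP of its current lease
    seen_ips = set()  # contents of a per-IP seat table that is never cleared
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        mac, ip = client_mac(m["cid"]), m["ip"]
        seen_ips.add(ip)
        ips = history.setdefault(mac, [])
        if ip not in ips:
            ips.append(ip)
        if m["rel"]:
            active.pop(mac, None)   # lease returned to the pool
        else:
            active[mac] = ip        # DHCPACK confirms the current lease
    return {"hosts": len(history), "active_leases": len(active),
            "ip_table_seats": len(seen_ips), "history": history}

if __name__ == "__main__":
    usage = seat_usage(SAMPLE_LOG)
    for mac, ips in usage["history"].items():
        print(mac, "->", ", ".join(ips))
    print("hosts:", usage["hosts"], "| seats by IP table:", usage["ip_table_seats"])
```
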