During the Discover->Offer->Request->Acknowledge cycle, we give the end-user's device a five-minute lease. Halfway through the lease a well-behaved DHCP client will request that the lease be extended and we send an acknowledgement back, saying "sure thing, keep the lease for another five minutes."
If the acknowledgement is dropped by security software (perhaps because the acknowledgement came from a different port on our server than the original lease), the DHCP client assumes its lease has expired after five minutes (even though we extended it) and it starts the process all over again. For a moment the end-user doesn't have an IP address and all manner of confusion and delay follows. All in the name of stopping a phantom third party from issuing a DHCP acknowledgment.
I could have sworn we made changes on our end years ago to prevent this, though.