Re: IPSEC not working
From: David Beder [MSFT] (dbeder_at_online.microsoft.com)
Date: 05/08/05
- Previous message: Michael: "Re: howto set MD4 NT Hash in AD?"
- In reply to: Ludwig Zammit: "Re: IPSEC not working"
- Next in thread: Ludwig Zammit: "Re: IPSEC not working"
- Reply: Ludwig Zammit: "Re: IPSEC not working"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 8 May 2005 01:05:56 -0700
Server and Client policies aren't completely compatible when it comes to ICMP.
If for any reason the client sends non-ICMP traffic to the server, the
server will initiate IPsec with the client. The client will accept this
requirement and will attempt to accept and transmit ALL traffic to the
server with IPsec. At this point the ICMP traffic will be sent to the server
over IPsec and the server will not accept it because ICMP is required to
come in the clear. On the flip side, the clear ICMP traffic sent from the
server to the client will be dropped by the client because all traffic from
the server must be IPsec protected.
Since ipsecmon says you have an active IPsec connection, the failure point
would seem to be at the app level, quite possibly in the arena of ICMP (e.g.
some applications assume that if ping doesn't work, connectivity does not
exist, so fail). Try adding a new rule to your client policy which permits
ICMP.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in message
news:61683B3E-0C90-41CA-B97A-DE013DAF57AD@microsoft.com...
> First of all thanks for your reply!
>
> I can confirm that nothing has changed. If I disable IPSec Policies I can
> ping the server without any problems.
>
> What I cannot explain is that when the policies are enabled, ipsecmon tells
> me that the connection is being secured by "ESP Triple DES HMAC SHA1" but
> still I am receiving a "request timed out" when pinging the server from a
> client which has "client (respond only)" enabled.
>
> The Server (Request Security) policy is configured to permit "All ICMP
> Traffic"
>
> Regards
> Ludwig
>
> "Stephen Cartwright [MSFT]" wrote:
>
>> Sounds like you have a basic connectivity issue with your server. IKE is
>> timing out and ping is failing. You said all was working until yesterday and
>> nothing has changed on your policies [or become invalid?].
>> Stop policyagent on the server and one client and establish that the server
>> is ping contactable before launching on IPsec/AD/DNS troubleshooting as it
>> does not appear to be an IPsec issue on first reading.
>>
>> --
>> Stephen Cartwright [MSFT]
>>
>> "This posting is provided "AS IS" with no warranties, and confers no
>> rights."
>>
>> "Ludwig Zammit" <Ludwig Zammit@discussions.microsoft.com> wrote in message
>> news:1FD7D43B-0DB6-46B6-BEB2-D764510B62E4@microsoft.com...
>> > I have set up one of my servers with the Server (Request Security) IPSEC
>> > policy. Any clients and servers (members of the same domain) which had the
>> > client (respond Only) policy activated used to communicate successfully with
>> > this server and any communication was shown correctly in ipsecmon.
>> >
>> > However as of yesterday I started having problems with clients communicating
>> > with this server. I have enabled Object Access Auditing on the server and am
>> > receiving event ID 547 in my security event log:
>> >
>> > The failure reason is either "IKE SA deleted before establishment completed"
>> > or "No response from peer". The failure point is always "Me"
>> >
>> > If I try to ping the server from any machine which has the client (respond
>> > only) policy enabled I get a "Request Timed Out". The Server (Request Security)
>> > policy has not been modified and hence all ICMP traffic should be permitted.
>> >
>> > I am still receiving successful event IDs (541, 542 and 543) along with these
>> > error messages. I am not sure if this is a normal behaviour or not.
>> >
>> > Any help is appreciated.
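The policy mismatch described in this thread, written up as an added example (this is not code from the thread or from Microsoft's IPsec implementation). It is a deliberately simplified model of how the two policies interact: filter matching, the "most specific rule wins" behaviour, the negotiation trigger, and the "exempted traffic must arrive in the clear" rule are all reduced to what the post states and are assumptions of the model, not a description of the real policy agent. The scenario function runs the sequence twice, once with the original Client (Respond Only) policy and once with the ICMP permit rule David suggests adding, so you can see why ping works until the first non-ICMP packet establishes an SA and fails afterwards, and why the extra client rule fixes both directions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Protocols, filter actions and transport modes used by the model (constructed names).
ICMP, TCP = "ICMP", "TCP"
PERMIT, REQUEST_SECURITY, RESPOND_ONLY = "permit", "request_security", "respond_only"
CLEAR, IPSEC = "clear", "ipsec"


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]  # None matches any protocol (the catch-all rule)
    action: str


@dataclass
class Host:
    name: str
    rules: list
    sa_with: set = field(default_factory=set)  # peers with an established SA

    def rule_for(self, proto):
        """Assumed matching: a protocol-specific filter beats the catch-all."""
        specific = [r for r in self.rules if r.proto == proto]
        if specific:
            return specific[0]
        return next(r for r in self.rules if r.proto is None)

    def outbound_mode(self, peer, proto):
        """Permit sends in the clear; anything else uses the SA once one exists."""
        if self.rule_for(proto).action == PERMIT:
            return CLEAR
        return IPSEC if peer in self.sa_with else CLEAR

    def inbound_accept(self, peer, proto, mode):
        """Exempted traffic must arrive in the clear; once an SA exists with a
        peer, clear traffic from that peer is dropped (the post's description)."""
        if self.rule_for(proto).action == PERMIT:
            return mode == CLEAR
        if mode == IPSEC:
            return True
        return peer not in self.sa_with


def deliver(src, dst, proto):
    """Send one packet and return (mode, accepted). Clear, non-exempt traffic
    reaching a Request Security host from a new peer triggers negotiation; a
    Respond Only peer accepts it, so the SA appears on both sides."""
    mode = src.outbound_mode(dst.name, proto)
    accepted = dst.inbound_accept(src.name, proto, mode)
    if (accepted and mode == CLEAR
            and dst.rule_for(proto).action == REQUEST_SECURITY
            and src.name not in dst.sa_with):
        dst.sa_with.add(src.name)
        src.sa_with.add(dst.name)
    return mode, accepted


def ping(src, dst):
    """Echo request plus echo reply; both must be accepted for ping to succeed."""
    _, request_ok = deliver(src, dst, ICMP)
    if not request_ok:
        return False
    _, reply_ok = deliver(dst, src, ICMP)
    return reply_ok


def run_scenario(client_permits_icmp):
    """Server (Request Security) with an ICMP exemption talking to a
    Client (Respond Only), optionally with the extra ICMP permit rule added."""
    server = Host("server", [Rule(ICMP, PERMIT), Rule(None, REQUEST_SECURITY)])
    client_rules = [Rule(None, RESPOND_ONLY)]
    if client_permits_icmp:
        client_rules.insert(0, Rule(ICMP, PERMIT))  # the fix suggested in the thread
    client = Host("client", client_rules)

    results = {}
    results["ping_before_sa"] = ping(client, server)
    results["tcp"] = deliver(client, server, TCP)  # first non-ICMP packet: negotiation
    results["sa_established"] = "server" in client.sa_with
    results["tcp_after_sa"] = deliver(client, server, TCP)
    results["ping_after_sa"] = ping(client, server)
    results["server_ping_client"] = ping(server, client)
    return results


if __name__ == "__main__":
    for fixed in (False, True):
        print("client permits ICMP:", fixed)
        for key, value in run_scenario(fixed).items():
            print(f"  {key}: {value}")
```

In the unfixed run the model reproduces the symptom from the thread: ipsecmon would show a live SA (TCP flows protected), yet ping fails in both directions because the client wraps ICMP in ESP that the server's exemption rejects, and drops the server's clear replies. With the client-side ICMP permit rule both hosts treat ICMP as exempt and ping succeeds alongside the protected TCP traffic.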