Re: IPSEC not working

From: Ludwig Zammit (LudwigZammit_at_discussions.microsoft.com)
Date: 05/09/05


Date: Mon, 9 May 2005 07:04:06 -0700

Thanks for your reply.

I have added Permit ALL ICMP Traffic on client as well but to no avail.

"David Beder [MSFT]" wrote:

> Server and Client policies aren't completely compatible when it comes to ICMP.
> If for any reason the client sends non-ICMP traffic to the server, the
> server will initiate ipsec with the client. The client will accept this
> requirement and will attempt to accept and transmit ALL traffic to the
> server with ipsec. At this point the icmp traffic will be sent to the server
> over ipsec and the server will not accept it because icmp is required to
> come in the clear. On the flip side the clear icmp traffic sent from the
> server to the client will be dropped by the client because all traffic from
> the server must be ipsec protected.
>
> Since ipsecmon says you have an active ipsec connection the failure point
> would seem to be at the app level, quite possibly in the arena of icmp (e.g.
> some applications assume that if ping doesn't work, connectivity does not
> exist, so fail). Try adding a new rule to your client policy which permits
> ICMP.
>
> --
> David
> Microsoft Windows Networking
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in message
> news:61683B3E-0C90-41CA-B97A-DE013DAF57AD@microsoft.com...
> > First of all thanks for your reply!
> >
> > I can confirm that nothing has changed. If I disable IPSec Policies I can
> > ping the server without any problems.
> >
> > What I cannot explain is that when the policies are enabled, ipsecmon
> > tells me that the connection is being secured by "ESP Triple DES HMAC SHA1" but
> > still I am receiving a "request timed out" when pinging the server from a
> > client which has "client(respond only)" enabled.
> >
> > The Server(Request Security) policy is configured to permit "All ICMP Traffic"
> >
> > Regards
> > Ludwig
> >
> > "Stephen Cartwright [MSFT]" wrote:
> >
> >> Sounds like you have a basic connectivity issue with your server. IKE is
> >> timing out and ping is failing. You said all was working until yesterday
> >> and nothing has changed on your policies [or become invalid?].
> >> Stop policyagent on the server and one client and establish that the
> >> server is ping contactable before launching on IPsec/AD/DNS troubleshooting as it
> >> does not appear to be an IPsec issue on first reading.
> >>
> >> --
> >> Stephen Cartwright [MSFT]
> >>
> >> "This posting is provided "AS IS" with no warranties, and confers no
> >> rights."
> >>
> >> "Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in
> >> message
> >> news:1FD7D43B-0DB6-46B6-BEB2-D764510B62E4@microsoft.com...
> >> > I have set up one of my servers with the Server(Request Security) IPSEC
> >> > policy. Any clients and servers (members of the same domain) which had
> >> > the client(respond Only) policy activated used to communicate successfully
> >> > with this server and any communication was shown correctly in ipsecmon.
> >> >
> >> > However as of yesterday I started having problems with clients
> >> > communicating with this server. I have enabled Object Access Auditing on the server
> >> > and am receiving event ID 547 in my security event log:
> >> >
> >> > The failure reason is either "IKE SA deleted before establishment
> >> > completed" or "No response from peer". The failure point is always "Me".
> >> >
> >> > If I try to ping the server from any machine which has the
> >> > client(respond only) policy enabled I get a "Request Timed Out". The Server(Request
> >> > Security) policy has not been modified and hence all ICMP traffic should be
> >> > permitted.
> >> >
> >> > I am still receiving successful event ids (541, 542 and 543) along with
> >> > these error messages. I am not sure if this is a normal behaviour or not.
> >> >
> >> > Any help is appreciated.
> >>
> >>
> >>
>
>
>
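
The policy interaction David describes above, as an added example that is not part of the thread: a small Python model of the Server (Request Security) and Client (Respond Only) filter behaviour, showing why ping works before an IKE SA exists, fails once one does, and passes again with a Permit ICMP rule on the client. The rule names, first-match evaluation and the treatment of a clear packet hitting a negotiate filter as a drop are assumptions for the model, not the real Windows IPsec engine; it reproduces David's reasoning, not Ludwig's result, since his follow-up says the extra rule did not help in his case.

```python
# Added example, not code from the thread: a small model of the two Windows IPsec
# policy behaviours David describes, to show why ping fails once an IKE SA exists.
# Rule names and first-match evaluation are assumptions, not the real engine.

PERMIT = "permit"        # traffic passes in the clear
NEGOTIATE = "negotiate"  # traffic must be IPsec-protected (IKE SA required)
RESPOND = "respond"      # Client (Respond Only): clear until a peer negotiates,
                         # then everything to that peer is IPsec-protected

# Server (Request Security): ICMP permitted in the clear, all else negotiates.
SERVER_POLICY = [("icmp", PERMIT), ("any", NEGOTIATE)]
# Client (Respond Only) as posted, and with David's suggested "Permit ICMP" rule.
CLIENT_POLICY = [("any", RESPOND)]
CLIENT_POLICY_WITH_ICMP = [("icmp", PERMIT), ("any", RESPOND)]


def action_for(policy, proto, sa_established):
    """First matching filter wins; RESPOND resolves by whether an SA exists."""
    for match, action in policy:
        if match in (proto, "any"):
            if action == RESPOND:
                return NEGOTIATE if sa_established else PERMIT
            return action
    return PERMIT


def delivered(sender_policy, receiver_policy, proto, sa_established):
    """True if one packet of `proto` is accepted by the receiver.

    The sender protects the packet when its own action is NEGOTIATE and an SA is
    up; the receiver accepts only if the protection matches its action (a clear
    packet hitting a NEGOTIATE filter would trigger IKE; modelled as a drop)."""
    send = action_for(sender_policy, proto, sa_established)
    recv = action_for(receiver_policy, proto, sa_established)
    protected = send == NEGOTIATE and sa_established
    return (not protected) if recv == PERMIT else protected


def ping_works(client_policy, sa_established):
    """Ping needs the echo request (client->server) and the reply (server->client)."""
    return (delivered(client_policy, SERVER_POLICY, "icmp", sa_established)
            and delivered(SERVER_POLICY, client_policy, "icmp", sa_established))


if __name__ == "__main__":
    for name, pol in (("respond only", CLIENT_POLICY), ("+ permit ICMP", CLIENT_POLICY_WITH_ICMP)):
        for sa in (False, True):
            print(f"client {name:14} SA up={sa!s:5} ping works={ping_works(pol, sa)}")
```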


