IPSec causes dropped shares?
-
Wednesday, October 26, 2011 12:04 AM
We have two 2008 R2 file servers and (mostly) XP clients. Random clients sporadically drop mapped connections to 2 file servers, and access to the server is not restored with log off/log on, but requires a client reboot.
This produces a Security log entry on both the client and server. Below is an example from the server.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/12/2011 11:37:56 PM
Event ID: 4654
Task Category: IPsec Quick Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: FS1.housing.berkeley.edu
Description:
An IPsec quick mode negotiation failed.
Local Endpoint:
Network Address: 169.229.70.221
Network Address mask: 0.0.0.0
Port: 0
Tunnel Endpoint: -
Remote Endpoint:
Network Address: 169.229.66.65
Address Mask: 0.0.0.0
Port: 0
Tunnel Endpoint: -
Private Address: 0.0.0.0
Additional Information:
Protocol: 6
Keying Module Name: IKEv1
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
Mode: Transport
Role: Responder
Quick Mode Filter ID: 70928
Main Mode SA ID: 380657
Failure Information:
State: Sent first (SA) payload
Message ID: 1833354141
Failure Point: Local computer
Failure Reason: Cannot create a file when that file already exists.
I haven't been able to find any mention of this online. Any ideas?
Thanks!
Bob Muzzy SA IT, UC Berkeley
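The event text in the post above repeats field names ("Network Address", "Port") under different headings, so a flat key/value parse loses which endpoint is which. As an added example (not from the thread or from Microsoft), this Python script parses Security-log text exported in that layout and tallies event 4654 failures per remote address; the function names, the 192.0.2.10 address and the 4624 record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the post (trimmed).
# 169.229.* values are from the post; 192.0.2.10 and the 4624 record are made up.
TEMPLATE = """Log Name: Security
Event ID: {eid}
Local Endpoint:
Network Address: 169.229.70.221
Remote Endpoint:
Network Address: {remote}
Failure Information:
Failure Point: Local computer
Failure Reason: Cannot create a file when that file already exists.
"""
SAMPLE = "".join(TEMPLATE.format(eid=e, remote=r) for e, r in [
    ("4654", "169.229.66.65"), ("4654", "192.0.2.10"),
    ("4654", "169.229.66.65"), ("4624", "192.0.2.10")])

def parse_events(text):
    """Return one dict per record; keys are 'Section/Field' because
    'Network Address' repeats under Local Endpoint and Remote Endpoint."""
    events, section = [], ""
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if not m:
            continue                      # free text such as the description
        key, value = m.group(1).strip(), m.group(2)
        if key == "Log Name":             # first field of every record
            events.append({})
            section = ""
        if not events:
            continue                      # text before the first record
        if value == "":
            section = key                 # header line, e.g. "Remote Endpoint:"
        else:
            events[-1][f"{section}/{key}" if section else key] = value
    return events

def tally_quick_mode_failures(text):
    """Count event 4654 by (remote address, failure point, failure reason)."""
    return Counter(
        (e.get("Remote Endpoint/Network Address"),
         e.get("Failure Information/Failure Point"),
         e.get("Failure Information/Failure Reason"))
        for e in parse_events(text) if e.get("Event ID") == "4654")

if __name__ == "__main__":
    for key, count in tally_quick_mode_failures(SAMPLE).most_common():
        print(count, *key, sep=" | ")
```

Run against text exported from both file servers, the per-address counts show whether the failures concentrate on a few clients.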
All Replies
-
Thursday, October 27, 2011 5:49 AM Moderator
Hi Bob,
Thanks for posting here.
Have you ever set any IPsec policy or filter on either side? If yes, how and what did we set? Any idea?
What was the error prompt when the connection was dropped? Can we still reach these servers by using other methods and protocols, like pinging IP addresses from clients? And will other hosts also be affected?
I’d suggest first applying the latest service pack and hotfixes on both the server and XP clients.
Thanks.
Tiger Li
-
Wednesday, November 02, 2011 12:39 AM
We set a policy in the Windows firewall on each server (vs. via GPO) to request inbound & outbound IPSec, using Kerberos then our domain certs.
The only error popups are from whatever application, e.g., Thunderbird, had a connection to that server.
I *believe* the server that drops can still be pinged. I've asked a desktop guy to verify this.
We've only seen this on the 2 2008 R2 file servers here.
All servers and clients are patched monthly.
thanks.
Bob
Bob Muzzy SA IT, UC Berkeley
-
Tuesday, March 06, 2012 8:24 PM
We have this exact same issue, did you ever find a resolution?
-
Thursday, March 08, 2012 8:05 PM
No, we opened a ticket with MS support and they sent us a tool to capture data related to IPSec. I sent them some logs but haven't heard back from them yet. I need to re-contact them...
Bob Muzzy SA IT, UC Berkeley
-
Wednesday, March 14, 2012 4:13 PM
I have found that if I restart the IPSec service or do a gpupdate /force it resolves the problem for a while so we don't have to reboot all the time. This is only an issue with Windows XP for us as our Windows 7 machines don't have the problem. If you do find a solution, I'd love to hear it. We are just dealing with it for the time being because we have Windows 7 upgrades coming in the near future and it is only affecting a small group of people (haven't found the common denominator yet).
-
Thursday, May 23, 2013 4:22 PM
SuperJosh1 & blmuzzy - any further information on this? I just ran into the same behavior.

