Event ID 4653 - IPsec Main Mode negotiation failed

    Question

  • Hello

    How do I go about correcting this error? I have a lot of event ID 4653 on my W2K8 DCs.
    We are in the process of moving all DCs to W2K8; currently we still have some W2K3 DCs in the domain.

    Thanks


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          26/07/2009 9:20:23 AM
    Event ID:      4653
    Task Category: IPsec Main Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      <machinename>.<FQDN>
    Description:
    An IPsec Main Mode negotiation failed.

    Local Endpoint:
     Local Principal Name: -
     Network Address: 
     Keying Module Port: 500

    Remote Endpoint:
     Principal Name:  -
     Network Address: 
     Keying Module Port: 500

    Additional Information:
     Keying Module Name: IKE
     Authentication Method: Unknown authentication
     Role:   Responder
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  7cb650c6edbf4a03
     Responder Cookie: 149182f2a96a1944
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4653</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12547</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2009-07-26T13:20:23.210Z" />
        <EventRecordID>90067942</EventRecordID>
        <Correlation />
        <Execution ProcessID="584" ThreadID="4748" />
        <Channel>Security</Channel>
        <Computer><machinename>.<FQDN></Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LocalMMPrincipalName">-</Data>
        <Data Name="RemoteMMPrincipalName">-</Data>
        <Data Name="LocalAddress">
        </Data>
        <Data Name="LocalKeyModPort">500</Data>
        <Data Name="RemoteAddress">
        </Data>
        <Data Name="RemoteKeyModPort">500</Data>
        <Data Name="KeyModName">%%8222</Data>
        <Data Name="FailurePoint">%%8199</Data>
        <Data Name="FailureReason">No policy configured
    </Data>
        <Data Name="MMAuthMethod">%%8194</Data>
        <Data Name="State">%%8201</Data>
        <Data Name="Role">%%8206</Data>
        <Data Name="MMImpersonationState">%%8217</Data>
        <Data Name="MMFilterID">0</Data>
        <Data Name="InitiatorCookie">7cb650c6edbf4a03</Data>
        <Data Name="ResponderCookie">149182f2a96a1944</Data>
      </EventData>
    </Event>

    Sunday, July 26, 2009 2:15 PM
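    A small triage helper for this event, added here as an example and not part of the thread: it parses the Event XML quoted above, resolves the %%nnnn message-table placeholders using the mapping between the raw XML and the rendered description on this page, and flags the Responder / "No policy configured" combination. The hostname dc01.example.test and the 192.0.2.x addresses are constructed stand-ins for the values redacted in the post.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# %%nnnn placeholders, mapped from the rendered 4653 description to its raw Event XML.
PLACEHOLDERS = {
    "%%8222": "IKE",                    # KeyModName
    "%%8199": "Local computer",         # FailurePoint
    "%%8194": "Unknown authentication", # MMAuthMethod
    "%%8201": "No state",               # State
    "%%8206": "Responder",              # Role
    "%%8217": "Not enabled",            # MMImpersonationState
}

# Constructed sample: the quoted event trimmed to the fields used here, with a
# placeholder hostname and RFC 5737 test addresses where the post was redacted.
SAMPLE_4653 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4653</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="LocalAddress">192.0.2.10</Data>
    <Data Name="LocalKeyModPort">500</Data>
    <Data Name="RemoteAddress">192.0.2.55</Data>
    <Data Name="RemoteKeyModPort">500</Data>
    <Data Name="KeyModName">%%8222</Data>
    <Data Name="FailurePoint">%%8199</Data>
    <Data Name="FailureReason">No policy configured
</Data>
    <Data Name="MMAuthMethod">%%8194</Data>
    <Data Name="State">%%8201</Data>
    <Data Name="Role">%%8206</Data>
    <Data Name="MMImpersonationState">%%8217</Data>
  </EventData>
</Event>"""

def parse_4653(xml_text):
    """Return the event's Data fields by name, with %%nnnn codes resolved."""
    root = ET.fromstring(xml_text)
    fields = {"Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        value = (data.text or "").strip()   # FailureReason carries a trailing newline
        fields[data.get("Name")] = PLACEHOLDERS.get(value, value)
    return fields

def triage_4653(fields):
    """Responder + 'No policy configured': the peer initiated IKE and this host
    has no matching IPsec policy, so the peer's configuration is where to look."""
    if fields["Role"] == "Responder" and fields["FailureReason"] == "No policy configured":
        return "peer-initiated", fields["RemoteAddress"]
    return "other", fields.get("RemoteAddress")
```

    Against a live system, the same parser can be fed the XML of each 4653 record exported from the Security log to group failures by remote address.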

Answers

  • Hi,

    This error may be caused by incorrect settings. Please help to collect the following information for research.

    1.    Does this error occur on any other server?
    2.    On the DC, run GPMC.msc, right-click Group Policy Result and choose Group Policy Result Wizard, follow the wizard to collect a copy of the result, save the report and use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

    Please also disable the Firewall on Windows Server 2008 or allow the following protocols and ports to test:

    • TCP port 50 for IPSec Encapsulating Security Protocol (ESP) traffic
    • TCP port 51 for IPSec Authentication Header (AH) traffic
    • UDP port 500 for Internet Key Exchange (IKE) negotiation traffic

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, July 27, 2009 8:59 AM
    Moderator

All replies

  • Hello,

    Some more info about your IPSec configuration and setup can be really helpful. Or is nothing configured with IPSec? Is SP2 installed on the 2008 servers?


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, July 26, 2009 8:29 PM
  • Nothing has been configured with IPSec. At this point in time I don't have any need for IPSec that I'm aware of.

    Yes, the servers are up to date with service packs and Windows updates.
    The installation DVD for W2K8 x64 had SP2 slipstreamed into it, the ISO was downloaded from the Microsoft licensing site.

    Sunday, July 26, 2009 11:13 PM
  • http://cid-f7af309a1cf92b30.skydrive.live.com/self.aspx/.Public/GPM%20BW-ADC002.htm


    Here are the results.
    I have the firewall set to allow everything in and out at this point. 
    I also added the TCP ports you listed.
    Monday, July 27, 2009 1:29 PM