Server 2008 Windows Firewall Dropping Packets when Firewall Profiles are Off

  • Question

  • I have a number of Windows Server 2008 R2 machines which are refusing to allow certain traffic which should be allowed when the Windows Firewall is enabled.  These servers are a mixture of physical and virtual and are all connected to the domain.  The problem first manifested itself when it became apparent that these machines weren't communicating with my WSUS server but various other types of traffic also appear to be affected.

    Symptoms (there may be other comms errors I haven't picked up yet):

    • No communication with WSUS (error 0x80072efd when searching for updates) - settings for local WSUS server are correct in registry
    • Failure when I issue a remote systeminfo /S <servername> command (RPC Server is unavailable)
    • Group Policy application failures with event IDs 1054 and 1055 in system event logs

    These failures occur with the firewall service enabled in all of the following scenarios:

    1. All firewall profiles off
    2. All firewall profiles on with inbound and outbound traffic set to allow by default
    3. All firewall profiles on with all inbound and outbound rules enabled and set to allow
    4. All firewall profiles on with an explicit "allow all" rule set up to apply to all programs, services, ports and protocols

    When firewall profiles are on and logging is enabled the firewall log details the dropped packets.

    I have attempted a reset of the firewall (using the Restore Default Policy option) then opened everything up - same results. I have also ensured that the server on which I'm testing is completely up-to-date with relevant hotfixes.

    The firewall is obviously doing some things correctly, however: if I disable the allow rule for RDC I can no longer use Remote Desktop, and when it is re-enabled Remote Desktop once again becomes available (behaviour as expected).

    If I disable the Windows Firewall service all of these issues are resolved but this is neither an allowable solution in my enterprise nor is it an MS supported configuration.

    I do have a few working 2008 servers although they are not in the same domain in AD. For example all failing servers are in <subdomain>.<domain>.com whereas working servers are simply in <domain>.com.

    I have been scratching my head over this for well over a week now with no joy, and can find no similar problems elsewhere on the web. Can anyone please help or suggest somewhere for further advice?

    Thanks in advance, John.

    Thursday, February 9, 2012 9:43 AM

Answers

  • Okay. This is very strange.

    I went back over the build for our 2008 servers, as all but the DCs have a configuration script run post build, and the only W2K8 server which was working was a DC. This config script runs various server hardening routines, software installations, log setups, etc.

    Turns out that one of the service hardening scripts was causing the problem, but it's absolutely nothing to do with the firewall. Of all things, the Windows Audio service registry changes caused the traffic failures. Once I took a clean, pre-script copy of the Windows Audio service registry key, reapplied this to a failing server and rebooted, all began working as I'd expect.

    Problem solved but I fail to see why changes to HKLM\System\ControlSet001\services\AudioSrv should have any effect on the firewall.

    Thanks for those who tried to help, maybe this will be of use to someone. Perhaps MS might explain why this behaviour occurred?

    • Marked as answer by JohnHip Thursday, February 16, 2012 2:13 PM
    Thursday, February 16, 2012 2:13 PM
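The accepted answer was found by comparing the Windows Audio service registry key against a clean, pre-hardening copy. The script below is an added example written for this page, not code from the thread or from the poster's hardening script: run with -Export on a known-good server to record a baseline of the service key (all values and subkeys), then run without it on a failing server to list every value that was added, removed or changed. It assumes an elevated PowerShell prompt, that CurrentControlSet is the active control set (the post names ControlSet001 directly), and an arbitrary baseline path under C:\fwdiag.

```powershell
# Added example (not from the thread): snapshot a service's registry key on a
# known-good server, then report every value that differs on a suspect server.
# Assumptions: run as Administrator; CurrentControlSet is the active control set
# (the post names ControlSet001 directly); the baseline path is arbitrary.
param(
    [string]$Service  = 'AudioSrv',
    [string]$Baseline = 'C:\fwdiag\AudioSrv-baseline.xml',
    [switch]$Export   # run once on a working server to write the baseline
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"

function Get-ServiceKeySnapshot {
    param([string]$Path)
    # Flatten the key and all subkeys (Parameters, Security, ...) into
    # 'relative\subkey\valuename' -> 'KIND: value' so two hosts can be compared.
    $snap = @{}
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        $rel = $key.Name -replace '^.*\\Services\\', ''
        foreach ($name in $key.GetValueNames()) {
            $kind  = $key.GetValueKind($name)
            # Keep REG_EXPAND_SZ unexpanded so %SystemRoot% compares as written
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($value -is [array]) { $value = $value -join ',' }  # MULTI_SZ / BINARY
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $snap["$rel\$label"] = "${kind}: $value"
        }
    }
    return $snap
}

if ($Export) {
    Get-ServiceKeySnapshot $keyPath | Export-Clixml -Path $Baseline
    Write-Output "Baseline for $Service written to $Baseline"
    return
}

$good  = Import-Clixml -Path $Baseline
$bad   = Get-ServiceKeySnapshot $keyPath
$names = @($good.Keys) + @($bad.Keys) | Sort-Object -Unique

$diffs = 0
foreach ($n in $names) {
    if (-not $good.ContainsKey($n)) {
        Write-Output "ADDED    $n = $($bad[$n])"; $diffs++
    } elseif (-not $bad.ContainsKey($n)) {
        Write-Output "MISSING  $n  (baseline: $($good[$n]))"; $diffs++
    } elseif ($good[$n] -ne $bad[$n]) {
        Write-Output "CHANGED  $n"
        Write-Output "    good: $($good[$n])"
        Write-Output "    bad:  $($bad[$n])"; $diffs++
    }
}
Write-Output "$diffs difference(s) for $Service"
```

The values worth reading first in any CHANGED line are ImagePath (the -k argument names the svchost group; services in one group run inside one process, so a change to one service's ImagePath, ObjectName or RequiredPrivileges affects every service hosted alongside it), Start, Type, ServiceSidType and the Security subkey. Once the offending values are identified, the restore step the answer describes is a "reg export" of the clean key on the good host, a "reg import" on the failing host, and a reboot.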

All replies

  • Hi John,

    Thank you for your post.

    Please perform the steps below to troubleshoot:
    1. Clean boot your server to test
    2. Check if any IPsec settings or connection security rules are set on your server.
    3. Move the server to new OU, in GPMC, set GPO Block inheritance on this OU

    Perform a clean startup to determine whether background programs are interfering with your game or program

    You cannot reset the IPsec authentication method to Default in Windows Firewall with Advanced Security on Windows 7 or on Windows Server 2008 R2

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Friday, February 10, 2012 7:08 AM
    Moderator
  • Thanks for the reply Rick,

    1. Server has been rebooted (quite a few times now!). No joy.

    2. There are no, nor have there ever been any, IPsec settings or connection security rules.

    3. Test server has been moved to an OU to which no group policy applies (except the default domain policy). Still no joy.

    Any thoughts?

    Regards,

    John

    Friday, February 10, 2012 1:26 PM
  • Hi John,

    I have attempted a reset of the firewall (using the Restore Default Policy option)
    Use the command line "netsh advfirewall reset" to reset Windows firewall.

    For example all failing servers are in <subdomain>.<domain>.com whereas working servers are simply in <domain>.com.
    The failing servers are in the same subdomain; please verify the differences in the Default Domain Policy between the two domains.

    Test server has been moved to an OU to which no group policy applies (except the default domain policy). Still no joy.
    Please block all policies, including the Default Domain Policy, then run "gpupdate /force" to test. If necessary, test with a temporary server joined to the domain or subdomain.

    Regards


    Rick Tan

    TechNet Community Support


    Monday, February 13, 2012 6:36 AM
    Moderator
  • Hi Rick,

    Use the command line "netsh advfirewall reset" to reset Windows firewall.  Have done this.

    I have now moved the server into a test OU which has GP inheritance blocked and a test policy set up with firewall and WSUS configuration as the only policy settings. This still fails.

    I also now have a domain controller in the same domain which has been built from scratch. This is the only 2008 server which isn't exhibiting these failures. I can however identify no obvious configuration differences between the two.

    Any further ideas?

    Regards,

    John.

    Tuesday, February 14, 2012 12:55 PM
  • Hi John,

    It is strange that the firewall is still filtering things when the profiles are set to off. How did you turn off the profile? Would you please use this command instead: "netsh advfirewall set allprofiles state off"

    Best Regards,

    Steven Xiao



    Wednesday, February 15, 2012 10:07 AM
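The replies above ask for three things that can all be collected from one elevated prompt on Server 2008 R2: the actual profile state, any IPsec or connection security rules, and logging of dropped packets, with "netsh advfirewall set allprofiles state off" as the way to turn the profiles off. The script below is an added example written for this page, not code from the thread or from Microsoft. It wraps netsh advfirewall because the NetSecurity cmdlets do not exist on 2008 R2; the output folder C:\fwdiag and the -DisableAllProfiles switch are assumptions.

```powershell
# Added example (not from the thread): gather the firewall state the replies
# above ask about, on Server 2008 R2, from an elevated PowerShell prompt.
# The NetSecurity cmdlets do not exist on 2008 R2, so netsh advfirewall is
# wrapped instead. Output folder C:\fwdiag is an assumption.
param(
    [string]$OutDir = 'C:\fwdiag',
    [switch]$DisableAllProfiles   # also run the command suggested in the thread
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Netsh {
    param([string]$Name, [string]$NetshArgs)
    # cmd /c hands netsh its argument string exactly as typed
    $file = Join-Path $OutDir "$Name.txt"
    cmd /c "netsh advfirewall $NetshArgs" | Out-File -FilePath $file -Encoding ASCII
    Write-Output "== netsh advfirewall $NetshArgs  ->  $file"
    Get-Content -Path $file
}

# 1. Profile state. Each of the three profiles should print "State  OFF"
#    if the profiles were really turned off; the logging settings are shown too.
Save-Netsh 'profiles' 'show allprofiles'

# 2. Connection security (IPsec) rules as configured and as currently active,
#    plus negotiated main-mode / quick-mode SAs. Any output here contradicts
#    "no IPsec settings or connection security rules".
Save-Netsh 'consec-rules'  'consec show rule name=all'
Save-Netsh 'consec-active' 'monitor show consec'
Save-Netsh 'mmsa'          'monitor show mmsa'
Save-Netsh 'qmsa'          'monitor show qmsa'

# 3. Log dropped packets on all profiles so the drops show up in pfirewall.log
cmd /c 'netsh advfirewall set allprofiles logging droppedconnections enable' | Out-Null
cmd /c 'netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"' | Out-Null

# 4. The filtering services keep running even with every profile OFF:
#    MpsSvc (firewall), BFE (Base Filtering Engine), IKEEXT and PolicyAgent (IPsec).
#    Get-Service on PowerShell 2.0 has no StartType, so WMI is used instead.
Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc' OR Name='BFE' OR Name='IKEEXT' OR Name='PolicyAgent'" |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

if ($DisableAllProfiles) {
    cmd /c 'netsh advfirewall set allprofiles state off' | Out-Null
    Save-Netsh 'profiles-after' 'show allprofiles'
}
```

Setting the profiles to OFF through netsh changes policy only; MpsSvc and BFE stay running, which is why step 4 lists them. The thread's own finding, that stopping the firewall service cleared the symptoms while OFF profiles did not, is consistent with that distinction.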