IPsec Main Mode error in DC event log

  • Question

  • Hello

    Just implemented UAG with U2 and TMG SP1. I have issues with IPv4 connectivity to the internal resources. Every time I try to connect to an internal IPv4 address through UAG DA, the following error appears in the DC event log:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4.10.2010 15:52:40
    Event ID:      4653
    Task Category: IPsec Main Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      dc1.corp.contoso.com
    Description:
    An IPsec main mode negotiation failed.

    Local Endpoint:
     Local Principal Name: -
     Network Address: 2002:d4d5:d53b:8000:0:5efe:10.10.10.14
     Keying Module Port: 500

    Remote Endpoint:
     Principal Name:  -
     Network Address: 2002:d4d5:d53b::d4d5:d53b
     Keying Module Port: 500

    Additional Information:
     Keying Module Name: AuthIP
     Authentication Method: Unknown authentication
     Role:   Responder
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  edc1af3527e3883a
     Responder Cookie: 916ace749c6feb97
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4653</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12547</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2010-10-04T12:52:40.098029800Z" />
        <EventRecordID>14156431</EventRecordID>
        <Correlation />
        <Execution ProcessID="496" ThreadID="2348" />
        <Channel>Security</Channel>
        <Computer>dc1.corp.contoso.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LocalMMPrincipalName">-</Data>
        <Data Name="RemoteMMPrincipalName">-</Data>
        <Data Name="LocalAddress">2002:d4d5:d53b:8000:0:5efe:10.10.10.14</Data>
        <Data Name="LocalKeyModPort">500</Data>
        <Data Name="RemoteAddress">2002:d4d5:d53b::d4d5:d53b</Data>
        <Data Name="RemoteKeyModPort">500</Data>
        <Data Name="KeyModName">%%8223</Data>
        <Data Name="FailurePoint">%%8199</Data>
        <Data Name="FailureReason">No policy configured
    </Data>
        <Data Name="MMAuthMethod">%%8194</Data>
        <Data Name="State">%%8201</Data>
        <Data Name="Role">%%8206</Data>
        <Data Name="MMImpersonationState">%%8217</Data>
        <Data Name="MMFilterID">0</Data>
        <Data Name="InitiatorCookie">edc1af3527e3883a</Data>
        <Data Name="ResponderCookie">916ace749c6feb97</Data>
      </EventData>
    </Event>

    Monday, October 4, 2010 1:02 PM
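As an added triage aid (not part of the thread), the script below parses the Event Xml quoted in the post and decodes the two transition addresses: the local endpoint is the DC's ISATAP address (embedded IPv4 10.10.10.14) and the remote endpoint is the 6to4 router address derived from the public IPv4 212.213.213.59, which is the address form a UAG/DirectAccess server gets from its external interface. The 6to4 (RFC 3056) and ISATAP (RFC 5214) layouts are standard; the `%%8206` to `Responder` mapping is taken from the rendered event text above and nothing else is assumed.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ROLE = {"%%8206": "Responder"}        # only the message id the post's rendered text resolves

def describe_address(addr: str) -> str:
    """Name the IPv4 address(es) embedded in a 6to4 (RFC 3056) or ISATAP (RFC 5214) address."""
    raw = ipaddress.IPv6Address(addr).packed
    parts = []
    if raw[:2] == b"\x20\x02":                                   # 2002:WWXX:YYZZ::/48
        parts.append(f"6to4 prefix from {ipaddress.IPv4Address(raw[2:6])}")
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):  # ::0:5efe:w.x.y.z / ::200:5efe:w.x.y.z
        parts.append(f"ISATAP host {ipaddress.IPv4Address(raw[12:16])}")
    elif parts and raw[6:12] == bytes(6) and raw[12:16] == raw[2:6]:
        parts.append("6to4 router address (interface id repeats the IPv4)")
    return "; ".join(parts) or "native IPv6"

# Trimmed copy of the Event Xml quoted in the post (constructed sample input).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4653</EventID><Computer>dc1.corp.contoso.com</Computer></System>
  <EventData>
    <Data Name="LocalAddress">2002:d4d5:d53b:8000:0:5efe:10.10.10.14</Data>
    <Data Name="RemoteAddress">2002:d4d5:d53b::d4d5:d53b</Data>
    <Data Name="KeyModName">%%8223</Data>
    <Data Name="FailureReason">No policy configured
</Data>
    <Data Name="Role">%%8206</Data>
  </EventData>
</Event>"""

def triage_4653(xml_text: str) -> dict:
    """Extract the fields that matter for triaging an IPsec main mode failure (event 4653)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "event_id": root.findtext("e:System/e:EventID", namespaces=NS),
        "local": f'{data["LocalAddress"]} = {describe_address(data["LocalAddress"])}',
        "remote": f'{data["RemoteAddress"]} = {describe_address(data["RemoteAddress"])}',
        "role": ROLE.get(data["Role"], data["Role"]),
        "reason": data["FailureReason"],
        # The DC, acting as Responder, dropped the peer's AuthIP main mode attempt because
        # no matching IPsec policy exists on the DC itself (Failure Point: Local computer).
        "peer_without_policy": ROLE.get(data["Role"]) == "Responder"
                               and data["FailureReason"] == "No policy configured",
    }

if __name__ == "__main__":
    for key, value in triage_4653(SAMPLE_EVENT_XML).items():
        print(f"{key:>20}: {value}")
```

Running it over a saved 4653 event shows at a glance which IPv4 hosts sit behind the transition addresses, which is the first thing to check when a DC that should not be an IPsec peer starts logging main mode failures.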

Answers

  • Are you trying to connect to the DA clients from the DC?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Monday, October 25, 2010 9:36 PM
    Thursday, October 7, 2010 4:03 PM

All replies

  • Hi Jark,

    Did you restart the UAG server after installing the updates?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, October 4, 2010 1:26 PM
  • UAG box restarted several times. I also tried to reapply DA policies from UAG. Internal resources with IPv6 (ISATAP) work through DA, but IPv4 resources do not. Our DC is also DNS and the firewall is on.

    I have already read these posts:
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/6c2b72a1-bda2-47fc-8f78-8d79dc1ce2ca
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/622e5230-4cd8-40fe-a2e8-fcd009e9ad8a

    Regards

    Jarkko

    Tuesday, October 5, 2010 5:44 AM
  • Hi Jarkko,

    What's odd is that you're seeing these on the DC. Are you using end-to-end security?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, October 5, 2010 12:40 PM
  • I am not using end-to-end security.

    -Jarkko-

    Wednesday, October 6, 2010 7:45 PM