IPSec causes dropped shares?

    General discussion

  • We have two 2008 R2 file servers and (mostly) XP clients. Random clients sporadically drop mapped connections to 2 file servers, and access to the server is not restored with log off/log on, but requires a client reboot.

    This produces a Security log entry on both the client and server. Below is an example from the server.

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 10/12/2011 11:37:56 PM
    Event ID: 4654
    Task Category: IPsec Quick Mode
    Level: Information
    Keywords: Audit Failure
    User: N/A

    An IPsec quick mode negotiation failed.

    Local Endpoint:
        Network Address:
        Network Address mask:
        Port: 0
        Tunnel Endpoint: -

    Remote Endpoint:
        Network Address:
        Address Mask:
        Port: 0
        Tunnel Endpoint: -
        Private Address:

    Additional Information:
        Protocol: 6
        Keying Module Name: IKEv1
        Virtual Interface Tunnel ID: 0
        Traffic Selector ID: 0
        Mode: Transport
        Role: Responder
        Quick Mode Filter ID: 70928
        Main Mode SA ID: 380657

    Failure Information:
        State: Sent first (SA) payload
        Message ID: 1833354141
        Failure Point: Local computer
        Failure Reason: Cannot create a file when that file already exists.

    I haven't been able to find any mention of this online. Any ideas?


    Bob Muzzy SA IT, UC Berkeley
    Wednesday, October 26, 2011 12:04 AM
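
To look for a common denominator across many of these failures, the 4654 message bodies can be parsed and tallied. The Python below is an added example, not part of the original thread or any Microsoft tool; the function names and the sample addresses (documentation IPs) are assumptions, and the section names are taken from the event text in the post above.

```python
from collections import Counter

# Section headers of the event 4654 message, as shown in the post above.
SECTIONS = {"Local Endpoint", "Remote Endpoint",
            "Additional Information", "Failure Information"}

def parse_4654(message):
    """Parse one message body into {section: {field: value or None}}."""
    event, section = {}, None
    for raw in message.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # blank line or the summary sentence
        key, value = key.strip(), value.strip()
        if key in SECTIONS and not value:
            section = event.setdefault(key, {})
        elif section is not None:
            section[key] = value or None  # empty/redacted fields become None
    return event

def triage(messages):
    """Count failures per (remote address, role, state, point, reason)."""
    tally = Counter()
    for msg in messages:
        ev = parse_4654(msg)
        info = ev.get("Additional Information", {})
        fail = ev.get("Failure Information", {})
        remote = ev.get("Remote Endpoint", {}).get("Network Address")
        tally[(remote, info.get("Role"), fail.get("State"),
               fail.get("Failure Point"), fail.get("Failure Reason"))] += 1
    return tally

# Constructed sample: layout from the post, addresses are documentation IPs.
TEMPLATE = """An IPsec quick mode negotiation failed.
Local Endpoint:
Network Address: 192.0.2.10
Remote Endpoint:
Network Address: {remote}
Additional Information:
Role: Responder
Failure Information:
State: Sent first (SA) payload
Failure Point: Local computer
Failure Reason: Cannot create a file when that file already exists.
"""
SAMPLE = [TEMPLATE.format(remote=r) for r in ("192.0.2.21", "192.0.2.21", "")]

if __name__ == "__main__":
    print(*triage(SAMPLE).most_common(), sep="\n")
```

Because the parser keys on the known section headers rather than indentation, it also handles event text whose indentation was lost when it was pasted, and it keeps events with blank address fields instead of dropping them.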

All replies

  • Hi Bob,


    Thanks for posting here.


    Have you ever set any IPsec policy or filter on either side? If yes, how, and what did we set? Any idea?

    What was the error prompt when the connection was dropped? Can we still reach these servers by using other methods and protocols, like pinging IP addresses from clients? And will other hosts also be affected?

    I’d suggest first installing the latest service pack and hotfixes on both the server and XP clients.




    Tiger Li

    Thursday, October 27, 2011 5:49 AM
  • We set a policy in the Windows firewall on each server (vs. via GPO) to request inbound & outbound IPSec, using Kerberos then our domain certs.

    The only error popups are from whatever application, e.g., Thunderbird, had a connection to that server.

    I *believe* the server that drops can still be pinged.  I've asked a desktop guy to verify this.

    We've only seen this on the 2 2008 R2 file servers here. 

    All servers and clients are patched monthly.




    Bob Muzzy SA IT, UC Berkeley
    Wednesday, November 02, 2011 12:39 AM
  • We have this exact same issue, did you ever find a resolution?
    Tuesday, March 06, 2012 8:24 PM
  • No, we opened a ticket with MS support and they sent us a tool to capture data related to IPSec.  I sent them some logs but haven't heard back from them yet.  I need to re-contact them...

    Bob Muzzy SA IT, UC Berkeley

    Thursday, March 08, 2012 8:05 PM
  • I have found that if I restart the IPSec service or do a gpupdate /force it resolves the problem for a while so we don't have to reboot all the time. This is only an issue with Windows XP for us as our Windows 7 machines don't have the problem. If you do find a solution, I'd love to hear it. We are just dealing with it for the time being because we have Windows 7 upgrades coming in the near future and it is only affecting a small group of people (haven't found the common denominator yet).

    Wednesday, March 14, 2012 4:13 PM
  • SuperJosh1 & blmuzzy - any further information on this? I just ran into the same behavior. 
    Thursday, May 23, 2013 4:22 PM