IPSEC not working


Guest

I have set up one of my servers with the Server (Request Security) IPsec
policy. Any clients and servers (members of the same domain) which had the
Client (Respond Only) policy activated used to communicate successfully with
this server, and any communication was shown correctly in ipsecmon.

However, as of yesterday I started having problems with clients communicating
with this server. I have enabled Object Access Auditing on the server and am
receiving event ID 547 in my security event log:

The failure reason is either "IKE SA deleted before establishment completed"
or "No response from peer". The failure point is always "Me".

If I try to ping the server from any machine which has the Client (Respond
Only) policy enabled, I get a "Request Timed Out". The Server (Request Security)
policy has not been modified, and hence all ICMP traffic should be permitted.

I am still receiving successful event IDs (541, 542 and 543) along with these
error messages. I am not sure if this is normal behaviour or not.

Any help is appreciated.

Stephen Cartwright [MSFT]

Sounds like you have a basic connectivity issue with your server. IKE is
timing out and ping is failing. You said all was working until yesterday and
nothing has changed on your policies [or become invalid?].
Stop policyagent on the server and one client and establish that the server
is ping-contactable before launching into IPsec/AD/DNS troubleshooting, as it
does not appear to be an IPsec issue on first reading.

Guest

First of all thanks for your reply!

I can confirm that nothing has changed. If I disable the IPsec policies I can
ping the server without any problems.

What I cannot explain is that when the policies are enabled, ipsecmon tells
me that the connection is being secured by "ESP Triple DES HMAC SHA1", but
still I am receiving a "request timed out" when pinging the server from a
client which has "Client (Respond Only)" enabled.

The Server (Request Security) policy is configured to permit "All ICMP Traffic".

Regards
Ludwig


David Beder [MSFT]

Server and Client policies aren't completely compatible when it comes to ICMP.
If for any reason the client sends non-ICMP traffic to the server, the
server will initiate IPsec with the client. The client will accept this
requirement and will attempt to accept and transmit ALL traffic to the
server with IPsec. At this point the ICMP traffic will be sent to the server
over IPsec, and the server will not accept it because ICMP is required to
come in the clear. On the flip side, the clear ICMP traffic sent from the
server to the client will be dropped by the client because all traffic from
the server must be IPsec-protected.

Since ipsecmon says you have an active IPsec connection, the failure point
would seem to be at the app level, quite possibly in the arena of ICMP (e.g.
some applications assume that if ping doesn't work, connectivity does not
exist, so they fail). Try adding a new rule to your client policy which permits
ICMP.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.

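The concrete form of David's suggestion, as an added example that is not part of the thread and not Microsoft's own script: the commands below, typed on a client, give the Client (Respond Only) policy an ICMP permit rule that mirrors the "All ICMP Traffic" permit rule the Server (Request Security) policy already carries, then show how to check the result. It assumes the netsh ipsec static context (Windows Server 2003 era; on Windows 2000, where ipsecmon lives, the same rule is built in the IP Security Policy Management snap-in). The filter list, filter action and rule names and the server address 192.0.2.10 are placeholders chosen here, not values from the thread.

```batch
@echo off
rem Added example, not from the thread. Gives the Client (Respond Only)
rem policy an explicit "permit ICMP in the clear" rule, matching the one the
rem Server (Request Security) policy already has.
rem Assumes: netsh ipsec static (Windows Server 2003 era). All names below
rem and the server address are placeholders; substitute your own.

set SERVER=192.0.2.10

rem 1. Filter list: ICMP between this host and anyone. "mirrored=yes" makes
rem    the inbound echo reply match as well as the outbound request.
netsh ipsec static add filterlist name="Permit ICMP (client)" description="All ICMP, both directions, in the clear"
netsh ipsec static add filter filterlist="Permit ICMP (client)" srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes

rem 2. Filter action that permits the traffic without negotiating IPsec.
netsh ipsec static add filteraction name="Permit in the clear" action=permit

rem 3. Rule binding list and action into the client policy. The policy name
rem    must match exactly; a typo creates nothing and prints an error.
netsh ipsec static add rule name="Permit ICMP" policy="Client (Respond Only)" filterlist="Permit ICMP (client)" filteraction="Permit in the clear" description="ICMP exempt from IPsec, as on the server"

rem 4. Re-assign so the Policy Agent reloads the edited policy. If the policy
rem    is assigned through a domain GPO, make the change in the GPO instead:
rem    the domain assignment overrides a local one at the next refresh.
netsh ipsec static set policy name="Client (Respond Only)" assign=y

rem 5. Verify: the new rule is listed under the policy, and a ping completes
rem    without any IKE negotiation (no new 541/547 events) being logged.
netsh ipsec static show policy name="Client (Respond Only)" level=verbose
ping -n 4 %SERVER%
```

Two points worth knowing before running it. Windows IPsec applies the most specific matching filter, so the ICMP-only permit takes precedence over the "all IP traffic" negotiate filter on both hosts; that is why the server's own ICMP rule works and why the client needs a matching one. The trade-off is the same one the built-in server policy already makes: ICMP between the two hosts is then neither authenticated nor encrypted.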

Guest

Thanks for your reply.

I have added Permit ALL ICMP Traffic on the client as well, but to no avail.


Stephen Cartwright [MSFT]

The fact that all was well and suddenly stopped working is what is puzzling;
it suggests something must have timed out and become invalid.
The following article might help, as it details what you are trying to do. If
this is successful then the default policy you are using is no longer valid:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313195

For the default policy, can you troubleshoot with PSK as the auth method
first and see if that works?
I have asked my IPsec colleagues if they can assist further.

--
Stephen Cartwright [MSFT]

"This posting is provided "AS IS" with no warranties, and confers no
rights."

 
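Stephen's suggestion to try a preshared key before digging further into the default policy, as an added example that is not part of the thread and not Microsoft's own script. Rather than editing the built-in Server (Request Security) policy, it builds a throwaway policy with the same shape (ICMP permitted, everything else requesting ESP with fallback to clear) but authenticated with a PSK, so the Kerberos-based default is left untouched and can be put back by re-assigning it. It assumes netsh ipsec static (Windows Server 2003 era); the policy, filter list, filter action and rule names, the key, and the peer address 192.0.2.10 are placeholders chosen here. Run it on the server and on one client so both sides hold the same key.

```batch
@echo off
rem Added example, not from the thread: a temporary "request security"
rem policy authenticated with a preshared key instead of Kerberos, used to
rem isolate whether the failing piece is the authentication method.
rem Assumes netsh ipsec static; all names, the key and the address below are
rem placeholders. Run on the server AND on one client with the SAME key.

set PSK=test-only-change-me
set PEER=192.0.2.10

rem The default response rule is switched off so that only the PSK rule
rem below can answer an IKE request; a Kerberos default rule would muddy
rem the test.
netsh ipsec static add policy name="PSK test (request security)" description="Temporary troubleshooting policy" activatedefaultrule=no

rem ICMP stays in the clear, exactly as in the built-in server policy.
netsh ipsec static add filterlist name="PSK test - ICMP"
netsh ipsec static add filter filterlist="PSK test - ICMP" srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes
netsh ipsec static add filteraction name="PSK test - permit" action=permit
netsh ipsec static add rule name="Permit ICMP" policy="PSK test (request security)" filterlist="PSK test - ICMP" filteraction="PSK test - permit"

rem All other IP traffic: request ESP 3DES/SHA1, accept unsecured inbound
rem (inpass) and fall back to clear if the peer never answers IKE (soft),
rem which is what "Request Security" means. Authentication is the PSK only.
netsh ipsec static add filterlist name="PSK test - all IP"
netsh ipsec static add filter filterlist="PSK test - all IP" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="PSK test - request" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"
netsh ipsec static add rule name="Request security (PSK)" policy="PSK test (request security)" filterlist="PSK test - all IP" filteraction="PSK test - request" kerberos=no psk="%PSK%"

rem Assigning this policy un-assigns whichever one was active. Note the
rem current assignment first (netsh ipsec static show policy all) so it can
rem be restored afterwards with "set policy name=... assign=y".
netsh ipsec static set policy name="PSK test (request security)" assign=y

rem Check from either side once both hold the policy: ping must answer, a
rem main-mode SA to the peer should be listed, and with auditing on the log
rem should show 541 (SA established) rather than 547 for this peer.
ping -n 4 %PEER%
netsh ipsec dynamic show mmsas all
```

How to read the result: if IKE now completes with the PSK where it failed with Kerberos, the filters and the ESP proposal are fine and the suspect is the Kerberos side of the machine accounts (clock skew beyond the Kerberos tolerance, or a broken secure channel to the domain), which matches Stephen's "timed out and become invalid" reading. If it still fails with the same 547 reason, the problem is below IPsec authentication altogether. Either way the PSK policy is for troubleshooting only: the key is stored in the policy store in clear text and is readable by anyone who can read that store, so un-assign it and return to the Kerberos (or certificate) based policy once the test is done.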