New connections not allowed into existing IPSec security associati

Guest

Win2k Citrix farm using MetaframeXP hosting the business application.
TN3270e connections between each user session at the server and mainframe
protected with IPSec (all ports between the devices). Scenario is as follows:

Normal ops. Multiple users logged into the application on each server.
Security Association (SA) establishes with the first user connection to
mainframe. Subsequent user sessions use the established SA. Working well.

Help desk gets a report of a user receiving an error during application
login that describes a problem at the network layer. Citrix client connects
to the server and brings up the application, no problem. The error comes
from the application and indicates a timeout waiting for the socket to
complete that would connect the TN3270e session to the mainframe.

Attempting to ping from the user's server to the mainframe times out. SA is
in place, netstat -n shows current connections, current users see no problem
with connectivity.

Toggling the IPSec Policy assign/un-assign in the management console clears
the problem without affecting existing connections.

Problem has appeared on several different servers.

Looking for clues, suggestions for isolating further, etc. Thanks in advance.
 
For clues, try turning on Oakley logging.


http://support.microsoft.com/default.aspx?scid=kb;en-us;257225

Louise Bowman
MSFT

--
This posting is provided "AS IS" with no warranties, and confers no rights.
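As an added example (not part of the original thread, and not Microsoft's own script), here is the Oakley logging step from the reply written up as a Windows 2000 batch file, together with a snapshot of the state the poster describes so it can be compared between a failing server and a healthy one. The registry key, service name and log location are the ones documented in KB 257225; the mainframe address, the output directory and the presence of reg.exe and netdiag.exe from the Windows 2000 Support Tools are assumptions for the example.

```batch
@echo off
REM Added example, not from the original thread: enable Oakley (IKE) logging
REM on a Windows 2000 server per KB 257225, restart the IPSEC Policy Agent so
REM the setting takes effect, then capture the state to compare a failing
REM server against a working one. Run from an administrative command prompt.
REM Assumes reg.exe and netdiag.exe (Windows 2000 Support Tools) are on the PATH.

setlocal
set OAKLEY_KEY=HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
REM Hypothetical mainframe address and output directory; change for your site.
set MAINFRAME=10.0.0.1
set OUTDIR=%SystemDrive%\ipsec-diag
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM 1. Turn on Oakley logging. The log is written to %SystemRoot%\Debug\Oakley.log.
reg add %OAKLEY_KEY% /v EnableLogging /t REG_DWORD /d 1 /f

REM 2. The setting takes effect when the Policy Agent restarts. Restarting it
REM    tears down the current SAs and renegotiates them, so do this in a quiet
REM    window, then leave logging on and wait for the symptom to recur.
net stop PolicyAgent
net start PolicyAgent

REM 3. When a user reports the timeout, snapshot the server BEFORE toggling the
REM    policy assignment, so the evidence is not cleared along with the symptom.
echo ===== %DATE% %TIME% =====            >  "%OUTDIR%\snapshot.txt"
echo --- ping to mainframe (new traffic) --- >> "%OUTDIR%\snapshot.txt"
ping -n 4 %MAINFRAME%                     >> "%OUTDIR%\snapshot.txt"
echo --- established sockets (old traffic) --- >> "%OUTDIR%\snapshot.txt"
netstat -an | find "%MAINFRAME%"          >> "%OUTDIR%\snapshot.txt"
echo --- IPSec policy and SA state ---      >> "%OUTDIR%\snapshot.txt"
netdiag /test:ipsec /v                    >> "%OUTDIR%\snapshot.txt"

REM 4. Keep the IKE log from the time of failure alongside the snapshot.
copy /y "%SystemRoot%\Debug\Oakley.log" "%OUTDIR%\oakley.log"

echo Collected to %OUTDIR%. Toggle the policy now if you need service restored.
endlocal
```

Run step 3 on the affected server and on a healthy server in the farm at about the same time. The useful comparison is whether, at the moment the new TN3270e socket fails, Oakley.log on the failing server shows a fresh negotiation being attempted for the mainframe address and how it ends, or nothing at all even though netdiag still lists the SA; the existing sessions keep working because their traffic already matches the established SA, so their health tells you little about new connections. The IP Security Monitor (ipsecmon.exe) on Windows 2000 shows the same SA table interactively if you prefer to watch it live.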
 