Archived from groups: microsoft.public.win2000.security
The fact that all was well and suddenly stopped working is what is puzzling;
it suggests something must have timed out and become invalid.
The following article might help as it details what you are trying to do. If
this is successful then the default policy you are using is no longer valid:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313195
For the default policy, can you troubleshoot with PSK as the auth method
first and see if that works?
I have asked my IPsec colleagues if they can assist further.
--
Stephen Cartwright [MSFT]
"This posting is provided "AS IS" with no warranties, and confers no
rights."
"Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in message
news:8F481249-8AA3-456B-99F5-AF9AD09A4E78@microsoft.com...
> Thanks for your reply.
>
> I have added Permit ALL ICMP Traffic on client as well but to no avail.
>
>
> "David Beder [MSFT]" wrote:
>
>> Server and Client policies aren't completely compatible when it comes to
>> ICMP.
>> If for any reason the client sends non-ICMP traffic to the server, the
>> server will initiate IPsec with the client. The client will accept this
>> requirement and will attempt to accept and transmit ALL traffic to the
>> server with IPsec. At this point the ICMP traffic will be sent to the
>> server over IPsec and the server will not accept it because ICMP is
>> required to come in the clear. On the flip side, the clear ICMP traffic
>> sent from the server to the client will be dropped by the client because
>> all traffic from the server must be IPsec protected.
>>
>> Since ipsecmon says you have an active IPsec connection, the failure point
>> would seem to be at the app level, quite possibly in the arena of ICMP
>> (e.g. some applications assume that if ping doesn't work, connectivity
>> does not exist, so fail). Try adding a new rule to your client policy
>> which permits ICMP.
>>
>> --
>> David
>> Microsoft Windows Networking
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in message
>> news:61683B3E-0C90-41CA-B97A-DE013DAF57AD@microsoft.com...
>> > First of all thanks for your reply!
>> >
>> > I can confirm that nothing has changed. If I disable IPSec Policies I
>> > can ping the server without any problems.
>> >
>> > What I cannot explain is that when the policies are enabled, ipsecmon
>> > tells me that the connection is being secured by "ESP Triple DES HMAC
>> > SHA1" but still I am receiving a "request timed out" when pinging the
>> > server from a client which has "Client (Respond Only)" enabled.
>> >
>> > The Server (Request Security) policy is configured to permit "All ICMP
>> > Traffic".
>> >
>> > Regards
>> > Ludwig
>> >
>> > "Stephen Cartwright [MSFT]" wrote:
>> >
>> >> Sounds like you have a basic connectivity issue with your server. IKE
>> >> is timing out and ping is failing. You said all was working until
>> >> yesterday and nothing has changed on your policies [or become invalid?].
>> >> Stop policyagent on the server and one client and establish that the
>> >> server is ping contactable before launching on IPsec/AD/DNS
>> >> troubleshooting as it does not appear to be an IPsec issue on first
>> >> reading.
>> >>
>> >> --
>> >> Stephen Cartwright [MSFT]
>> >>
>> >> "This posting is provided "AS IS" with no warranties, and confers no
>> >> rights."
>> >>
>> >> "Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in
>> >> message news:1FD7D43B-0DB6-46B6-BEB2-D764510B62E4@microsoft.com...
>> >> > I have set up one of my servers with the Server (Request Security)
>> >> > IPSEC policy. Any clients and servers (members of the same domain)
>> >> > which had the Client (Respond Only) policy activated used to
>> >> > communicate successfully with this server and any communication was
>> >> > shown correctly in ipsecmon.
>> >> >
>> >> > However, as of yesterday I started having problems with clients
>> >> > communicating with this server. I have enabled Object Access Auditing
>> >> > on the server and am receiving event ID 547 in my security event log:
>> >> >
>> >> > The failure reason is either "IKE SA deleted before establishment
>> >> > completed" or "No response from peer". The failure point is always
>> >> > "Me".
>> >> >
>> >> > If I try to ping the server from any machine which has the Client
>> >> > (Respond Only) policy enabled I get a "Request Timed Out". The Server
>> >> > (Request Security) policy has not been modified and hence all ICMP
>> >> > traffic should be permitted.
>> >> >
>> >> > I am still receiving successful event IDs (541, 542 and 543) along
>> >> > with these error messages. I am not sure if this is normal behaviour
>> >> > or not.
>> >> >
>> >> > Any help is appreciated.
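As an added illustration of the ICMP mismatch David Beder describes in the thread above (this is not code from the thread, from Microsoft, or from any of the posters), the following Python model walks a ping through the two default policies before and after an IPsec SA exists between the hosts, and then again once the client policy carries the "Permit ALL ICMP Traffic" rule he suggests. The host objects, rule names, filter-action strings and the simplified first-match semantics are constructed assumptions that follow the thread's description, not the behaviour of the real Windows 2000 IPsec driver; the model covers only the policy mismatch, not the IKE timeout that Stephen Cartwright is pursuing separately.

```python
"""Toy model of Windows 2000 IPsec filter actions (constructed for this
example; it follows the thread's explanation, not the real driver)."""
from dataclasses import dataclass
from typing import List, Optional

# Filter actions as the thread uses them (constructed labels).
PERMIT = "permit"                    # pass in the clear, never negotiate
REQUEST_SECURITY = "request"         # negotiate; fall back to clear if the peer cannot
REQUIRE_SECURITY = "require"         # only IPsec-protected traffic is accepted
DEFAULT_RESPONSE = "default-response"  # Client (Respond Only): negotiate when asked


@dataclass
class Rule:
    name: str
    protocol: Optional[str]   # "icmp", "tcp", ... or None for any protocol
    action: str


@dataclass
class Host:
    name: str
    rules: List[Rule]
    sa_established: bool = False   # set once IKE completed with the peer

    def match(self, protocol: str) -> Rule:
        # First matching rule wins; the thread's policies list ICMP before "All IP".
        for r in self.rules:
            if r.protocol is None or r.protocol == protocol:
                return r
        raise LookupError(f"no rule for {protocol}")

    def send(self, protocol: str) -> str:
        """Return 'clear' or 'esp' for outbound traffic to the peer."""
        rule = self.match(protocol)
        if rule.action == PERMIT:
            return "clear"
        # Per the thread: once an SA exists, everything not explicitly
        # permitted goes to that peer over IPsec.
        return "esp" if self.sa_established else "clear"

    def accept(self, protocol: str, wire: str) -> bool:
        """Does this host accept inbound traffic that arrived as 'clear' or 'esp'?"""
        rule = self.match(protocol)
        if rule.action == PERMIT:
            return wire == "clear"   # "icmp is required to come in the clear"
        if rule.action in (REQUIRE_SECURITY, DEFAULT_RESPONSE) and self.sa_established:
            return wire == "esp"     # clear traffic from a secured peer is dropped
        if rule.action == REQUIRE_SECURITY:
            return False             # no SA yet and clear is not allowed
        return True                  # request / respond-only before negotiation


def server_request_security() -> Host:
    """The thread's 'Server (Request Security)' policy as a rule list."""
    return Host("server", [
        Rule("All ICMP Traffic", "icmp", PERMIT),
        Rule("All IP Traffic", None, REQUEST_SECURITY),
    ])


def client_respond_only(permit_icmp: bool = False) -> Host:
    """'Client (Respond Only)', optionally with David's suggested ICMP rule."""
    rules = [Rule("Default Response", None, DEFAULT_RESPONSE)]
    if permit_icmp:
        rules.insert(0, Rule("Permit ALL ICMP Traffic", "icmp", PERMIT))
    return Host("client", rules)


def negotiate(a: Host, b: Host) -> None:
    """Non-ICMP traffic hit the server's 'All IP Traffic' rule, IKE ran,
    and both ends now hold an SA."""
    a.sa_established = b.sa_established = True


def ping(src: Host, dst: Host) -> dict:
    """Evaluate both legs of an ICMP echo independently so that each drop
    point the thread names is visible, even though a real reply would not
    be generated if the request was already dropped."""
    req_wire = src.send("icmp")
    req_ok = dst.accept("icmp", req_wire)
    rep_wire = dst.send("icmp")
    rep_ok = src.accept("icmp", rep_wire)
    return {
        "ok": req_ok and rep_ok,
        "request": (req_wire, "accepted" if req_ok else f"dropped by {dst.name}"),
        "reply": (rep_wire, "accepted" if rep_ok else f"dropped by {src.name}"),
    }


if __name__ == "__main__":
    server, client = server_request_security(), client_respond_only()
    print("before SA:", ping(client, server))
    negotiate(client, server)
    print("after SA: ", ping(client, server))   # both legs dropped
    server, client = server_request_security(), client_respond_only(permit_icmp=True)
    negotiate(client, server)
    print("with ICMP permit on client:", ping(client, server))
```

Running the block shows the three states the thread discusses: ping succeeds before any SA, fails in both directions once the server has negotiated IPsec (the request arrives over ESP at a host that permits ICMP only in the clear, the clear reply arrives at a host that now expects ESP), and succeeds again when the client policy carries its own ICMP permit rule ahead of the default response rule.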