Ipsec connection problem - Network



Thread: Ipsec connection problem

  1. Ipsec connection problem

    Wondering if anyone has seen this. I have a server on my internal network
    that I am doing disk to disk backups using robocopy overnight with a
    scheduled task. Ipsec policy is set to use esp, with AD authentication. When
    the job starts, 9 pm, the first three or four jobs work fine, then the
    server starts losing its connection and can't copy anything else. If I ping
    it from one of the DC's it starts working again.
    It looks like the ipsec policy is working from the start, but after a while
    it can't contact the DC to authenticate the other servers until the DC sends
    something to it. I've been through the policies on both sides, can't find
    anything wrong. The server is Win2k3, Windows 2000 functional domain. I'm
    not seeing anything in the event log, the only thing I see is when I try to
    log on to the server it sometimes says the domain is not available.
    Any help appreciated.
    --
    Bob Grabbe
    bgrabbe@umich.edu



  2. Re: Ipsec connection problem

    Kind of sounds like you have a DNS problem (inability to consistently locate
    a DC for the necessary authentication, and IPsec failures may just be a
    victim of that problem.)

    In any case, if you have 'Audit Logon Events' Success and Failure auditing
    enabled you should see 547 failure events in the Security log if there is an
    IPsec negotiation failure. You'll also see additional traffic for IPsec
    MM/QM creations in the form of 541 and 542 events as well.

    From there you can refer to the Chapter 7 IPsec troubleshooting guide from
    the domain isolation doc for detailed information on each of the events and
    suggestions for correcting them. If that doesn't provide enough information
    you should look into enabling the oakley.log file for even more detailed
    information.

    Lastly, all this is assuming that you are not using IPsec to secure the
    traffic between the client and the DC since that is an unsupported
    configuration and prone to many problems. e.g. the DC's IP address should
    be permitted in the policy.

    http://www.microsoft.com/technet/sec.../IPsecch7.mspx

    jason


    "Bob Grabbe" wrote in message
    news:%23%23FS%23vbmFHA.420@TK2MSFTNGP09.phx.gbl...
    > Wondering if anyone has seen this. I have a server on my internal network
    > that I am doing disk to disk backups using robocopy overnight with a
    > scheduled task. Ipsec policy is set to use esp, with AD authentication.
    > When the job starts, 9 pm, the first three or four jobs work fine, then
    > the server starts losing its connection and can't copy anything else. If
    > I ping it from one of the DC's it starts working again.
    > It looks like the ipsec policy is working from the start, but after a
    > while it can't contact the DC to authenticate the other servers until the
    > DC sends something to it. I've been through the policies on both sides,
    > can't find anything wrong. The server is Win2k3, windows 2000 functional
    > domain. I'm not seeing anything in the event log, the only thing I see is
    > when I try to log on to the server it sometimes says the domain is not
    > available.
    > Any help appreciated.
    > --
    > Bob Grabbe
    > bgrabbe@umich.edu
    >
    >
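The reply above points at Security log events 541/542 (IPsec MM/QM SA creations) and 547 (IKE negotiation failures) as the place to look, and at the pattern in the original post where negotiations work for the first few jobs and then fail. The script below is an added example, not code from this thread or from Microsoft: it parses a CSV export of those events, counts creations versus failures, groups 547 failure reasons by IKE peer, finds the first failure that follows a working period, and maps each reason to the check the reply suggests. The log lines are constructed for illustration, and the reading of 541/542 as MM/QM creations follows the reply rather than a vendor reference.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs as the reply describes them for the Windows 2003 Security log
# (assumption: 541/542 read as MM/QM SA creations, 547 as negotiation failure).
MM_QM_CREATED = {541, 542}
NEGOTIATION_FAILED = 547

# Constructed sample export, not a real log. Columns imitate a CSV export of
# the Security log: timestamp, event id, IKE peer address, message text.
SAMPLE_LOG = """\
time,event_id,peer,message
2005-08-01 21:00:02,541,10.1.1.20,IKE security association established (main mode)
2005-08-01 21:00:02,542,10.1.1.20,IKE security association established (quick mode)
2005-08-01 21:10:15,541,10.1.1.21,IKE security association established (main mode)
2005-08-01 21:10:15,542,10.1.1.21,IKE security association established (quick mode)
2005-08-01 21:25:40,547,10.1.1.22,IKE security association negotiation failed. Failure reason: No response from peer
2005-08-01 21:25:55,547,10.1.1.22,IKE security association negotiation failed. Failure reason: No response from peer
2005-08-01 21:26:10,547,10.1.1.23,IKE security association negotiation failed. Failure reason: Kerberos authentication failed
"""


def parse_events(text):
    """Parse the CSV export into dicts with an integer event id."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": row["time"],
            "event_id": int(row["event_id"]),
            "peer": row["peer"],
            "message": row["message"],
        })
    return events


def failure_reason(message):
    """Pull the 'Failure reason:' text out of a 547 message, or 'unknown'."""
    marker = "Failure reason:"
    if marker not in message:
        return "unknown"
    return message.split(marker, 1)[1].strip()


def summarize(events):
    """Count SA creations and negotiation failures; group failure reasons by peer."""
    counts = Counter(e["event_id"] for e in events)
    failures_by_peer = defaultdict(list)
    for e in events:
        if e["event_id"] == NEGOTIATION_FAILED:
            failures_by_peer[e["peer"]].append(failure_reason(e["message"]))
    return {
        "sa_created": sum(counts[i] for i in MM_QM_CREATED),
        "failures": counts[NEGOTIATION_FAILED],
        "failures_by_peer": dict(failures_by_peer),
    }


def first_failure_after_success(events):
    """Time of the first 547 that follows at least one successful SA creation.

    This is the pattern the original post describes: the first few jobs work,
    then negotiations start failing. Returns None if no such transition exists.
    The export is assumed to be in chronological order.
    """
    seen_success = False
    for e in events:
        if e["event_id"] in MM_QM_CREATED:
            seen_success = True
        elif e["event_id"] == NEGOTIATION_FAILED and seen_success:
            return e["time"]
    return None


def classify(summary):
    """Map each peer's failure reasons to the check the reply suggests."""
    hints = {}
    for peer, reasons in summary["failures_by_peer"].items():
        if any("Kerberos" in r for r in reasons):
            hints[peer] = ("authentication: check DC reachability/DNS and that the "
                           "DC's address is permitted in the policy")
        elif any("No response" in r for r in reasons):
            hints[peer] = "no response: peer unreachable or IKE blocked; compare filters on both sides"
        else:
            hints[peer] = "look the reason up in the Chapter 7 troubleshooting guide"
    return hints


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    s = summarize(evs)
    print(s)
    print("first failure after a working period:", first_failure_after_success(evs))
    for peer, hint in classify(s).items():
        print(peer, "->", hint)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; the peer column is whatever field your export uses for the IKE peer address, so adjust the column names in `parse_events` to match.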




  3. Re: Ipsec connection problem

    Of course, it's AD integrated DNS, so it's a DNS/authentication problem. I
    didn't know that IPsec wasn't supported to a DC, though.
    It all worked fine for about two months until I had to rebuild the server,
    it's been the last 2 - 3 weeks that I've had the problem, on the new build.
    I'll set the dc's to permit, that probably will fix it.
    Thanks
    Bob Grabbe
    bgrabbe@umich.edu

    "Jason Popp [MSFT]" wrote in message
    news:Oehy3VcmFHA.2628@tk2msftngp13.phx.gbl...
    > Kind of sounds like you have a DNS problem (inability to consistently
    > locate a DC for the necessary authentication, and IPsec failures may just
    > be a victim of that problem.)
    >
    > In any case, if you have 'Audit Logon Events' Success and Failure auditing
    > enabled you should see 547 failure events in the Security log if there is
    > an IPsec negotiation failure. You'll also see additional traffic for
    > IPsec MM/QM creations in the form of 541 and 542 events as well.
    >
    > From there you can refer to the Chapter 7 IPsec troubleshooting guide from
    > the domain isolation doc for detailed information on each of the events
    > and suggestions for correcting them. If that doesn't provide enough
    > information you should look into enabling the oakley.log file for even
    > more detailed information.
    >
    > Lastly, all this is assuming that you are not using IPsec to secure the
    > traffic between the client and the DC since that is an unsupported
    > configuration and prone to many problems. e.g. the DC's IP address should
    > be permitted in the policy.
    >
    > http://www.microsoft.com/technet/sec.../IPsecch7.mspx
    >
    > jason
    >
    >
    > "Bob Grabbe" wrote in message
    > news:%23%23FS%23vbmFHA.420@TK2MSFTNGP09.phx.gbl...
    >> Wondering if anyone has seen this. I have a server on my internal network
    >> that I am doing disk to disk backups using robocopy overnight with a
    >> scheduled task. Ipsec policy is set to use esp, with AD authentication.
    >> When the job starts, 9 pm, the first three or four jobs work fine, then
    >> the server starts losing its connection and can't copy anything else. If
    >> I ping it from one of the DC's it starts working again.
    >> It looks like the ipsec policy is working from the start, but after a
    >> while it can't contact the DC to authenticate the other servers until the
    >> DC sends something to it. I've been through the policies on both sides,
    >> can't find anything wrong. The server is Win2k3, windows 2000 functional
    >> domain. I'm not seeing anything in the event log, the only thing I see is
    >> when I try to log on to the server it sometimes says the domain is not
    >> available.
    >> Any help appreciated.
    >> --
    >> Bob Grabbe
    >> bgrabbe@umich.edu
    >>
    >>

    >
    >



