IPSEC Service Fail to Start - Network


Thread: IPSEC Service Fail to Start

  1. IPSEC Service Fail to Start

    After an unexpected shutdown of my server the IPSec service refused to start.
    Examining the event logs on the server has revealed the following errors:
    - System Log
    *Event ID 7023 Source Service Control Manager
    Service Failed to start
    *Event ID 4232 Source IPSec
    IPSec Service went into the block state

    Currently it is possible to connect to the server by disabling the IPSec
    service, but I'm running into problems on the network as certain applications
    require the IPSec service.

    I'm running a SBS 2003 Premium Server with ISA 2004 installed and fully
    patched (i.e. SP1 with newest updates installed).

    Is it possible to reinstall this service without reinstalling the whole
    server? If it is possible, does anybody know how to do it? And lastly, what can
    cause this service to get corrupted?

    Any help will be greatly appreciated.





  2. Re: IPSEC Service Fail to Start

    It is hard to say offhand exactly what happened. There is an excellent
    chapter in the IPsec domain isolation guide on troubleshooting IPsec. I
    would start there in the section on troubleshooting the IPsec service, of
    which I have pasted a portion below. If the problem is deeper you could
    try running System File Checker, as in sfc /scannow, in case there are
    corrupted system files. A last resort may be to do an in-place
    upgrade/repair of the operating system, which would require that you first
    install the service pack and then the critical security updates after finishing.
    First run Check Disk on your computer, make sure that the IPsec service is not
    disabled and that the services it depends on are running, and try using netsh to
    reset TCP/IP. If you do use netsh to reset TCP/IP, be sure to review your
    TCP/IP settings after doing so to make sure they are correct, as it may
    change your static IP address to use DHCP, and document your current TCP/IP
    settings before running the netsh command. You can use services.msc to check
    services and look in the Dependencies tab to see what services a service
    depends on. --- Steve

    http://www.microsoft.com/technet/sec.../ipsecch7.mspx
    http://support.microsoft.com/default...b;en-us;816579

    Troubleshooting the IPsec Service
    The IPsec service does not need to be running to use the IPsec Policy
    Management MMC snap-in. However, if an administrator then assigns a local
    policy, the Policy Assigned column will display an error.

    The following common problems can cause the IPsec service to fail during
    startup:

    - The computer was started in Safe Mode or Active Directory Recovery
    Mode. In these cases, the IPsec driver will provide stateful outbound
    communication by default if there is an IPsec policy assigned. Inbound
    connectivity will be blocked unless there is a boot exemption configured.

    - IKE cannot obtain exclusive control of UDP port 500 and port 4500.
    Use netstat -bov to show the processes and code modules for each port. The
    command portqry -local -v provides even greater detail. Some Winsock Layered
    Service Providers (LSPs) may be installed that are interfering with IPsec.
    For more information about LSPs and IPsec, refer to the "Troubleshooting
    Application Related Issues" section later in this chapter.

    - IPsec policy corruption. The assigned IPsec policy cannot be read
    entirely or applied entirely, which causes the IPsec service to report a
    number of errors. These errors do not cause the service itself to fail, but
    may cause communications to fail in many ways, such as by blocking Group
    Policy and the IPsec service from retrieving corrected policies. In Windows
    XP and Windows Server 2003, attention should be paid to the design of
    persistent policy or local policy as a "safe" policy to be applied in case
    of errors that occur when domain-based policy is applied. Both persistent
    policy and computer startup policy (boot-mode exemptions) should be part of
    the troubleshooting investigation. These policies should permit remote
    access to the computer by other means in case they are the only policies
    applied because of other failure conditions.




    "Christo Basson" <Basson@discussions.microsoft.com> wrote in message
    news:3D833C7F-6C9F-418A-8849-5055E1BC8DC7@microsoft.com...
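    The checks in the reply above (service state and its dependencies, who owns UDP 500 and 4500, the 7023 and 4232 System-log events from the first post, and recording the TCP/IP settings before any netsh reset) gathered into one read-only PowerShell script. This is an added example, not code from the thread or from the Microsoft guide it cites. It assumes Windows PowerShell and an elevated prompt on the affected server, and that the IPsec service is registered under the name PolicyAgent, as it is on Windows XP and Windows Server 2003; the output directory under %TEMP% is an arbitrary choice.

```powershell
# Added example: read-only IPsec service triage. Not from the thread or the
# cited guide. Assumes Windows PowerShell, an elevated prompt, and the service
# name PolicyAgent (IPSEC Services on XP / Server 2003).

$svcName = 'PolicyAgent'
$outDir  = Join-Path $env:TEMP 'ipsec-triage'   # assumed location for saved output
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Is the service registered at all, and in what state? An unknown name is
#    the "not in my service list" symptom rather than a stopped service.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$svcName' is not registered on this host."
} else {
    Write-Output ("{0}: {1}" -f $svc.DisplayName, $svc.Status)
    # Every dependency must be running before the IPsec service can start.
    foreach ($dep in $svc.ServicesDependedOn) {
        $flag = if ($dep.Status -eq 'Running') { 'ok' } else { 'NOT RUNNING' }
        Write-Output ("  depends on {0,-14} {1}" -f $dep.Name, $flag)
    }
}

# 2. Who owns UDP 500 and 4500? IKE needs exclusive control of both; any other
#    owner points at a port conflict or an interfering Layered Service Provider.
$udp = netstat -ano -p udp | Where-Object { $_ -match '^\s*UDP\s+\S+:(500|4500)\s' }
if (-not $udp) {
    Write-Output 'UDP 500/4500: no listener, so IKE is not up.'
}
foreach ($line in $udp) {
    $fields = $line.Trim() -split '\s+'          # Proto, Local, Foreign, PID
    $pid    = $fields[-1]
    $owner  = Get-Process -Id $pid -ErrorAction SilentlyContinue
    $name   = if ($owner) { $owner.ProcessName } else { 'unknown' }
    Write-Output ("{0,-28} PID {1} ({2})" -f $fields[1], $pid, $name)
}

# 3. The two events the original poster reported, most recent first.
#    (-contains is used instead of -in so the script also runs on PowerShell 2.)
Get-EventLog -LogName System -Newest 500 |
    Where-Object { @(7023, 4232) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Source, Message |
    Format-Table -AutoSize -Wrap

# 4. Document TCP/IP settings before any stack reset: the reply warns that
#    'netsh int ip reset' can revert a static address to DHCP.
ipconfig /all           | Out-File (Join-Path $outDir 'ipconfig-all.txt')
netsh interface ip dump | Out-File (Join-Path $outDir 'netsh-ip-dump.txt')
Write-Output "TCP/IP settings saved under $outDir"
```

    The script changes nothing; it only records state. If step 1 reports the service as unknown, the later steps still tell you whether something else has taken the IKE ports, which is worth knowing before deciding between a TCP/IP reset and a repair install.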




  3. Re: IPSEC Service Fail to Start

    Hi Steve,

    I've been reading the suggested guide this morning and have to say that my
    understanding of the IPSec service was totally skewed.

    I have been able to regain control of my IP Security Policies MMC, but the
    IP Security Monitor is still giving me an error, specifically: "The Security
    Policy Database component of the IPSec Service is unavailable and or
    incompatible with the IP Security monitor"

    Using netsh ipsec dynamic show all I've seen that some of the components in
    the SPD show a 1702 (Binding handle invalid) error. Is it possible to reset
    the SPD without damaging the OS?

    Regarding the service (PolicyAgent) IPSec: This service is not displayed in
    my service list. Will a reset of the TCP/IP stack influence this issue? I'm
    assuming that if the service is not shown in this console (it is not shown
    through net start either) that the service is definitely not started.

    Thank you for the good advice thus far.

    Christo




    "Steven L Umbach" wrote:
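    When a service no longer appears in services.msc or in net start, the question is whether its registration with the Service Control Manager still exists, not whether it is merely stopped. The following added PowerShell example (not from the thread) checks the PolicyAgent registry key and its binary, then saves the netsh ipsec dynamic show all output and flags the lines carrying the 1702 error described in the post above. It assumes Windows PowerShell and an elevated prompt, the service name PolicyAgent, and that 1702 is the Win32 RPC error RPC_S_INVALID_BINDING, which is what a client such as IP Security Monitor reports when the RPC server it calls (here, the IPsec service) is not there to answer.

```powershell
# Added example: is the IPsec service still registered, and what does the
# dynamic SPD report? Not from the thread. Assumes Windows PowerShell, an
# elevated prompt, and the XP / Server 2003 service name PolicyAgent.

$svcName = 'PolicyAgent'
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

if (-not (Test-Path $key)) {
    Write-Warning "$key is missing: the service registration itself is gone, so a"
    Write-Warning "TCP/IP reset will not bring it back; a repair install or System"
    Write-Warning "State restore is the kind of fix that recreates it."
} else {
    $cfg = Get-ItemProperty -Path $key
    # Start: 2 = automatic, 3 = manual, 4 = disabled (SERVICE_* start types).
    Write-Output ("ImagePath : {0}" -f $cfg.ImagePath)
    Write-Output ("Start     : {0}" -f $cfg.Start)

    # Expand %SystemRoot%, drop any arguments, and confirm the host binary exists.
    $exe = [Environment]::ExpandEnvironmentVariables($cfg.ImagePath) `
           -replace '^"?([^"]+?\.exe)"?.*$', '$1'
    $state = if (Test-Path $exe) { 'present' } else { 'MISSING' }
    Write-Output ("Binary    : {0} ({1})" -f $exe, $state)

    # Services hosted in lsass/svchost point at a DLL under Parameters.
    $params = Join-Path $key 'Parameters'
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { Write-Output ("ServiceDll: {0}" -f $dll) }
    }
}

# Capture the dynamic SPD state for the record and pick out the 1702 lines.
$outFile = Join-Path $env:TEMP 'ipsec-dynamic-show-all.txt'   # assumed location
$spd = netsh ipsec dynamic show all 2>&1
$spd | Out-File $outFile
$bad = @($spd | Where-Object { $_ -match '\b1702\b' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} line(s) report error 1702 (RPC_S_INVALID_BINDING); full output in {1}" -f $bad.Count, $outFile)
    $bad | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "netsh ipsec dynamic show all completed without 1702 errors; saved to $outFile"
}
```

    Reading the SPD through netsh and IP Security Monitor both go through the IPsec service's RPC interface, so a consistent 1702 from every component is the expected result while the service is not running; it does not by itself indicate that the policy store is damaged.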


  4. Re: IPSEC Service Fail to Start

    It sounds like something fairly significant has happened to your server if
    the IPsec service does not even show in your list of services. I have not
    had that happen to me. In the past it has been reported that reinstalling
    TCP/IP often fixes IPsec problems for Windows 2000. With Windows 2003 you
    can use netsh to reset TCP/IP and it may help. I don't know for sure as I
    have not experienced your situation with Windows 2003. In Windows 2000 it
    also helped to delete existing IPsec policies and then restore the default
    IPsec policies or restore the current IPsec policies from a known good backup.
    For instance, using the MMC snap-in for IP Security Policies you can right
    click, select All Tasks, and then select Restore Default Policies. However,
    you may not be able to do that if the IPsec service is not running, which
    sounds like your case.

    If you have a recent backup of the System State for your server you may want
    to try and restore that, keeping in mind that changes to your Active
    Directory that have been implemented since that backup will be lost.
    Otherwise it may help to dig further into the troubleshooting guide and use
    netsh and registry editing to further troubleshoot the IPsec policy,
    which may be a local or domain level policy. If possible, try to make an
    image type backup of your server so that you can restore if the need arises,
    and at the very least make a backup of the System State so that you have your
    Active Directory backed up. As I mentioned earlier, System File Checker and
    a repair install may be other options to consider. --- Steve


    "Christo Basson" wrote in message
    news:93F5CFD7-CD83-4D00-B51B-52F2FCC62EB8@microsoft.com...