IPsec connection cannot be established from BOTH endpoints - Network


  1. IPsec connection cannot be established from BOTH endpoints

    Dear friends,

    I am experiencing a strange problem resulting in the inability to establish
    the IPsec connection from both communication partners; it only works when
    machine B contacts machine A, not vice versa. After pinging machine A, A can
    ping B - otherwise I get the message that IP security is being negotiated.

    Both boxes have static, public IPs and I have defined an IPsec rule based on
    those specific IPs. I did that for two pairs of boxes, pair A is working
    fine, machine A can contact machine B and vice versa. But my second pair has
    the above mentioned problem.

    Any hint to work around this problem would be very nice.

    Many thanks in advance,
    Tobias Punke



  2. Re: IPsec connection cannot be established from BOTH endpoints

    Hi Tobias,

    Ping inserts the MAC addresses of both hosts into each other's ARP cache,
    which might explain why you are able to connect after pinging (use 'arp -a'
    to view and 'arp -d' to delete entries).

    Are both pairs of machines on the same or similar subnets, with similar
    default gateways and identical or similar routers/hubs/switches between?
    Are they all running the same operating system - all workstations or some
    servers? Do they all have the same NIC cards?

    This is just a wild guess, but you might try turning 'Tx Checksum Offload'
    off on the NIC card in the machine where you are having trouble. See if it
    makes a difference.

    If that doesn't work, check the system and security event logs in Event
    Viewer. You may have a problem with certificates.

    Refer to the following technet article on troubleshooting IPSec:
    http://technet2.microsoft.com/Window....mspx?mfr=true

    I hope this helps!

    --
    Greg Lindsay [MSFT]
    greg.lindsay@microsoft.com

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

    "Tobias Punke" wrote in message
    news:OOjKZVcqGHA.148@TK2MSFTNGP04.phx.gbl...
    > Dear friends,
    >
    > I am experiencing a strange problem resulting in the inability to establish
    > the IPsec connection from both communication partners; it only works when
    > machine B contacts machine A, not vice versa. After pinging machine A, A
    > can ping B - otherwise I get the message that IP security is being
    > negotiated.
    >
    > Both boxes have static, public IPs and I have defined an IPsec rule based
    > on those specific IPs. I did that for two pairs of boxes, pair A is
    > working fine, machine A can contact machine B and vice versa. But my
    > second pair has the above mentioned problem.
    >
    > Any hint to work around this problem would be very nice.
    >
    > Many thanks in advance,
    > Tobias Punke
    >




  3. Re: IPsec connection cannot be established from BOTH endpoints

    re: different behavior between the machines for IPsec negotiations.
    Does each machine have the same mirrored IPsec rule?
    IP_Server_A < - > IP_Server_B, Negotiate Security

    re: ICMP
    I would suggest adding the following rule to exempt ICMP from IPsec
    negotiations:
    Me < - > Any, ICMP, Permit (mirrored)

    Jason

    "Tobias Punke" wrote in message
    news:OOjKZVcqGHA.148@TK2MSFTNGP04.phx.gbl...
    > Dear friends,
    >
    > I am experiencing a strange problem resulting in the inability to establish
    > the IPsec connection from both communication partners; it only works when
    > machine B contacts machine A, not vice versa. After pinging machine A, A
    > can ping B - otherwise I get the message that IP security is being
    > negotiated.
    >
    > Both boxes have static, public IPs and I have defined an IPsec rule based
    > on those specific IPs. I did that for two pairs of boxes, pair A is
    > working fine, machine A can contact machine B and vice versa. But my
    > second pair has the above mentioned problem.
    >
    > Any hint to work around this problem would be very nice.
    >
    > Many thanks in advance,
    > Tobias Punke
    >
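    Jason's two rules written out as an added example (not from this thread) in the `netsh ipsec static` context of Windows XP/Server 2003, which is what the thread's era and the "IP security is being negotiated" message point at. The policy, filter list and action names are arbitrary, and 203.0.113.10 / 198.51.100.20 are documentation-range placeholders for the two static public IPs; the script assumes both boxes are standalone (no domain Kerberos), so the authentication method is left as a marked placeholder.

```batch
@echo off
rem Added example: one IPsec policy carrying the mirrored A-B "Negotiate
rem Security" rule plus the ICMP exemption. Run on machine A as shown, then
rem on machine B with srcaddr/dstaddr swapped so both ends hold the same rule.
rem Placeholders: 203.0.113.10 = this box (A), 198.51.100.20 = the peer (B).

set POLICY=A-B IPsec

rem 1. The policy container; it stays inactive until assigned in step 4.
netsh ipsec static add policy name="%POLICY%" description="Mirrored A-B negotiate, ICMP exempt"

rem 2. IP_Server_A <-> IP_Server_B, Negotiate Security (mirrored).
rem    mirrored=yes also creates the reverse-direction filter, so traffic
rem    between the pair is matched whichever side initiates. Jason's first
rem    question is whether BOTH boxes carry this same mirrored rule.
netsh ipsec static add filterlist name="A-B hosts"
netsh ipsec static add filter filterlist="A-B hosts" srcaddr=203.0.113.10 dstaddr=198.51.100.20 protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Negotiate A-B" action=negotiate
rem    Authentication defaults to Kerberos; standalone boxes need a
rem    certificate or pre-shared key here, e.g. psk="<PLACEHOLDER-PSK>".
netsh ipsec static add rule name="A-B negotiate" policy="%POLICY%" filterlist="A-B hosts" filteraction="Negotiate A-B"

rem 3. Me <-> Any, ICMP, Permit (mirrored). Pings then pass in the clear
rem    and no longer start or wait on an IKE negotiation. Keep this rule
rem    exactly this narrow: exempting protocol=ANY would bypass IPsec.
netsh ipsec static add filterlist name="ICMP exempt"
netsh ipsec static add filter filterlist="ICMP exempt" srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes
netsh ipsec static add filteraction name="Permit ICMP" action=permit
netsh ipsec static add rule name="ICMP permit" policy="%POLICY%" filterlist="ICMP exempt" filteraction="Permit ICMP"

rem 4. Assign the policy (only one static policy is active at a time) and
rem    dump it, so the output of A and B can be compared line by line.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show all
```

    Compare the `show all` output of the two boxes: a filter that is mirrored on one side and not the other reproduces exactly the one-directional symptom described in the original post.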


