Event 4963 IPsec Driver problem
I have a Server 2008 domain running IPsec in AH mode for all traffic. This is implemented by 2 connection security rules:

1. Request Inbound, Request Outbound when communicating with the DC.
2. Require Inbound, Request Outbound for all other connections.

This generally works fine, but I have come to add a Vista workstation to the domain, and it is flooding the DC with a very large number of Event 4963:

"IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt."

I am unable to contact the DC and log in as a domain user. However, if left for a while (10+ mins) it seems to eventually sort itself out and allow a domain login. If I log in as local admin before this "sorts itself out" I cannot ping the DC. I am running Windows Firewall in Allow all incoming and outgoing mode, and McAfee firewall in Adaptive mode. McAfee is not logging any blocked packets relevant to this connection. Is anyone able to shed some light on why it is behaving like this and how to fix it? Thanks,
November 4th, 2009 9:21pm

Hi, To narrow down the cause of this error, please try to test in Safe Mode with Networking and Clean Boot first. Please let us know the result of each step. Also, on the DC, open GPMC, right-click Group Policy Results, choose Group Policy Results Wizard, and follow the wizard to collect a report of the Windows 7 system. When it finishes, right-click in the right panel, choose Save Report, and use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
November 9th, 2009 12:43pm

Hi, We've done a bit more testing and narrowed down the problem a little. What actually happens is that the DC is logging this event every time the workstation attempts to negotiate an IPSec connection, and the DC rejects it. The reason it finally works is that after some time the DC initiates a connection to push out a group policy update, and when it does an IPSec security association is successfully established. From then on, users can log into the workstation. Once the workstation is rebooted, only users who have previously logged in can do so, but fresh domain users have to wait for another group policy update before they can log in. It appears the DC is rejecting IPSec connections initiated by the workstation. We found that by setting the Domain Isolation exception rule on the workstation to "Do Not Authenticate" rather than "Request incoming and request outgoing" any user can log into the workstation without delay. However, this weakens our security position and I would like to have communication with the DC protected with IPSec wherever possible. The Group Policy RSoP configuration for our systems is confidential so I can't post the whole thing here, but if there are specific settings you want to confirm I can post a small number of them. Thanks.
November 9th, 2009 11:23pm
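The DC-side check the post above describes (which hosts are sending the cleartext packets the DC drops, and how often) can be scripted. The following is an added example, not code from the original thread: it parses the rendered text of Security-log event 4963 and summarises drops per remote address. The exact layout of the rendered message ("Local Network Address:" / "Remote Network Address:" lines) and the sample timestamps and addresses are assumptions constructed for the example; the live query at the end uses Get-WinEvent, which is available on Vista/Server 2008 with PowerShell 2.0.

```powershell
# Added example, not from the original thread: summarise event 4963
# ("IPsec dropped an inbound clear text packet that should have been secured")
# by remote address so the workstation(s) the DC keeps rejecting stand out.

function ConvertFrom-Ipsec4963Message {
    # Pull the two address lines out of the rendered event text.
    # ASSUMPTION: the message contains "Local Network Address:" and
    # "Remote Network Address:" lines as in the event's Network Information block.
    param([Parameter(Mandatory)][string]$Message)
    $remote = if ($Message -match 'Remote Network Address:\s*(\S+)') { $Matches[1] } else { $null }
    $local  = if ($Message -match 'Local Network Address:\s*(\S+)')  { $Matches[1] } else { $null }
    [pscustomobject]@{ LocalAddress = $local; RemoteAddress = $remote }
}

function Get-Ipsec4963Summary {
    # $Events: objects with TimeCreated and Message (the shape Get-WinEvent returns).
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        ForEach-Object {
            $p = ConvertFrom-Ipsec4963Message -Message $_.Message
            [pscustomobject]@{ Time = $_.TimeCreated; Remote = $p.RemoteAddress; Local = $p.LocalAddress }
        } |
        Group-Object Remote |
        ForEach-Object {
            $times = $_.Group | Sort-Object Time | Select-Object -ExpandProperty Time
            $span  = ($times[-1] - $times[0]).TotalSeconds
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Drops         = $_.Count
                First         = $times[0]
                Last          = $times[-1]
                # Rate over the observed span; a single event counts as its own rate.
                DropsPerMin   = if ($span -gt 0) { [math]::Round($_.Count / ($span / 60), 1) } else { $_.Count }
            }
        } |
        Sort-Object Drops -Descending
}

# Constructed sample events (not real log data) imitating a workstation that
# retries every few seconds while a second host produces a one-off drop.
$header = "IPsec dropped an inbound clear text packet that should have been secured.`r`n`r`nNetwork Information:`r`n"
$sample = @()
0..9 | ForEach-Object {
    $sample += [pscustomobject]@{
        TimeCreated = ([datetime]'2009-11-09 09:00:00').AddSeconds($_ * 6)
        Message     = $header + "`tLocal Network Address:`t192.0.2.10`r`n`tRemote Network Address:`t192.0.2.57`r`n"
    }
}
$sample += [pscustomobject]@{
    TimeCreated = [datetime]'2009-11-09 09:00:30'
    Message     = $header + "`tLocal Network Address:`t192.0.2.10`r`n`tRemote Network Address:`t192.0.2.80`r`n"
}

Get-Ipsec4963Summary -Events $sample | Format-Table -AutoSize

# On the DC itself (elevated shell, "Audit IPsec Driver" enabled), feed the
# real Security log instead of the constructed sample:
# $live = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4963]]" -MaxEvents 5000
# Get-Ipsec4963Summary -Events $live | Format-Table -AutoSize
```

A remote address that shows a steady drop rate until it suddenly stops is the pattern described in the thread (workstation-initiated negotiations rejected until the DC initiates the SA). Comparing the First/Last columns against the workstation's own security-association events narrows down whether the mismatch is in the authentication method or in which side initiates.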

We have found a partial workaround, which involves setting all IPSec connections to authenticate "Computer & User", where previously we were using "Computer" only. This appears to solve the enforced login delay, but there are still some services (particularly web server - database communication) that appear to be affected by this problem. I'm still at a total loss as to what could be causing this issue. Are there really no ideas?
November 26th, 2009 1:16pm

Did you ever find a solution to this? I am having similar issues. Thanks.
July 23rd, 2010 4:24pm
