IPSEC policy drops packet from self to self
The firewall on my lab Windows 2008 R2 (64 bit) domain controller is turned off. I am using IPSEC to filter the packets. For some reason I am seeing packets dropped to self (it is not using the loopback interface, but the public interface), example below:
Server IP: 192.168.100.100
telnet 192.168.100.100 389
fails to connect (the same happens with other ports; the server is listening on the ports I tried).
When I unassign the IPSEC policy, the connection works. I am thinking that there is a hotfix out there for the issue I am seeing. If anyone has any insight, please help.
The symptoms are the same as described in the KB below:
http://support.microsoft.com/kb/961533
I can see that the article applies to Vista and 2008 and not to 2008 R2. But I still tried to download the hotfix and apply it, and as expected it failed, complaining that it does not pertain to this server.
December 6th, 2011 5:27pm
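As an added diagnostic, not part of the original post and not a Microsoft tool: the check the question describes (telnet to the server's own public address vs. loopback) can be scripted so that every local IPv4 address is probed against a port the host is actually listening on. A connect that succeeds on 127.0.0.1 but times out on the host's own interface address is exactly the self-to-self drop reported above; the same script verifies the behaviour after a policy change. The listener port and the timeout are assumptions; the script opens its own throwaway listener so it runs offline without any existing service.

```python
import socket
import threading
from typing import Dict, List, Optional


def local_ipv4_addresses() -> List[str]:
    """Collect the IPv4 addresses of this host: loopback plus whatever the
    hostname resolves to (the public interface address in the thread's case)."""
    addrs = {"127.0.0.1"}
    try:
        for addr in socket.gethostbyname_ex(socket.gethostname())[2]:
            addrs.add(addr)
    except socket.gaierror:
        pass  # no resolvable hostname: loopback only
    return sorted(addrs)


def start_listener(port: int = 0) -> socket.socket:
    """Bind a TCP listener on all interfaces (port 0 = any free port) and
    accept connections on a background thread so probes complete the handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connect to addr:port completes within timeout.
    A timeout on the host's own non-loopback address while loopback succeeds
    is the signature of a policy dropping self-to-self traffic."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def self_connect_report(port: int, addresses: Optional[List[str]] = None,
                        timeout: float = 2.0) -> Dict[str, bool]:
    """Probe each local address against port; map address -> connected?"""
    targets = addresses if addresses is not None else local_ipv4_addresses()
    return {a: probe(a, port, timeout) for a in targets}


if __name__ == "__main__":
    # Constructed run: stand up a throwaway listener, then probe every local
    # address against it. Substitute a real service port (e.g. 389) to test
    # the policy against a production listener instead.
    srv = start_listener()
    port = srv.getsockname()[1]
    for addr, ok in self_connect_report(port).items():
        print(f"{addr}:{port} -> {'connected' if ok else 'DROPPED / timed out'}")
    srv.close()
```

Run it on the affected host with the policy assigned and again with it unassigned; an address that flips from "DROPPED" to "connected" pinpoints the filter. Using a short timeout keeps a run over several interfaces quick, since a silently dropped packet only ever ends in a timeout, never a refusal.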
Any MS gurus know what issue I am running into??
December 6th, 2011 11:59pm
I tried adding a rule to allow all from MY IP to 192.168.100.100/32 --- DID NOT WORK
I ended up adding a rule to allow
From: MY IP
Specific Subnet: 192.168.100.0/24
This is very ugly.
Does anyone have any suggestions or know of a fix for this issue??
Thanks
December 7th, 2011 11:16am
Hi Medise,
Thanks for posting here.
It appears this is a by-design behavior: Windows will not add permit filters in the situation where the source IP address and destination IP address are on the same host. But we may try the workaround in the article below:
Self-to-Self traffic is blocked by a Legacy IPsec rule which blocks traffic from any IP address to any other IP address
http://support.microsoft.com/kb/2026070
Thanks.
Tiger Li
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 7th, 2011 9:45pm
Hello Mr. Li,
Thanks for the KB article. Is there a way to download the hotfix for Windows 2008 R2 to fix this issue, since the link provides a hotfix only for Windows Vista?
Thanks
Medise
January 3rd, 2012 3:10pm
Hi Medise,
Thanks for the update.
This hotfix applies to Windows Server 2008 R2; we can verify that from the "Applies to" paragraph:
APPLIES TO
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Foundation
• Windows 7 Enterprise
• Windows 7 Professional
• Windows 7 Ultimate
Keywords:
KB2026070
Thanks.
Tiger Li
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 3rd, 2012 8:20pm
Hi Medise,
Thanks for the update.
The workaround in that article applies to Windows Server 2008 R2; we can verify that from the "Applies to" paragraph:
APPLIES TO
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Foundation
• Windows 7 Enterprise
• Windows 7 Professional
• Windows 7 Ultimate
Keywords:
KB2026070
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 4th, 2012 4:14am
Thanks Li for responding.
I get the hotfix download option only for Windows Vista, so I downloaded the 64-bit version for Vista (file name 371156_intl_x64_zip.exe) and tried to apply it to Windows 2008 R2 Ent (NT OS kernel version 6.1.7600.16792). The extracted file was
Windows6.0-KB961533-x64.msu
And when executed it stops with "this update is not applicable to you computer". So I think there should be a Windows 2008 R2 download, which I cannot find.
The hotfix download link used was
http://support.microsoft.com/default.aspx?scid=kb;EN-US;961533
Thanks
Medise
January 4th, 2012 10:08am
Does anyone know where I can find the patch for Windows 2008 R2?
Thanks
January 9th, 2012 10:11am
There was no patch released for this issue for Windows 2008 R2. However, the workaround Tiger mentioned does seem to be applicable to Win2008 R2 also. Did that not work for you?
-CrDev Blogs: http://blogs.msdn.com/b/satyem
January 9th, 2012 5:25pm
Well, the workaround the article recommends is to not use IPSEC and configure all the rules using the firewall. This will be a big design change for us and will not work for the time being. While I upgrade my servers to Windows 2008 R2, I would like to keep the functional aspects consistent with the Windows 2003 servers. Maybe in the future, in the next 6-12 months, we may move to the firewall, since with 2008 we can now do both inbound and outbound filtering, unlike the inbound-only filtering in older versions, which led us to using IPSEC in the first place.
Will there be a patch released for Windows 2008 Enterprise R2? Is there any other alternative to achieve the functionality using IPSEC?
Thanks
January 19th, 2012 12:43pm
The patch is released if a customer comes with enough business justification for the issue. You might need to contact the Microsoft support team for the same.
Unfortunately, IMO there is no other workaround for the same apart from using AdvFirewall to configure rules.
-CrDev Blogs: http://blogs.msdn.com/b/satyem
January 20th, 2012 4:45pm