IPSEC policy drops packet from self to self
The firewall on my lab Windows 2008 R2 (64-bit) domain controller is turned off. I am using IPsec to filter the packets. For some reason I am seeing packets dropped to self (it is not using the loopback interface, but the public interface). Example below:

Server IP: 192.168.100.100
telnet 192.168.100.100 389 fails to connect (the same happens with other ports; the server is listening on the ports which I tried). When I unassign the IPsec policy, the connection works.

I am thinking that there is a hotfix out there for the issue I am seeing. If anyone has any insight, please help. The symptoms are the same as described in the KB below: http://support.microsoft.com/kb/961533. I can see that the article applies to Vista and 2008 and not to 2008 R2, but I still tried to download the hotfix and apply it, and as expected it failed, complaining that it does not pertain to this server.
December 6th, 2011 5:27pm

Any MS gurus know what issue I am running into?
December 6th, 2011 11:59pm

I tried adding a rule to allow all from MY IP to 192.168.100.100/32. This DID NOT WORK. I ended up adding a rule to allow From: MY IP, To: Specific Subnet 192.168.100.0/24. This is very ugly. Does anyone have any suggestions or know of a fix for this issue? Thanks
December 7th, 2011 11:16am
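The symptom in the posts above (telnet to the NIC address fails while an IPsec policy is assigned) is easier to pin down if the same ports are probed via the NIC address and via loopback side by side. The following script is an added example, not code from the thread or from Microsoft: it assumes PowerShell 2.0 (as shipped on 2008 R2) running on the server itself; the server address and port 389 come from the original post, the other ports are assumed typical domain-controller listeners, and the `Select-String` pattern assumes the English field names in `netsh ipsec static show` output.

```powershell
# Added example, not from the thread. Probes listening ports via the NIC
# address and via 127.0.0.1 so that a self-to-self IPsec drop shows up as
# "timeout via NIC, open via loopback". Assumes PowerShell 2.0+ on the server.
$ServerIp  = '192.168.100.100'          # address from the original post
$Ports     = @(389, 636, 3268, 88, 445) # 389 from the post; the rest assumed DC ports
$TimeoutMs = 2000

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        # A silent drop (what an IPsec block filter does) never answers, so the
        # handshake times out; a closed port answers with RST and is 'refused'.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($ar)
        return 'open'
    } catch {
        return 'refused'
    } finally {
        $client.Close()
    }
}

# List the legacy IPsec policies on the box and which one is assigned
# (field names assumed from the English netsh output).
netsh ipsec static show policy all | Select-String -Pattern 'Policy Name|Assigned'

foreach ($p in $Ports) {
    $viaNic  = Test-TcpPort -Address $ServerIp   -Port $p -TimeoutMs $TimeoutMs
    $viaLoop = Test-TcpPort -Address '127.0.0.1' -Port $p -TimeoutMs $TimeoutMs
    $flag = if ($viaLoop -eq 'open' -and $viaNic -eq 'timeout') { 'SELF-TO-SELF DROP?' } else { '' }
    "{0,6}  nic={1,-8} loopback={2,-8} {3}" -f $p, $viaNic, $viaLoop, $flag
}
```

A port that is `open` via loopback but `timeout` via the NIC address, with the Windows Firewall service off and an IPsec policy assigned, is the pattern described in this thread; `refused` on both paths means nothing is listening on that port and the IPsec policy is not the cause. Re-running the script after unassigning the policy (as the poster did) should turn the `timeout` entries into `open`.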

Hi Medise, Thanks for posting here. It appears this is by-design behavior: Windows will not add permit filters in the situation where the source IP address and destination IP address are on the same host. But we may try the workaround in the article below:

Self-to-Self traffic is blocked by a Legacy IPsec rule which blocks traffic from any IP address to any other IP address
http://support.microsoft.com/kb/2026070

Thanks. Tiger Li
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 7th, 2011 9:45pm


Hello Mr. Li, Thanks for the KB article. Is there a way to download the hotfix for Windows 2008 R2 to fix this issue, since the link provides the hotfix only for Windows Vista? Thanks Medise
January 3rd, 2012 3:10pm

Hi Medise, Thanks for the update. This hotfix applies to Windows Server 2008 R2; we can verify that from the "Applies to" paragraph:

APPLIES TO
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Foundation
• Windows 7 Enterprise
• Windows 7 Professional
• Windows 7 Ultimate
Keywords: KB2026070

Thanks. Tiger Li
January 3rd, 2012 8:20pm

Hi Medise, Thanks for the update. The workaround in that article applies to Windows Server 2008 R2; we can verify that from the "Applies to" paragraph:

APPLIES TO
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Foundation
• Windows 7 Enterprise
• Windows 7 Professional
• Windows 7 Ultimate
Keywords: KB2026070

Thanks. Tiger Li
January 4th, 2012 4:14am

Thanks Li for responding. I get the hotfix download option only for Windows Vista, so I downloaded the 64-bit version for Vista (file name 371156_intl_x64_zip.exe) and tried to apply it to Windows 2008 R2 Ent (NT OS kernel version 6.1.7600.16792). The extracted file was Windows6.0-KB961533-x64.msu, and when executed it stops with "this update is not applicable to your computer". So I think there should be a Windows 2008 R2 download, which I cannot find. The hotfix download link used was http://support.microsoft.com/default.aspx?scid=kb;EN-US;961533. Thanks Medise
January 4th, 2012 10:08am

Does anyone know where I can find the patch for Windows 2008 R2? Thanks
January 9th, 2012 10:11am

There was no patch released for this issue for Windows 2008 R2. However, the workaround Tiger mentioned does seem to be applicable to Win2008 R2 also. Did that not work for you?
-CrDev Blogs: http://blogs.msdn.com/b/satyem
January 9th, 2012 5:25pm

Well, the workaround the article recommends is to not use IPsec and configure all the rules using the firewall. This will be a big design change for us and will not work for the time being. While I upgrade my servers to Windows 2008 R2, I would like to keep the functional aspects consistent with the Windows 2003 servers. Maybe in the future, in the next 6-12 months, we may move to the firewall, since with 2008 we can now do both inbound and outbound filtering, unlike the inbound-only filtering in older models, which led us to using IPsec in the first place. Will there be a patch released for Windows 2008 Enterprise R2? Is there any other alternative to achieve the functionality using IPsec? Thanks
January 19th, 2012 12:43pm

The patch is released if any customer comes with enough business justification for the issue. You might need to contact the Microsoft support team for the same. Unfortunately, IMO there is no other workaround for the same apart from using AdvFirewall to configure rules.
-CrDev Blogs: http://blogs.msdn.com/b/satyem
January 20th, 2012 4:45pm
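The replies above point to one direction: express the host filtering as Windows Firewall with Advanced Security rules instead of a legacy IPsec policy. The script below is an added example of that translation, not code from the thread or from KB2026070; it assumes it is run elevated on the 2008 R2 domain controller, the server address and the 192.168.100.0/24 subnet come from the thread, and `$AdminHost` and the rule names are assumed placeholders for the poster's "MY IP" and whatever naming the environment uses.

```powershell
# Added example, not from the thread. Rebuilds the poster's IPsec-style host
# filtering as Windows Firewall with Advanced Security rules via netsh.
# Run elevated on the server. $AdminHost and rule names are assumed.
$AdminHost = '192.168.100.50'     # assumed: the "MY IP" from the thread
$AdminNet  = '192.168.100.0/24'   # subnet from the thread

# Enable the firewall on every profile: default-deny inbound, allow outbound
# (2008 R2 can filter both directions, which is why the poster considered it).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Narrow rule: LDAP and LDAPS inbound only from the single admin host.
netsh advfirewall firewall add rule "name=DC LDAP from admin host" dir=in action=allow protocol=TCP localport=389,636 "remoteip=$AdminHost"

# Wider rule mirroring the poster's interim IPsec filter: anything from the
# management subnet. Tighten to specific ports once the narrow rules are proven.
netsh advfirewall firewall add rule "name=DC any from admin subnet" dir=in action=allow protocol=any "remoteip=$AdminNet"

# Review what is in place (field names assumed from the English netsh output).
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Rule Name|RemoteIP|LocalPort|Action'
```

The rule arguments containing spaces or a `$` variable are passed as single quoted strings so that PowerShell hands netsh one argument each. After the rules are in place, re-run the original `telnet 192.168.100.100 389` check from the server itself with the IPsec policy unassigned; the firewall rules, unlike the legacy IPsec filters discussed in the thread, are what the replies recommend for this case.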
