IPSEC policy drops packet from self to self
The firewall on my lab Windows 2008 R2 (64-bit) domain controller is turned off. I am using IPsec to filter the packets. For some reason I am seeing packets to self dropped (it is not using the loopback interface, but the public interface). Example below:
Server IP : 192.168.100.100
telnet 192.168.100.100 389
fails to connect (the same happens with other ports; the server is listening on the ports which I tried).
When I unassign the IPSEC policy, the connection works. I am thinking that there is a hotfix out there for the issue I am seeing. If anyone has any insight, please help.
The symptoms are the same as described in the KB article below:
http://support.microsoft.com/kb/961533
I can see that the article applies to Vista and 2008 and not to 2008 R2, but I still tried to download the hotfix and apply it, and as expected it failed, complaining that it does not pertain to this server.
December 6th, 2011 5:21pm
Do any MS gurus know what issue I am running into?
December 6th, 2011 11:53pm
I tried adding a rule to allow all from MY IP to 192.168.100.100/32. This DID NOT WORK.
I ended up adding a rule to allow:
From: MY IP
Specific subnet: 192.168.100.0/24
This is very ugly.
Does anyone have any suggestions or know of a fix for this issue?
Thanks
December 7th, 2011 11:09am
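The workaround described in the post above (permit from the server's own address to its /24 subnet), reconstructed as an added example of netsh ipsec static commands. This is not the poster's configuration: the policy, filter list, filter action and rule names are assumptions, as is the use of a mirrored filter, and the block rules already present in the poster's policy are not shown. The Test-Port function at the end is the scripted equivalent of the telnet check from the first post.

```powershell
# Added example: the "allow from MY IP to my own /24" workaround from the
# post above, as netsh ipsec static commands. Names are assumptions.
# Run from an elevated prompt on the server itself (192.168.100.100).

$ServerIP = '192.168.100.100'
$Subnet   = '192.168.100.0'
$Mask     = '255.255.255.0'
$Policy   = 'LabIPsecPolicy'    # assumed: name of the policy already assigned

# Filter list: traffic from this host's own address to its own subnet.
# The poster reported that a /32 to the server's address was not enough;
# the /24 is what worked for them, so that is what is added here.
netsh ipsec static add filterlist name=AllowSelfToSubnet
netsh ipsec static add filter "filterlist=AllowSelfToSubnet" "srcaddr=$ServerIP" "dstaddr=$Subnet" "dstmask=$Mask" protocol=ANY mirrored=yes

# Filter action: plain permit, no IKE negotiation.
netsh ipsec static add filteraction name=PermitAction action=permit

# Rule binding the filter list to the permit action inside the existing policy.
netsh ipsec static add rule name=AllowSelfToSubnet "policy=$Policy" filterlist=AllowSelfToSubnet filteraction=PermitAction

# Re-assign the policy so the change is applied, then inspect it.
netsh ipsec static set policy "name=$Policy" assign=y
netsh ipsec static show policy "name=$Policy" level=verbose

# Equivalent of the poster's "telnet 192.168.100.100 389" check, usable from
# PowerShell 2.0 on 2008 R2 (no Test-NetConnection there).
function Test-Port($Address, $Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Address, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

Test-Port $ServerIP 389
```

Run Test-Port before and after the policy is re-assigned; the rule is doing its job only if a port the server listens on goes from refused to connected. Because mirrored=yes also permits the return direction, check that the new filter is not broader than the block rule you intend to keep: the filter list permits every protocol between this host and the whole /24, which is exactly why the poster called it ugly.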
Hello Mr. Li,
Thanks for the KB article. Is there a way to download the hotfix for Windows 2008 R2 to fix this issue, since the link provides the hotfix only for Windows Vista?
Thanks
Medise
January 3rd, 2012 3:04pm
Thanks Li for responding.
I get the hotfix download option only for Windows Vista, so I downloaded the 64-bit version for Vista (file name 371156_intl_x64_zip.exe) and tried to apply it to Windows 2008 R2 Ent (NT OS kernel version 6.1.7600.16792). The extracted file was
Windows6.0-KB961533-x64.msu
and when executed it stops with "this update is not applicable to your computer". So I think there should be a Windows 2008 R2 download, which I cannot find.
The hotfix download link used was
http://support.microsoft.com/default.aspx?scid=kb;EN-US;961533
Thanks
Medise
January 4th, 2012 10:02am
Does anyone know where I can find the patch for Windows 2008 R2?
Thanks
January 9th, 2012 10:04am
There was no patch released for this issue for Windows 2008 R2. However, the workaround Tiger mentioned does seem to be applicable to Win2008 R2 also. Did that not work for you? -CrDev Blogs: http://blogs.msdn.com/b/satyem
January 9th, 2012 5:18pm
Well, the workaround the article recommends is to not use IPsec and to configure all the rules using the firewall. This will be a big design change for us and will not work for the time being. While I upgrade my servers to Windows 2008 R2, I would like to keep the functional aspects consistent with the Windows 2003 servers. Maybe in the future, in the next 6-12 months, we may move to the firewall, since with 2008 we can now do both inbound and outbound filtering, unlike only inbound in the older models, which is what led us to using IPsec in the first place.
Will there be a patch released for Windows 2008 Enterprise R2? Is there any other alternative to achieve the functionality using IPsec?
Thanks
January 19th, 2012 12:36pm
The patch is released if a customer comes with enough business justification for the issue. You might need to contact the Microsoft support team for the same.
Unfortunately, IMO there is no other workaround for the same apart from using AdvFirewall to configure the rules. -CrDev Blogs: http://blogs.msdn.com/b/satyem
January 20th, 2012 4:38pm
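For the AdvFirewall route CrDev recommends (the KB 961533 workaround), here is an added example, not from the thread, of the netsh advfirewall commands that replace the IPsec permit filter for LDAP: firewall on for all profiles, default-deny inbound, TCP 389 allowed from the lab subnet, and outbound filtering, which the poster said motivated the original IPsec design. The rule names, the subnet, the export path and the short outbound port list are assumptions; a real domain controller needs outbound rules for every AD service it talks to before the outbound default is switched to block.

```powershell
# Added example: the lab filtering done with Windows Firewall with Advanced
# Security instead of an IPsec policy. Rule names, subnet, export path and
# the outbound port list are assumptions. Run from an elevated prompt.

$LanSubnet = '192.168.100.0/24'

# Firewall on for every profile; start with default-deny inbound and allow
# outbound so the box stays reachable while the rule set is built.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Inbound: LDAP from the lab subnet only. The server's own address lies inside
# the /24, so a connection from the server to itself matches this rule
# whichever interface the stack chooses for it.
netsh advfirewall firewall add rule name="DC LDAP in from LAN" dir=in action=allow protocol=TCP localport=389 "remoteip=$LanSubnet"

# Outbound filtering (the capability the poster wanted from 2008): open only
# what is needed, then flip the outbound default to block. The two rules below
# are the shape of such a rule set, not a complete one for a domain controller
# (Kerberos, RPC, SMB and replication traffic would all need their own rules).
netsh advfirewall firewall add rule name="DC DNS out to LAN" dir=out action=allow protocol=UDP remoteport=53 "remoteip=$LanSubnet"
netsh advfirewall firewall add rule name="DC LDAP out to LAN" dir=out action=allow protocol=TCP remoteport=389 "remoteip=$LanSubnet"
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Verify the rule and the profile defaults, and keep a copy of the policy
# so the experiment can be rolled back with "netsh advfirewall import".
netsh advfirewall firewall show rule name="DC LDAP in from LAN"
netsh advfirewall show allprofiles
netsh advfirewall export "C:\Backup\lab-firewall.wfw"
```

Apply the outbound block last and only after the allow rules are in place, and do it from a console session rather than RDP: on a domain controller a missing outbound rule shows up as failed replication or logon errors rather than as a dropped telnet, so test against a second DC and a client after each change.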