Windows Server 2003 IPSEC blocking mode event 4292
Hi, I have a problem on several servers. After updates distributed via WSUS, random servers are entering IPSec blocking mode. Basically it is this:

Event Type: Error
Event Source: IPSEC
Event Category: None
Event ID: 4292
Date:
Time:
User: N/A
Computer: COMPUTER_NAME
Description: The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions.

Sometimes this solution http://support.microsoft.com/kb/912023 is working and I am also using this:

net stop policyagent
regsvr32 polstore.dll
net start policyagent

+ reboot of server and it is working. I know that a workaround to this is deploying a GPO with IPSec disabled, but I would like to know why this is happening. Do you know about any KB to solve or prevent this? Thanks in advance, Wojciech
June 28th, 2011 10:52am

Hi Wojciech, Thanks for posting here. Can you verify the number of these hotfixes that you just patched on the servers since this issue occurred? You may try the workaround which is discussed in the blog below to modify the registry key and see how it goes:

Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/b/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

Thanks. Tiger Li

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 29th, 2011 11:10am

We are also seeing this issue, across multiple servers at multiple sites. I believe it is specific to 2003. It is not the DNS ports issue from 2008. This is from patches released in June/2011. We have only been able to work around it so far by disabling IPSec and rebooting, but will be trying the resolution Wojciech mentioned when possible. I am still trying to narrow down which patches were applied to all the affected servers. I have an open ticket for this with PSS and will post back if I find more information. Mostly I was glad to see we aren't the only ones seeing this and wanted to help get the word out and escalate this issue. Joel Asaro
June 29th, 2011 9:13pm

Hi guys and thanks for the reply. I can't confirm if this issue is caused by installing MS08-037 (951746 and 951748) because I wasn't able to access my company WSUS :) I will try to check it tomorrow and I will let you know what patches were deployed when the server entered IPSec blocking mode. As Joel wrote, blocking mode didn't occur on 2008, and the solution to this is pretty easy to implement in small environments. In larger ones it is extremely difficult due to db server downtime etc. I can't 100% agree with Joel that it is caused by June patches because I fixed several servers in January and February. I will keep you posted about my investigation, and if you find something please share. Cheers!
June 29th, 2011 9:51pm

Hi Wojciech, Thanks for the update. Actually you can verify the latest patched hotfix by checking the update history on that server. If there is any update on this issue please feel free to let us know. Thanks. Tiger Li
July 4th, 2011 5:25am

Right now I am waiting for account creation and I will log a support ticket with Microsoft since this is a painful issue. I will let you know about the cause and solution. Cheers, Wojciech
July 4th, 2011 8:57pm

We are still tracking this issue and I have not heard back from PSS yet, but I have now seen this on a server that looks to NOT have June patches installed. I am starting to suspect it is something else on these servers. Wojciech, would you mind emailing me directly to compare what software we might have in common on affected servers? joelasaro [at] gmail [dot] com.
July 5th, 2011 7:53pm


No probs Joel, I will do that tomorrow. Cheers
July 5th, 2011 8:14pm

I have made some progress in working with Microsoft PSS and thought I would share what I have seen so far. Curious if you can confirm that this is the case for your servers as well.

It looks like IPSec was symptomatic of Winsock corruption. I was able to recreate the issue in a VM with a minimal install of Windows, patches and our management software. Doing a "netsh winsock reset" does resolve the issue, but obviously, the aim is to determine the cause and ultimately prevent it.

Digging on my own I found the following KB which was helpful in diagnosing the winsock issue further: http://support.microsoft.com/kb/811259

Using "netsh winsock show catalog" on our affected servers it looks like the following components are missing:

MSAFD Tcpip [TCP/IP]
MSAFD Tcpip [UDP/IP]

I am hopeful this will allow us to detect the issue before rebooting, but I am still working on determining the cause.
July 15th, 2011 2:26pm
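
The check described in the last post, as an added example that is not part of the original thread: a Python parser for saved "netsh winsock show catalog" output that reports which of the two providers named above are absent. The sample text is constructed in the layout of that command's output, and the function names and the "Name Space Provider Entry" section header are assumptions.

```python
"""Check saved `netsh winsock show catalog` output for the base TCP/IP providers."""

# Providers the thread reports as missing on affected servers.
REQUIRED_PROVIDERS = ("MSAFD Tcpip [TCP/IP]", "MSAFD Tcpip [UDP/IP]")
ENTRY_HEADER = "Winsock Catalog Provider Entry"

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per Winsock catalog entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == ENTRY_HEADER:
            current = {}
            entries.append(current)
        elif line.endswith("Entry") and ":" not in line:
            # Another section (assumed header: "Name Space Provider Entry");
            # its Description lines must not count as protocol providers.
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def missing_providers(text, required=REQUIRED_PROVIDERS):
    """List the required providers with no matching catalog Description."""
    present = {e.get("Description", "").lower() for e in parse_catalog(text)}
    return [name for name in required if name.lower() not in present]

# Constructed samples in the command's layout, not captured from a real server.
AFFECTED_SAMPLE = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:       Base Service Provider
Description:      RSVP UDP Service Provider

Name Space Provider Entry
------------------------------------------------------
Description:      Tcpip
"""
HEALTHY_SAMPLE = "".join(
    f"{ENTRY_HEADER}\n{'-' * 54}\nEntry Type:       Base Service Provider\n"
    f"Description:      {name}\n\n" for name in REQUIRED_PROVIDERS
) + AFFECTED_SAMPLE

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_SAMPLE), ("affected", AFFECTED_SAMPLE)):
        missing = missing_providers(text)
        print(label, "->", "OK" if not missing else "MISSING: " + ", ".join(missing))
```

To use it on real data, redirect the command's output to a text file on each server and pass the file contents to missing_providers(); an empty list means both providers are present.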

This topic is archived. No further replies will be accepted.
