Windows Server 2003 IPSEC blocking mode event 4292
Hi, I have a problem on several servers. After updates distributed via WSUS, random servers are entering IPSec blocking mode. Basically it is this:

Event Type: Error
Event Source: IPSEC
Event Category: None
Event ID: 4292
Date:
Time:
User: N/A
Computer: COMPUTER_NAME
Description: The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions.

Sometimes this solution http://support.microsoft.com/kb/912023 works, and I am also using this:

net stop policyagent
regsvr32 polstore.dll
net start policyagent

+ a reboot of the server, and it is working. I know that a workaround for this is deploying a GPO with IPSec disabled, but I would like to know why this is happening. Do you know about any KB to solve or prevent this? Thanks in advance, Wojciech
June 28th, 2011 3:52am

Hi Wojciech, Thanks for posting here. Can you verify the number of these hotfixes that you just patched on the servers since this issue occurred? You may try the workaround which is discussed in the blog below to modify the registry key and see how it goes:

Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/b/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

Thanks. Tiger Li

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 29th, 2011 4:10am

We are also seeing this issue, across multiple servers at multiple sites. I believe it is specific to 2003. It is not the DNS ports issue from 2008. This is from patches released in June/2011. We have only been able to work around it so far by disabling IPSec and rebooting, but will be trying the resolution Wojciech mentioned when possible. I am still trying to narrow down which patches were applied to all the affected servers. I have an open ticket for this with PSS and will post back if I find more information. Mostly I was glad to see we aren't the only ones seeing this and wanted to help get the word out and escalate this issue. Joel Asaro
June 29th, 2011 2:13pm

Hi guys, and thanks for the replies. I can't confirm if this issue is caused by installing MS08-037 (951746 and 951748) because I wasn't able to access my company WSUS :) I will try to check it tomorrow and I will let you know what patches were deployed when the server entered IPSec blocking mode. As Joel wrote, blocking mode didn't occur on 2008, and the solution to this is pretty easy to implement in small environments. In larger ones it is extremely difficult due to DB server downtime etc. I can't 100% agree with Joel that it is caused by the June patches because I fixed several servers in January and February. I will keep you posted about my investigation, and if you find something please share. Cheers!
June 29th, 2011 2:51pm

Hi Wojciech, Thanks for the update. Actually you can verify the latest patched hotfix by checking the update history on that server. If there is any update on this issue please feel free to let us know. Thanks. Tiger Li
July 3rd, 2011 10:25pm

Right now I am waiting for account creation, and I will log a support ticket with Microsoft since this is a painful issue. I will let you know about the cause and solution. Cheers, Wojciech
July 4th, 2011 1:57pm

No probs Joel, I will do that tomorrow. Cheers
July 5th, 2011 1:14pm

I have made some progress in working with Microsoft PSS and thought I would share what I have seen so far. Curious if you can confirm that this is the case for your servers as well. It looks like IPSec was symptomatic of Winsock corruption. I was able to recreate the issue in a VM with a minimal install of Windows, patches and our management software. Doing a "netsh winsock reset" does resolve the issue, but obviously, the aim is to determine the cause and ultimately prevent it.

Digging on my own I found the following KB, which was helpful in diagnosing the winsock issue further: http://support.microsoft.com/kb/811259

Using "netsh winsock show catalog" on our affected servers, it looks like the following components are missing:

MSAFD Tcpip [TCP/IP]
MSAFD Tcpip [UDP/IP]

I am hopeful this will allow us to detect the issue before rebooting, but I am still working on determining the cause.
July 15th, 2011 2:19pm
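
An added example, not part of the original post and not Microsoft's or the poster's code: the pre-reboot check described above, applied to saved "netsh winsock show catalog" output collected from several servers. The host names, the sample captures and the exact field layout of the output are constructed assumptions; only the two provider names come from the post.

```python
import re

# Catalog entries the post reports as missing on affected servers.
REQUIRED = ("MSAFD Tcpip [TCP/IP]", "MSAFD Tcpip [UDP/IP]")
DESC = re.compile(r"^\s*Description:\s*(.+?)\s*$", re.MULTILINE)

def catalog_descriptions(netsh_output):
    """Description value of every provider entry in the captured text."""
    return DESC.findall(netsh_output)

def check_host(netsh_output):
    """Return (status, missing) for one server's captured catalog."""
    found = {d.lower() for d in catalog_descriptions(netsh_output)}
    if not found:
        # Empty or unparseable capture: never report it as healthy.
        return "no-data", list(REQUIRED)
    missing = [r for r in REQUIRED if r.lower() not in found]
    return ("affected" if missing else "ok"), missing

def triage(captures):
    """Map of host -> capture text; return only hosts needing attention."""
    results = {h: check_host(t) for h, t in captures.items()}
    return {h: r for h, r in results.items() if r[0] != "ok"}

def _entry(description):
    # Constructed sample entry; the field layout is an assumption.
    return ("Winsock Catalog Provider Entry\n"
            "------------------------------------------------------\n"
            "Entry Type:                         Base Service Provider\n"
            f"Description:                        {description}\n"
            "Provider Path:                      %SystemRoot%\\system32\\mswsock.dll\n\n")

# Constructed captures, not output from real servers.
SAMPLES = {
    "srv-ok": _entry("MSAFD Tcpip [TCP/IP]") + _entry("MSAFD Tcpip [UDP/IP]")
              + _entry("MSAFD Tcpip [RAW/IP]"),
    "srv-bad": _entry("MSAFD Tcpip [RAW/IP]"),
    "srv-empty": "",
}

if __name__ == "__main__":
    for host, (status, missing) in sorted(triage(SAMPLES).items()):
        print(host, status, ", ".join(missing))
```

A server flagged "affected" here still has working networking until IPSec next starts, so the check is meant to run after patching and before the reboot.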

Hey, This article is a little stale so I don't know if someone else had a more definitive answer. We ran into this issue today after some patches were applied (these were security patches from October). Took a while to diagnose that it was this issue, but after creating the workaround of disabling the IPSec service and restoring service I found this article: http://support.microsoft.com/kb/912023. I reviewed the registry and sure enough the registry key was missing, so I ran the regsvr32 command and it rebuilt the key. On reboot IPSec started up as expected. This doesn't necessarily give a reason why the key was deleted, but it was a definitive solution for this instance. Please note our server was not a domain controller, so the article is not limited to domain controllers.
October 13th, 2011 4:59pm

Hi Chris, yes, for sure it helps, but it doesn't say why it is so random and how to prevent it in advance. For sure it is not a big problem when you have a few servers, but if you are in a large organization it is a really big problem.
November 7th, 2011 4:52pm

I know this is an old thread but I wanted to note that this happened to me immediately after enabling and testing "Advanced Open File Option" in Symantec Backup Exec for our Exchange server. After enabling the option I manually ran the job from our backup server, then everyone lost connection to the Exchange server shortly thereafter. The backup job wouldn't cancel so I rebooted the Exchange server, then I couldn't RDP to it or ping it, so I logged in locally, found the issue, disabled the IPSec service and rebooted. For now the IPSec service is still disabled until I can reboot the server again, and I also disabled the Open File option in Backup Exec. The Symantec KB on the issue refers to the MS article:

http://www.symantec.com/business/support/index?page=content&id=TECH59748
http://support.microsoft.com/kb/912023
July 25th, 2012 11:08am


This isn't an answer to the problem. This solution, http://support.microsoft.com/kb/912023, is how to fix it. This thread isn't about how to solve the issue but about what is causing it.
July 26th, 2012 11:37am

This topic is archived. No further replies will be accepted.
