
How to fix corrupted IPSec policy on Windows server 2003


Symptoms

  1. Loss of connectivity to the server.
  2. As the server boots past the Windows splash screen into the gray backdrop with the status window, ping to the server starts to succeed.
  3. When the "Acquiring Computer Settings" message appears in the status window, before the logon prompt, ping fails and network connectivity is not restored.
  4. Within the OS, pinging the loopback address and the server's own hostname succeeds.
  5. The server cannot ping anything else on its subnet, even though the network adapter shows as connected.
  6. Pinging the gateway and other destinations fails (destination not reachable).
  7. The IPSEC service is not started.
  8. Starting the IPSEC service fails with "The system cannot find the file specified".
  9. Other symptoms are described in Microsoft Knowledge Base article 912023.

  References:
  http://support.microsoft.com/kb/870910
  http://support.microsoft.com/kb/912023

Resolution

On a Windows Server 2003 domain controller with a corrupted IPsec policy store, the machine cannot determine which traffic is allowed and which is not, so it takes the safe route and discards all traffic that is not permitted by the highly restrictive boot-time policy exemptions.

To fix it, repair the relevant registry keys from the command line and rebuild the policy store:

  REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /F

  REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start /T REG_DWORD /F /D 1

  regsvr32 -s polstore.dll

When the policy store is corrupted and cannot be read, IPsec falls back to "Block" mode, which blocks most traffic except DHCP, which the computer needs in order to start up. By deleting the local policy, restoring the IPSEC service start type and re-registering the policy store (which recreates the default local policy), the problem is resolved. For more information, see this Microsoft page:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b0b6adaa-6b38-4952-b055-14559f46e561.mspx

You may attempt to follow the resolution in Microsoft Knowledge Base article 912023, but consider the following before performing those steps.
  1. Ensure that the server's hard disks are in working condition. You can check this through the storage controller (RAID controller) utility. The usual errors to look out for are faulty hard disks or controller batteries that need to be replaced.
  2. Ensure that the file system is intact by running chkdsk. This confirms that the file system does not contain errors (note that /r on the system drive schedules the check for the next reboot).

    chkdsk {system drive} /f /r
  3. Ensure that the operating system files are checked for consistency (be prepared to insert the Windows Server 2003 CD). This is important if items 1 and 2 above reported errors on the server.

    sfc /scannow
  4. Delete the local policy registry subkey (if present):

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
  5. Rebuild the local policy store by running:

    regsvr32 polstore.dll
  6. Attempt to start the service and test network connectivity.
For exact details on steps 4 and 5, refer to the Microsoft article mentioned above.
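The whole recovery, with the checks a practitioner would want around it, as one script for cmd.exe. This is an added example, not code from the original post or from Microsoft: it exports the suspect policy key before deleting it (the delete discards any locally defined IPsec policy, so keep a copy), shows the service start type before and after, rebuilds the store, starts the IPsec Services (PolicyAgent) and then checks that netsh can read the rebuilt store and that the boot-mode configuration is visible. Run it from a console or Remote Desktop session, since the network is down. The backup path and the gateway address 192.0.2.1 are placeholders to adjust for your environment.

```batch
@echo off
setlocal
REM Added example (not from the original post): repair a corrupted IPsec
REM local policy store on Windows Server 2003. Run from an administrative
REM cmd.exe on the console. Backup path and gateway address are assumptions.

set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
set SVCKEY=HKLM\SYSTEM\CurrentControlSet\Services\IPSEC
set BACKUP=%SystemRoot%\Temp\ipsec-local-policy-backup.reg
set GATEWAY=192.0.2.1

echo [1] IPSEC driver service start type before the fix (1 = System is expected):
reg query %SVCKEY% /v Start

echo [2] Back up the (possibly corrupted) local policy store, then delete it
reg query %POLKEY% >nul 2>&1
if %errorlevel%==0 (
  if exist "%BACKUP%" del "%BACKUP%"
  reg export %POLKEY% "%BACKUP%"
  echo     exported to %BACKUP%
  reg delete %POLKEY% /f
) else (
  echo     %POLKEY% not present, nothing to delete
)

echo [3] Restore the IPSEC driver service start type
reg add %SVCKEY% /v Start /t REG_DWORD /f /d 1

echo [4] Rebuild the default local policy store
regsvr32 /s polstore.dll

echo [5] Start IPsec Services and check both the service and the driver state
net start PolicyAgent
sc query PolicyAgent | find "STATE"
sc query ipsec | find "STATE"

echo [6] Confirm the rebuilt store is readable and inspect boot mode / exemptions
netsh ipsec static show all
netsh ipsec dynamic show config

echo [7] Connectivity test against the default gateway
ping -n 2 %GATEWAY%
endlocal
```

If step 5 still reports "The system cannot find the file specified", the problem is not limited to the policy store; go back to the disk and file-system checks (items 1 to 3 above) before repeating the rebuild.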
