How to fix corrupted IPSec policy on Windows server 2003

Symptoms

  1. Loss of connectivity to the server.
  2. As the server boots past the Windows splash screen into the grey backdrop with the status window, ping starts responding.
  3. When the "Acquiring Computer Settings" message appears in the status window, prior to the login prompt, ping fails and network connectivity is not restored.
  4. While in the OS, loopback ping and ping to the server's own hostname succeed.
  5. The server cannot ping anything else on the subnet besides itself, even though the network adapter shows as connected.
  6. Pinging the gateway reports that the destination is not reachable.
  7. The IPSEC Service is not started.
  8. "The system cannot find the file specified" is returned when trying to start the IPSEC Service.
  9. Other symptoms are listed in Microsoft Article KB912023.

References:
  • http://support.microsoft.com/kb/870910
  • http://support.microsoft.com/kb/912023

Resolution

On a Windows Server 2003 DC, if the IPSec policy is corrupted the server cannot determine which traffic is allowed and which is not, so it takes the safe route and discards all traffic that is not permitted by the highly restrictive boot-time policy exemptions.

In order to fix it, we need to fix some registry keys from the command line:

  REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /F

  REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start /T REG_DWORD /F /D 1

  regsvr32 -s polstore.dll

When the policy store is corrupted and cannot be read, IPSec falls back to "Block" mode: it blocks most traffic except DHCP, which the computer needs in order to start up. Deleting the local policy, reconfiguring the IPSec service and re-registering the policy store (which recreates the default local policy) resolves the problem. For more information, see this Microsoft page:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b0b6adaa-6b38-4952-b055-14559f46e561.mspx

You may attempt to follow the resolution found in Microsoft Article KB912023, but consider the following before performing it.
  1. Ensure that the server hard disk is in working condition. You can check this through the storage controller (RAID controller) utility. The usual errors to look out for are a faulty hard disk or controller batteries that need to be replaced.
  2. Ensure that your file system is intact by running chkdsk. This ensures that your file system does not contain errors.

     chkdsk {system drive} /f /r

  3. Ensure that your operating system files are checked for consistency (be prepared to insert the Windows Server 2003 CD). This is important if items 1 and 2 above found errors on the server.

     sfc /scannow

  4. Delete the local policy registry subkey (if present):

     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local

  5. Rebuild the local policy store by running the command

     regsvr32 polstore.dll

  6. Attempt to start the service and test network connectivity.

For exact details on steps 4 and 5, please refer to the Microsoft Article mentioned above.
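As an added example (not part of the original post), the check-then-fix sequence above as a PowerShell script: it reports the state of the local policy key, the IPSEC driver start value and the service before touching anything, and only with -Fix applies the same three changes as the REG DELETE / REG ADD / regsvr32 commands. It assumes PowerShell 2.0 is installed on the Server 2003 host and runs in an elevated session; PolicyAgent is the service name behind the "IPSEC Services" display name, and the -Gateway parameter is introduced here for the connectivity test in step 6.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 on the
# Server 2003 host and an elevated session. Without -Fix it only reports;
# with -Fix it applies the same changes as the page's REG/regsvr32 commands.
param(
    [switch]$Fix,
    [string]$Gateway = ''   # optional: address to ping after the repair (step 6)
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'   # IPSec driver key
$polstore   = Join-Path $env:SystemRoot 'system32\polstore.dll'

function Get-IPSecState {
    # PolicyAgent is the service name shown as "IPSEC Services"
    $svc   = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue).Start
    New-Object PSObject -Property @{
        LocalPolicyKeyExists = Test-Path $policyKey
        IPSecDriverStart     = $start          # the page sets this to 1
        PolicyAgentStatus    = $(if ($svc) { $svc.Status } else { 'NotFound' })
        PolstoreDllPresent   = Test-Path $polstore
    }
}

function Repair-IPSecPolicyStore {
    if (Test-Path $policyKey) {
        Remove-Item -Path $policyKey -Recurse -Force                      # REG DELETE ... /F
    }
    Set-ItemProperty -Path $serviceKey -Name Start -Value 1 -Type DWord   # REG ADD ... /D 1
    & "$env:SystemRoot\system32\regsvr32.exe" /s $polstore                # rebuild default local policy
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 polstore.dll failed with exit code $LASTEXITCODE" }
    Start-Service -Name PolicyAgent
}

Write-Host '--- IPSec state before ---'
Get-IPSecState | Format-List
if ($Fix) {
    Repair-IPSecPolicyStore
    Write-Host '--- IPSec state after ---'
    Get-IPSecState | Format-List                 # LocalPolicyKeyExists should now be True
    if ($Gateway) { & ping.exe -n 2 $Gateway }   # succeeds once "Block" mode is gone
}
```

Run it once without -Fix to confirm the symptoms match (missing policy key or a non-running PolicyAgent), then with -Fix after the disk and file-system checks in steps 1 to 3 have come back clean.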
