  1. Senior Member
    Join Date
    Oct 2010
    Posts
    861

    Certifications
    CISSP, CEH
    #1

    IPSec Service issue

    Event ID 4292

    The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.
    This all of a sudden started happening the moment I rebooted the server. I disabled it so that it would get out of block mode, but I'm still curious how this happened. I tried restarting the service and that's when I get an error saying failed to start, cannot find file (even though the lsaa.exe is located in the system 32 folder). The last three Windows patches that were applied to the system were two security patches and the Windows Malicious Software Removal Tool.

    KB2507938
    KB2555917
    KB890830


    Prior to me performing our weekly reboots, it was taking forever to log off the server, either console or RDP. Prior to this, when we rebooted weekly, we sometimes got a few Netlogon errors, but we reduced that from 5 down to 1 because it was a NIC driver issue.

    Anyone have this type of error before?

  3. Senior Member
    Join Date
    Oct 2010
    Posts
    861

    Certifications
    CISSP, CEH
    #2
    -Update-

    So I've been searching through the registry, and under the system service called tcpip I selected the Parameters key, and it has a few more DWORDs than any of the other servers, which I find odd.

    MaxUserPort is one that is set to 65534 and TCPTimedWaitDelay is set to 30. I doubt these would force IPSec to go into block mode, but it is the only difference that I saw between the settings.



    Our servers run 2003 R2 SP2. This particular server is 32-bit.
    Last edited by higherho; 08-04-2011 at 03:48 PM.

  4. Senior Member
    Join Date
    Oct 2010
    Posts
    861

    Certifications
    CISSP, CEH
    #3
    So I think I found the culprit.

    You cannot connect to the Internet, and you cannot join or log on to the domain if Windows Server 2003 SP1 is installed on the authenticating domain controller

    Apparently, on the server I'm looking at, the IPSec policies / IPSec key is gone. Not sure how that happened.
