IPSec Service issue
higherho
Member Posts: 882
Event ID 4292
The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.
This all of a sudden started happening the moment I rebooted the server. I disabled it so that it would get out of block mode, but I'm still curious how this happened. I tried restarting the service and that's when I get an error saying failed to start, cannot find file (even though the lsaa.exe is located in the system32 folder). The last three Windows patches that were applied to the system were two security patches and the Windows Malicious Software Removal Tool.
KB2507938
KB2555917
KB890830
Prior to me performing our weekly reboots, it was taking forever to log off the server, either console or RDP. Prior to this, when we rebooted weekly we sometimes got a few Netlogon errors, but we reduced that from 5 down to 1 because it was a NIC driver issue.
Anyone have this type of error before?
Comments
-
higherho Member Posts: 882
-Update-
So I've been searching through the registry, and under the system services key called tcpip I selected the Parameters key, and it has a few more DWORDs than any of the other servers, which I find odd.
MaxUserPort is one that is set to 65534 and TCPTimedWaitDelay is set to 30. I doubt these would force IPsec to go into block mode, but it is the only difference that I saw between the settings.
Our servers run 2003 R2 SP2. This particular server is 32-bit.
-
higherho Member Posts: 882
So I think I found the culprit.
You cannot connect to the Internet, and you cannot join or log on to the domain if Windows Server 2003 SP1 is installed on the authenticating domain controller
Apparently, on the server I'm looking at, the IPsec policies / IPsec key is gone. Not sure how that happened.