Asked by chris_shaw

Intermittent 'The IPSec driver has entered Block mode' (Event ID 4292) errors on boot - then no IP communication with the server.

I now have 2 SBS 2003 servers which INTERMITTENTLY cannot be contacted after booting.  The cause is this error:
Event ID 4292. The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions.
User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.
For detailed troubleshooting information, review the events in the Security event log.

The solution is to reboot the server (without disabling services as suggested above), which will usually start OK the next time.  My problem is that I remote control these servers, so if this happens I need someone to intervene manually to sort the problem - not much good over a weekend if no-one is around.

I have searched for a solution - KB930220 does NOT apply here.  Because it is intermittent I think it may be something to do with timing, but I have not found a cause yet.

Any ideas? Chris.
Bertling


ASKER

Many thanks for the reply.

No - none of these apply:
870910 - There is no problem opening the policy
912023 - There is no corruption in the policy store - usually rebooting the server will result in the server booting fine with no problem (my problem is that I cannot always access the server to do this)
930220 - I have checked this fix and it does not apply to my servers - Administrators and SERVICES both belong to the Impersonate a client after authentication Properties policy setting.

I would like to emphasize again that this is an INTERMITTENT problem, the server will only do this SOMETIMES on rebooting.  If it does then another reboot will usually fix it, so it will not be the result of a setting which would result in this condition occurring every time.

Chris - are you also seeing

Event ID 7023
Source: Service Control Manager
The IPSEC Services service terminated with the following error:
Only one usage of each socket address (protocol/network address/port) is normally permitted.

shortly after the 4292?

Chavous,
I do indeed get these 7023 errors after the 4292.
Chris
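
An added example (not part of the thread, and not Microsoft's code) of the check asked about above: it pairs each Event ID 4292 with an Event ID 7023 carrying the socket-address error inside a time window. The function names, the 5-minute window and the sample records are assumptions; `Get-EventLog` is the Windows PowerShell cmdlet for the classic System log.

```powershell
# Added example. Pairs Event ID 4292 (IPSec Block mode) with an Event ID 7023
# that carries the socket-address error quoted in this thread.
# Assumption: "shortly after" is read as within $WindowMinutes (default 5).
function Find-IpsecBlockConflict {
    param(
        [object[]] $Events,
        [int] $WindowMinutes = 5
    )
    $sorted = @($Events | Sort-Object TimeGenerated)
    $blocks = @($sorted | Where-Object {
        $_.EventID -eq 4292 -and $_.Message -like '*Block mode*'
    })
    $svcErrors = @($sorted | Where-Object {
        $_.EventID -eq 7023 -and
        $_.Message -like '*IPSEC Services*' -and
        $_.Message -like '*Only one usage of each socket address*'
    })
    foreach ($b in $blocks) {
        $limit = $b.TimeGenerated.AddMinutes($WindowMinutes)
        $hit = $svcErrors | Where-Object {
            $_.TimeGenerated -ge $b.TimeGenerated -and $_.TimeGenerated -le $limit
        } | Select-Object -First 1
        $errAt = $null
        if ($hit) { $errAt = $hit.TimeGenerated }
        New-Object PSObject -Property @{
            BlockModeAt    = $b.TimeGenerated
            SocketConflict = [bool]$hit
            ServiceErrorAt = $errAt
        }
    }
}

# Constructed sample records shaped like Get-EventLog output (not real server data).
function New-SampleEvent($Time, $Id, $Text) {
    New-Object PSObject -Property @{
        TimeGenerated = [datetime]$Time; EventID = $Id; Message = $Text
    }
}
$sample = @(
    (New-SampleEvent '2008-09-01 08:00:10' 4292 'The IPSec driver has entered Block mode.'),
    (New-SampleEvent '2008-09-01 08:00:25' 7023 'The IPSEC Services service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.'),
    (New-SampleEvent '2008-09-15 07:30:00' 4292 'The IPSec driver has entered Block mode.')
)
Find-IpsecBlockConflict -Events $sample

# Live use in Windows PowerShell, run on the affected server:
# Find-IpsecBlockConflict -Events (Get-EventLog -LogName System)
```

A 4292 row with `SocketConflict` false had no matching 7023 inside the window, so that boot needs a separate look in the Security event log as the 4292 text advises.
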
ASKER CERTIFIED SOLUTION
chavousc
Chavous,
Thank you.  I would say that an update problem is very likely, as one of the servers has been operating without a problem for 4 years now, and this problem has only started occurring since July this year after the DNS cache poisoning updates (MS08-037) were applied.
I will study the blog in detail and apply the fixes a bit later in the week when I have time to do so, and will let you know the results.  It looks very promising.
Chris

Chris - any update? Did this solve your problem? I realize it was "intermittent" so it's hard to give a definite yes, but has it at least not occurred since?

Hello Chavous,
The only reason I have not got back to you is that, as you say, the proof of the solution is in the problem NOT reoccurring.  The issue would only happen let's say 1 in 10 reboots, and you will understand that servers do not get rebooted very often - maybe once in every two or three weeks.  The issue had not reoccurred on any of my servers over the past week even prior to the fix being applied.  I was reluctant to post as a 'solution' without being reasonably sure that it was.
But I am very confident that it will be a fix, because it is a completely plausible explanation for the random nature of this event.  Having only just applied the fix, I will leave it just a little longer before posting as a solution. Many thanks again for your help - I am very grateful.
Chris

Reason I asked... I actually had a server experiencing this about a day before you posted your question, and the problem hasn't happened again for me either since applying this, but being intermittent, I'm basically having to cross my fingers and hope.

mohjg

I have the same issue; I have added reserved ports.

Thanks for your help on this.  Chris
Awesome fix.  I had the same problem with this patch.  IPSEC wouldn't start and AUTD stopped pushing email to our field phones.  Major headache!!!!  I applied the fix from chavousc and so far no problems with AUTD or IPSEC!

Thanks a ton.

Thank you for this solution...IPSEC was my problem....intermittent block.

Thx, IPSEC problem, now solved.

Try giving modify permissions to the user group in the c:\system32\spool folder; it worked for me after 2 days trying to find a solution.