Monthly Archives: July 2011

Can ping server while it boots, but ping fails after start – IPSEC service loading issue.

I have seen this problem more than 10 times, but last night was the first time on a Hyper-V hosted W2K3 machine.
You can ping the machine while it boots, but the ping fails once it reaches the Ctrl+Alt+Del screen. A message about a failed service comes up, and when you log in there is no network connectivity.
In fact the NIC works perfectly: it looks connected and packets come and go, but the machine cannot ping in or out!
This is due to a Microsoft update (which I am still in the process of identifying) that damages the policy used by the IPSEC service.
I first tried to find out whether there was a problem with the NICs. I revealed all hidden devices by running (with admin privileges on W2K8) at the command prompt:
set devmgr_show_nonpresent_devices=1
and then opened Device Manager with
start devmgmt.msc
then View > Show hidden devices,
and removed all old NIC driver installations that I no longer needed.
Unfortunately this was not the cause. The issue is dealt with FAR more easily! If you examine your event viewer carefully you will find that something is wrong with your IPSEC service, which should appear with Automatic start but is not started in your Services console. Open the Services console and disable the IPSEC service. Reboot the server and, after it boots, all network connections will have been restored.
If you then try to start the IPSEC service again (which is highly recommended for corporate environments), it will probably fail, saying that it could not find the file it needed.
You may find a good workaround at the link below, but simply running
regsvr32 polstore.dll
(without quotes) at my command prompt did the job I needed. It repairs the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local, as that article describes.

Change the service back from Disabled to Automatic and it should start if you try it manually. Reboot and check again. This worked for me; I hope it does for you, and that you get home earlier than you expected!
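The checks and the repair described above, as an added PowerShell example (my code, not the post's own). It assumes the service's short name is PolicyAgent (display name "IPSEC Services"), an elevated PowerShell prompt, and polstore.dll in System32; event IDs 7000 and 7023 are the Service Control Manager's "failed to start" and "terminated with an error" events, which is where the failed-service message from the event viewer shows up.

```powershell
# Added example, not code from the original post. It automates the checks and the
# repair described in the post for the IPsec service on a Windows 2003-era server.
# Assumptions: the service's short name is PolicyAgent (display name "IPSEC Services"),
# the script runs in an elevated PowerShell prompt, and polstore.dll lives in System32.
$svcName = 'PolicyAgent'
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local'

function Get-IPsecServiceState {
    # Start mode comes from WMI because Get-Service on old PowerShell builds does not expose it.
    $svc = Get-Service -Name $svcName -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    New-Object PSObject -Property @{
        Name      = $svc.Name
        Status    = $svc.Status          # Running / Stopped
        StartMode = $wmi.StartMode       # Auto / Manual / Disabled
        PolicyKey = (Test-Path $polKey)  # $false matches the "file not found" symptom
    }
}

function Get-IPsecStartErrors {
    # Service Control Manager logs 7000 (failed to start) and 7023 (terminated with an error);
    # the message names the service, so filter on the IPsec display name.
    Get-EventLog -LogName System -Source 'Service Control Manager' -EntryType Error -Newest 100 |
        Where-Object { ((7000, 7023) -contains $_.EventID) -and ($_.Message -match 'IPSEC') }
}

function Disable-IPsecService {
    # Step 1 of the post: disable the service and reboot; the network comes back.
    Set-Service -Name $svcName -StartupType Disabled
    Write-Host "IPSEC service disabled; reboot the server now, then run Repair-IPsecPolicyStore."
}

function Repair-IPsecPolicyStore {
    # Step 2 of the post: re-register polstore.dll (silently), which recreates the
    # Policy\Local key, then return the service to Automatic and start it.
    & "$env:SystemRoot\System32\regsvr32.exe" /s "$env:SystemRoot\System32\polstore.dll"
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 polstore.dll failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path $polKey)) { throw "Policy key still missing after re-registration: $polKey" }
    Set-Service -Name $svcName -StartupType Automatic
    Start-Service -Name $svcName
    Get-IPsecServiceState
}

# Usage, in order:
# Get-IPsecServiceState
# Get-IPsecStartErrors | Format-List TimeGenerated, EventID, Message
# Disable-IPsecService        # then reboot
# Repair-IPsecPolicyStore     # then reboot once more and check the network
```

Run Get-IPsecServiceState first: a start mode of Auto with a Stopped status and PolicyKey equal to $false is exactly the state the post describes, and the event log query confirms which service the failed-service message referred to before anything is changed.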

Have a good day 🙂


VPN network problems on multigateway infrastructures

Many people ask me about VPN network problems they face when they have multi-gateway environments in their infrastructure, so I decided to share some of my experience on this.
Let's take a simple scenario, shown on the sketch below.
Some VPN users connect through VPN (IPsec, L2TP etc.) to your local LAN and use some of your internal apps. The problem some of us have faced in the past is that they can reach some servers but not others, or they can ping (reach) a server but somehow the application they use does not work the way it is supposed to. This may happen because of different gateways. For example, I have a FreePBX serving VoIP apps on my internal LAN, and that server uses one gateway, e.g. one address, while the internal DHCP points clients at a different gateway. VPN clients that get their IP settings from that DHCP will never be able to register their account on the PBX.
The reason is simple once you put things down on pen and paper...
The packet that leaves the VPN computer/device, addressed to the IP/name of the server hosting the application, will reach the server. But the server, having a different gateway than the one the VPN client came through, will never get its response back to the client, because it sends its response packet by another way, another gateway to be exact!
So if you want to avoid this, you should carefully design your DHCP server according to the gateways your service servers have, and your external clients as well.
This may also happen when you have an Exchange server whose gateway is one ISA, but which is published through another ISA. You can access your OWA/OMA/ActiveSync only when your Exchange server has as its gateway the ISA that publishes its services.
I discussed this with a colleague and we considered putting a second NIC in the server so that it could have both gateways. Multiple gateways, though, may cause other problems, sometimes not seen directly... From my point of view you should check your actual needs and infrastructure before going for such a solution.
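The pen-and-paper reasoning above, covering both the PBX case and the Exchange/ISA case, as an added PowerShell example (not the author's code). All addresses and route tables are constructed for the illustration; the server's route selection is modelled as the usual longest-prefix match. The first scenario shows the reply leaving through the wrong gateway, the second applies the post's remedy (make the VPN/publishing gateway the server's default gateway), and the third goes beyond the post by keeping the default gateway and adding a route for the VPN pool only.

```powershell
# Added example, not from the original post: a pen-and-paper model of the reply path
# from an internal server back to a VPN client. All addresses below are constructed.
function ConvertTo-UInt32 ([string]$ip) {
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                  # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixMask ([int]$len) {
    # Mask with the top $len bits set; avoids -shl, which needs PowerShell 3.0.
    [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
}

function Resolve-NextHop ([string]$dest, [object[]]$routes) {
    # Longest-prefix match over a list of @{Prefix; PrefixLen; Gateway} entries.
    $d = ConvertTo-UInt32 $dest
    $best = $null
    foreach ($r in $routes) {
        $m = Get-PrefixMask $r.PrefixLen
        if (((ConvertTo-UInt32 $r.Prefix) -band $m) -eq ($d -band $m)) {
            if (($null -eq $best) -or ($r.PrefixLen -gt $best.PrefixLen)) { $best = $r }
        }
    }
    if ($null -eq $best) { return $null }
    return $best.Gateway
}

function Test-ReturnPath ([string]$clientIp, [string]$ingressGateway, [object[]]$serverRoutes) {
    # The client's packet entered the LAN through $ingressGateway (the VPN box or the
    # publishing ISA). The server picks the reply's next hop from its own table; if that
    # is a different gateway, the reply leaves through the wrong device and the client
    # never sees it, which is the "ping works but the app does not" symptom.
    $hop = Resolve-NextHop $clientIp $serverRoutes
    New-Object PSObject -Property @{
        ClientIp     = $clientIp
        ReplyNextHop = $hop
        Symmetric    = ($hop -eq $ingressGateway)
    }
}

# Constructed scenario: two gateways on the LAN, the VPN pool (10.8.0.0/24) behind one of them.
$inetGateway = '192.168.1.1'   # ISA/router that the PBX uses as its default gateway
$vpnGateway  = '192.168.1.2'   # ISA/VPN concentrator the remote users come in through
$pbxRoutes = @(
    @{ Prefix = '192.168.1.0'; PrefixLen = 24; Gateway = 'on-link' },
    @{ Prefix = '0.0.0.0';     PrefixLen = 0;  Gateway = $inetGateway }
)

# 1. Server default gateway differs from the VPN gateway: the reply goes the wrong way.
Test-ReturnPath '10.8.0.15' $vpnGateway $pbxRoutes

# 2. The post's remedy: the server's default gateway is the gateway the clients come through.
$alignedRoutes = @(
    @{ Prefix = '192.168.1.0'; PrefixLen = 24; Gateway = 'on-link' },
    @{ Prefix = '0.0.0.0';     PrefixLen = 0;  Gateway = $vpnGateway }
)
Test-ReturnPath '10.8.0.15' $vpnGateway $alignedRoutes

# 3. Beyond the post: keep the default gateway and add a route for the VPN pool only.
$routedRoutes = $pbxRoutes + @(@{ Prefix = '10.8.0.0'; PrefixLen = 24; Gateway = $vpnGateway })
Test-ReturnPath '10.8.0.15' $vpnGateway $routedRoutes
```

On a real server the same check is "route print" next to the address pool your VPN gateway hands out; the model only makes the mismatch visible before the help-desk call does. The third scenario is the narrower fix, since it leaves internet-bound traffic on the original gateway, but it has to be repeated on every published server, which is why the post's DHCP-design advice is the simpler policy.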
Have a good day with fewer IT issues 🙂