I have an IPSec policy applied to my DCs via GP (default domain controller policy). The RSoP on two DCs indicate that the policy is there and applied. However, 'netsh ipsec static show policy all' shows the policy on one but not the other! This is in line with what the servers are doing - the one that shows the DC policy in the netsh command is blocking the traffic I want but the one that doesn't show it in netsh is not blocking the traffic it should.
So why do the RSoP say that the policy is there and applied and there are no errors that I can find when policy is, in fact, not applied?
Troubleshooting IPSec is soooooo painful!!!
It's possible that you're hitting an issue with policy download/application. RSoP should be saying that the policy is assigned. The expectation is that all assigned policy is properly applied, however it doesn't sound like that's happening for one of your machines.
As an initial troubleshooting step, do a 'gpupdate /force' on the machine missing policy, then check the event logs to see if there were any group policy download errors. I'd start with anything dealing with UserEnv. Also look to see if there were any policy application errors from PolicyAgent or maybe GPTExt.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
"db" <db[ at ]discussions.microsoft.com> wrote in message news:8A10D508-279F-4DEA-BA75-F8E58A70938D[ at ]microsoft.com...
Thanks for the info David. Here's what I got back...
gpupdate /force
Event ID: 1704 - Security policy in the Group policy objects has been applied successfully.
The GPText.log was somewhat cryptic but it didn't seem like anything was wrong.
PolicyAgent - Where would I check this?
Thanks again for your help!
db
"David Beder [MSFT]" <dbeder[ at ]online.microsoft.com> wrote in message news:%23ec3x6ZqHHA.264[ at ]TK2MSFTNGP06.phx.gbl...
BTW, even though the event says the policy was applied it's still not. Server still responds on ports it shouldn't and the IPSec Monitor has nothing in it - no IKE Policies, no Specific or Generic Filters.
"Dav" <here[ at ]work.com> wrote in message news:OFYpdGRrHHA.4740[ at ]TK2MSFTNGP02.phx.gbl...
I'd check the registry next. On both machines, check the keys/values under hklm\software\policies\microsoft\windows\ipsec\ and note any differences.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
"Dav" <here[ at ]work.com> wrote in message news:uCOyORRrHHA.1200[ at ]TK2MSFTNGP04.phx.gbl...
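Added example, not code from the thread or from Microsoft: a PowerShell script that carries out the two checks David describes, in his first reply (gpupdate /force followed by a look at the event logs for Userenv/PolicyAgent errors) and above (comparing HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec between the two domain controllers), and then lists what 'netsh ipsec static show policy all' reports on each. It assumes PowerShell remoting (WinRM) to both DCs and read access to HKLM on them, which the Windows Server 2003 machines in the thread would not have had (there the same checks are done by hand in Event Viewer and regedit); the host names DC-WORKS and DC-BROKEN are placeholders.

```powershell
# Added example, not from the thread. Placeholder host names; assumes PowerShell
# remoting (WinRM) to both DCs and rights to read HKLM on them.
param(
    [string]$GoodDc = 'DC-WORKS',   # DC where netsh shows the DDC IPsec policy
    [string]$BadDc  = 'DC-BROKEN'   # DC where RSoP says "applied" but netsh shows nothing
)

$ipsecKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'

# Step 1: refresh computer policy on the suspect DC, then collect warnings and
# errors from the last 30 minutes written by the sources David names
# (Userenv, PolicyAgent) plus the IPsec and Group Policy providers.
$since = (Get-Date).AddMinutes(-30)
Invoke-Command -ComputerName $BadDc -ArgumentList $since -ScriptBlock {
    param($since)
    gpupdate /target:computer /force | Out-Null
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Level     = 1, 2, 3          # critical, error, warning
        StartTime = $since
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.ProviderName -match 'Userenv|PolicyAgent|IPSec|GroupPolicy' } |
      Select-Object TimeCreated, ProviderName, Id, Message
} | Format-Table -Wrap

# Step 2: flatten every value under the IPsec policy key (root key included) to
# "key\name=value" lines so the two machines can be compared line by line.
# REG_BINARY policy blobs are rendered as hex so differences are visible.
$dumpKey = {
    param($key)
    if (-not (Test-Path $key)) { return "MISSING: $key" }
    @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse) | ForEach-Object {
        $k = $_
        $props = Get-ItemProperty -Path $k.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $v = if ($p.Value -is [byte[]]) { [BitConverter]::ToString($p.Value) } else { "$($p.Value)" }
            "$($k.Name)\$($p.Name)=$v"
        }
    }
}

$good = Invoke-Command -ComputerName $GoodDc -ScriptBlock $dumpKey -ArgumentList $ipsecKey
$bad  = Invoke-Command -ComputerName $BadDc  -ScriptBlock $dumpKey -ArgumentList $ipsecKey

# Step 3: lines present on only one side. '<=' means only on the working DC
# (for example the DDC policy under ...\IPSec\Policy\Cache), '=>' only on the
# broken one. No output here means the registry state is identical.
Compare-Object -ReferenceObject $good -DifferenceObject $bad |
  Sort-Object SideIndicator, InputObject |
  Format-Table SideIndicator, InputObject -AutoSize -Wrap

# Step 4: what the policy agent has actually loaded on each DC. This, not the
# RSoP/1704 result, is the state that decides whether traffic is filtered.
foreach ($dc in $GoodDc, $BadDc) {
    "== $dc =="
    Invoke-Command -ComputerName $dc -ScriptBlock { netsh ipsec static show policy all }
}
```

The diff in step 3 is the check that matters for this thread: event 1704 and a clean RSoP only say that Group Policy handed the security settings to the client-side extension, whereas the entries under IPSec\Policy\Cache and \Local plus the netsh output show whether the policy agent actually loaded and is enforcing the policy. A DC that reports "applied" but has no entry for the DDC policy in its cache and nothing in netsh is open on the ports the policy was meant to block, so the enforcement state, not the reporting state, is what to monitor.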
The settings are the same until I get to Policy. The server that is behaving correctly has many more entries under Cache and Local than does the one that's not working. Including the named policy from the DDC GPO - it's in the cache of the one that's working and not the one that isn't.
Does this mean anything to you? It almost seems like it's not getting the policy even though RSoP says it is. I did a search in that part of the registry for the policy name and got nothing back.
db
"David Beder [MSFT]" <dbeder[ at ]online.microsoft.com> wrote in message news:OLw9WrmrHHA.4108[ at ]TK2MSFTNGP06.phx.gbl...