ipsec? Could be a problem?

wmaruya
Level 1

I have a site-to-site IPsec VPN tunnel established. I can connect to the server on the other side of the tunnel. When I log on to the domain, the logon takes 10 min and then times out. I get an error saying that the authenticating server could not establish a secure connection. This is a Windows 2000 domain and the clients are Windows XP. The first question: can Kerberos go through the IPsec tunnel, and if so, do I need to make any configuration changes on my PIX? Is there any other configuration that I need to do? This is kind of funny because I can join the domain but not log on to it. I know DNS is OK because nslookup says so.

Any thoughts?

Thanks in advance

2 Replies

thult
Level 1

This could be a fragmentation problem. Kerberos traffic normally uses UDP, and sometimes when logging in with a user that holds a lot of rights in the AD, or when doing a lot of AD or Exchange replication, the packets can get near 1500 bytes.

When the encryption portions are added to the packets, they sometimes have to be fragmented.

As some equipment (some routers...) does not allow fragmented UDP packets to pass, it will simply drop those packets.

Another scenario would be if the receiving equipment receives the fragmented UDP packet #2 before #1. It would then also drop the packets.

The solution would be one of the following:

Lower the MTU of the outside interface (1400 or lower)

Change the MTU of the NICs in your DC.

Change Kerberos to use TCP instead of UDP.

Here are some links to check:

Ports that need to be open for AD-replication

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Some other information:

Q224196 Restricting Active Directory Replication Traffic to a Port

http://support.microsoft.com/support/kb/Articles/q224/1/96.asp

Q233256 How to Enable IPSec Traffic Through a Firewall

http://support.microsoft.com/support/kb/Articles/q233/2/56.asp

Q254728 IPSec Does Not Secure Kerberos Traffic Between DCs

http://support.microsoft.com/support/kb/Articles/q254/7/28.asp

Hope this helps

//Tomas
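The reply above rests on one piece of arithmetic: a Kerberos/UDP datagram that fits the link in clear text can stop fitting once the PIX wraps it in ESP, and the encrypted packet is then fragmented where filters tend to drop it. The following script works that arithmetic through; it is an added example, not code from the thread or from Cisco. It assumes ESP tunnel mode with a 3DES-CBC or AES-CBC cipher and a 96-bit HMAC integrity check, no NAT-T UDP encapsulation (which would add another 8 bytes), and IPv4 headers without options; the sample message sizes are constructed.

```python
# Added example (not from the thread): estimate whether a Kerberos UDP
# datagram still fits the path MTU once the VPN device wraps it in ESP
# tunnel mode. Overhead figures are the standard ESP tunnel-mode sizes;
# NAT-T UDP encapsulation (another 8 bytes) is assumed to be off.

IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-MD5-96 / HMAC-SHA1-96 integrity check value

# cipher -> (IV length, cipher block size), both in bytes
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}


def esp_tunnel_size(inner_len, cipher="3des-cbc"):
    """Size on the wire of an inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation (new outer IP header included)."""
    iv_len, block = CIPHERS[cipher]
    # Payload plus ESP trailer is padded up to the cipher block size.
    padding = (-(inner_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + inner_len + padding + ESP_TRAILER + ESP_ICV


def classify(kerberos_len, mtu=1500, cipher="3des-cbc"):
    """Where (if anywhere) a Kerberos/UDP message of kerberos_len bytes
    gets fragmented on a path with the given MTU."""
    inner_len = IP_HDR + UDP_HDR + kerberos_len
    if inner_len > mtu:
        # The sending host fragments before encryption; each fragment is
        # encrypted on its own and reassembled by the peer after decryption.
        return "fragmented-before-encryption"
    if esp_tunnel_size(inner_len, cipher) > mtu:
        # Clear text fits, ciphertext does not: the VPN device fragments the
        # ESP packet, which is the case intermediate filters tend to drop.
        return "fragmented-after-encryption"
    return "fits"


def max_kerberos_udp(mtu=1500, cipher="3des-cbc"):
    """Largest Kerberos UDP payload that crosses the tunnel unfragmented."""
    for kerberos_len in range(mtu, 0, -1):
        if classify(kerberos_len, mtu, cipher) == "fits":
            return kerberos_len
    return 0


if __name__ == "__main__":
    # Constructed sample sizes: a small AS-REQ, and TGS replies bloated by the
    # PAC of a user with many group memberships.
    for size in (300, 1400, 1450):
        print(f"{size:5d} bytes: {classify(size)}")
    print("largest unfragmented Kerberos/UDP payload at MTU 1500 (3DES):",
          max_kerberos_udp())
    print("same with a 1400-byte path MTU:", max_kerberos_udp(1400))
```

With 3DES and a 1500-byte MTU the script shows a Kerberos payload of 1400 bytes still fitting (1480 bytes on the wire) while 1450 bytes does not (1528 bytes), which is the narrow band the reply describes. Of the three fixes listed, forcing Kerberos onto TCP sidesteps the UDP fragment problem entirely; on Windows 2000 and XP clients that is the MaxPacketSize DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, set to 1 so every Kerberos message exceeds the UDP threshold and goes over TCP.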

It's difficult to suggest a solution when the problem isn't clear... Try running some debugs on the routers or firewalls in your network. The output will help determine the problem.

cheers,

robert