IPSEC Policy missing from registry.
Unable to ping PBX (M1) from CallPilot
Problem Description:
CallPilot ELAN comes up at start of boot and then drops. After that, the CallPilot cannot ping out or in. CallPilot can ping its own IP but nothing else. The following error is seen:
9/25/2006 11:10:22 AM NGen Error Critical 40592 N/A ANCCALLPILOT Event from Fault Management Service[IPSec] : Event from , Event: ID= 4292, Description: The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.
Cause of Problem:
The IPSec driver has entered Block mode. IPSec discards all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. A corrupted file in the policy store causes this problem. An interruption that occurs when the policy is being written to the disk can cause the corruption.
Problem Resolution:
1. Back up the registry before you modify it. Ensure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, search for kb article 256986 to view the article in the Microsoft Knowledge Base at www.microsoft.com.
2. Serious problems can occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems could require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To resolve this issue, delete the following registry subkey (the local IPSec policy store) and then rebuild the policy:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
Perform the following steps:
1. Delete the local policy registry subkey. To do this, follow these steps:
a. Click Start, click Run, type regedit, and then click OK.
b. In Registry Editor, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
c. On the Edit menu, click Delete.
d. Click Yes to confirm that you want to delete the subkey.
e. Quit Registry Editor.
2. Rebuild a new local policy store. To do this, click Start, click Run, type regsvr32 polstore.dll, and then click OK.
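The same backup, delete and rebuild sequence can be scripted with reg.exe and regsvr32.exe rather than clicked through in Registry Editor. The following batch script is an added example, not part of the original article or of CallPilot; the backup path and the PBX ELAN address it pings afterwards are constructed placeholders, and it assumes it is run from an Administrator command prompt on the CallPilot server.

```batch
@echo off
REM Added example (not from the original article): automates the documented
REM IPSec local policy store rebuild on Windows 2003 using reg.exe and
REM regsvr32.exe. Run from an Administrator command prompt on the CallPilot.
REM Assumed/constructed values: backup file location and the PBX ELAN address.
setlocal

set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
set BACKUP=%TEMP%\ipsec_policy_local_%RANDOM%.reg
set PBX_IP=192.168.0.1

REM 1. Back up the subkey before touching it (the article's first step).
REM    reg export fails if the key is absent, so check for it first.
reg query "%POLKEY%" >nul 2>&1
if errorlevel 1 (
    echo Subkey %POLKEY% is not present - nothing to delete.
    goto rebuild
)
reg export "%POLKEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; aborting without changing the registry.
    exit /b 1
)
echo Backup written to %BACKUP%

REM 2. Delete the (possibly corrupted) local policy subkey; /f skips the prompt.
reg delete "%POLKEY%" /f
if errorlevel 1 (
    echo Could not delete %POLKEY%; aborting. Restore from %BACKUP% if needed.
    exit /b 1
)

:rebuild
REM 3. Rebuild an empty local policy store; /s suppresses the regsvr32 dialog.
regsvr32 /s polstore.dll
if errorlevel 1 (
    echo regsvr32 polstore.dll failed.
    exit /b 1
)

REM 4. Verify: list the policies now in the local store and confirm the PBX
REM    answers on the ELAN once the IPSec driver is no longer in Block mode.
netsh ipsec static show policy all
ping -n 2 %PBX_IP%

endlocal
```

The script stops before any change if the backup cannot be written, so the registry is only modified once a copy of the subkey exists on disk. Keep the exported .reg file until the CallPilot has been confirmed to reach the PBX again; double-clicking it restores the deleted subkey if the rebuild has to be rolled back.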
Limitations:
This workaround applies only to Windows 2003 systems.
Correction:
Once the local policy store has been restored, corrective content to prevent further occurrences has been added to Service Updates:
- CP40404SU04S - If you are on Rls. 4 and below, please install the update at the next available maintenance window.
- CP50041SU02S - If you are on Rls. 5 and below, please install the update at the next available maintenance window.
Any subsequent Service Update PEPs will contain the fix.
UPDATE: IPSec and Firewalls:
To make IPSec work through firewalls, open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters.
- UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded.
- IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded.
- IP protocol ID 51 should be set to allow Authentication Header (AH) traffic to be forwarded.