Troubleshoot VPN, L2TP & IPSec

This page deals with VPN troubleshooting. You can find other network troubleshooting resources here:

How to configure a VPN connection to your corporate network in Windows XP Professional

This step-by-step article describes how to configure a virtual private network (VPN) connection to your corporate network in Microsoft Windows XP Professional. A VPN connection is a connection that uses both private and public networks to create a network connection.
How to configure a connection to a virtual private network (VPN) in Windows XP

This step-by-step article describes how to create a new VPN connection in Microsoft Windows XP.
How to Disable NetBT Proxy on Incoming Connections

By default, Netbios Proxy is enabled for incoming Remote Access Service (RAS) or virtual private network (VPN) connections on Windows XP and Windows Server 2003-based systems. This setting permits RAS clients to resolve the Netbios name on the local area network (LAN) that the RAS client is connected to. If you run the Ipconfig /all command from the command shell on the computer that is configured as the RAS or VPN server, this returns the information that the WINS Proxy Enabled value is set to Yes. In some cases, you may want to disable this setting.
How to Configure Windows XP ICS for an Internal PPTP Server

Windows XP includes support for Internet Connection Sharing (ICS), which provides the ability to share an internet connection with other computers on a local network. ICS in Windows XP allows services to be mapped to hosts on the internal network, so that requests coming from the internet and destined for a particular service will be redirected by Windows XP to the appropriate computer on the internal network.

For example, you may want to place a Point-to-Point Tunnelling Protocol (PPTP) server on the internal network and configure Windows XP ICS to forward the Virtual Private Networking (VPN) traffic to the PPTP server. This article describes the process that is required to map PPTP back to an internal host, so that an incoming VPN connection can pass through the Windows XP ICS computer. For the purposes of this article, it is assumed that the PPTP server is already configured properly and is able to accept PPTP connections from clients on the local network.
How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000

The Windows Kerberos authentication package is the default authentication package in Microsoft Windows Server 2003, in Microsoft Windows XP, and in Microsoft Windows 2000. It coexists with the NTLM challenge/response protocol and is used in instances where both a client and a server can negotiate Kerberos. Request for Comments (RFC) 1510 states that the client should send a User Datagram Protocol (UDP) datagram to port 88 at the IP address of the Key Distribution Center (KDC) when a client contacts the KDC. The KDC should respond with a reply datagram to the sending port at the sender's IP address. The RFC also states that UDP must be the first protocol that is tried.

A limitation on the UDP packet size may cause the following error message at domain logon:

Event Log Error 5719
Source NETLOGON

No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:

There are currently no logon servers available to service the logon request.
Additionally, the Netdiag tool may display the following error messages:

Error message 1

DC list test........... : Failed [WARNING] Cannot call DsBind to
COMPUTERNAMEDC.domain.com (159.140.176.32).
[ERROR_DOMAIN_CONTROLLER_NOT_FOUND]

Error message 2

Kerberos test........... : Failed [FATAL] Kerberos does not have a ticket for
MEMBERSERVER$.

The Windows XP event log entries that are symptoms of this issue are SPNegotiate 40960 and Kerberos 10.

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
How to use a Handheld PC or a Pocket PC as a Mobile Terminal

Increasingly, users of wireless mobile devices require access to the functionality of their desktop computers. Windows XP and Windows 2000 permit you to do this. By using the Handheld PC or the Pocket PC, you can connect to an application server and run programs just as if you were sitting at the server computer itself. Connections to application servers can be made across wireless local area networks (LANs), or across the Internet by using virtual private networking (VPN).
How to Share a PPPoE Internet Connection with Windows XP

You can use the Windows XP Internet Connection Sharing (ICS) feature for network and dial-up connections to connect your home network or your small-office network to the Internet. For example, you may have a home network in which a Windows XP-based computer connects to the Internet by using a PPPoE broadband connection. If you enable ICS on the computer that uses the PPPoE connection, you can provide network address translation (NAT), addressing, and name resolution services for all of the computers on your network.

If your home office users need to gain access to a corporate network that is connected to the Internet by a tunnel server, the users need to create a virtual private network (VPN) connection to tunnel from the computer on the ICS network to the corporate tunnel server on the Internet. The VPN connection is authenticated and secure, and creating the tunnelled connection allocates proper IP addresses, DNS server addresses, and WINS server addresses for the corporate network.
List of Third-Party VPN Clients That Are Blocked From Being Installed on a Windows XP-Based Computer

The following VPN client programs are blocked from being installed on a Windows XP-based computer. Note that a hardblock indicates that an upgrade from a previous operating system to Windows XP will be blocked until the client program is uninstalled. A softblock indicates that upgrades will not be blocked, but the installation of the client on a Windows XP-based computer will not be allowed:
  • Cisco 3000 client
    • Version 2.5.2 - Hardblocked
    • Version 3.0.2 - Hardblocked
  • Cisco 5000 client
    • Version 4.0.2.18 - Softblocked
    • Version 5.0.0.12 - Softblocked
  • Nortel Extranet Access Client
    • Versions 2.62d/i - Hardblocked
    • Version 3.70 - Hardblocked
How To Change the Default Maximum Transmission Unit (MTU) Size Settings for PPP Connections or for VPN Connections

This step-by-step article describes how to edit the registry to change the default maximum transmission unit (MTU) size settings for Point-to-Point Protocol (PPP) connections or for virtual private network (VPN) connections.
How To Configure a Preshared Key for Use with Layer Two Tunnelling Protocol Connections in Windows XP

This article discusses how to configure a preshared key using the Layer Two Tunnelling Protocol (L2TP).
VPN Client in Windows XP Disconnects After One Minute

After you install Service Pack 1 (SP1) for Windows XP, your computer may drop virtual private network (VPN) connections that are using Point-to-Point Tunneling Protocol (PPTP) after about 55 seconds.
Cannot Install CISCO VPN Client on Windows XP

You may be unable to install the Cisco virtual private network (VPN) client on your Windows XP-based computer.
Your VPN connection is disconnected after several minutes in Windows XP

If you are using an external firewall device or a network address translation (NAT) device on a Microsoft Windows XP-based computer, and you establish a virtual private network (VPN) connection, the VPN connection may be disconnected after about five minutes.
Error Message: VPN Connection Error 800: Unable to Establish Connection

When you try to establish a virtual private network (VPN) connection, you may receive the following error message:

Error 800: Unable to establish connection
You cannot establish a VPN connection by using a dial-up connection on a Windows XP-based computer

Consider the following scenario:
  • You try to establish a virtual private network (VPN) connection by using a dial-up connection on a Microsoft Windows XP-based computer.
  • The Windows XP-based computer uses a Cisco VPN client.
  • The Windows XP-based computer uses a security solution that implements an intermediate driver by using a custom filter class. For example, the computer may use a security solution such as Senforce Enterprise Mobile Security Manager.
In this scenario, the VPN client cannot establish the connection and stops responding.
Poor Sound Quality in Windows Messenger over a VPN Connection

You may experience poor sound quality in Microsoft Windows Messenger when you use this component over a virtual private network (VPN) connection.
You May Not Be Able to Log On to the Domain with VPN If a Winsock Proxy Is Enabled

You may not be able to log on to your domain by using a virtual private network (VPN) if you have the Microsoft Proxy 2.0 client or the Microsoft Internet Security and Acceleration (ISA) Server 2000 client installed, and the proxy server can be reached only by using the VPN connection.

This behavior occurs only if you refer to the VPN server by a Domain Name System (DNS) name instead of by the IP address when you create the VPN connection.
Custom Connection Manager Dial-up Dialer Will Not Work After Custom VPN Dialer Is Used

When you use Connection Manager Administration Kit (CMAK) to create a custom dial-up Connection Manager dialer and a custom virtual private network (VPN) Connection Manager dialer, and you use both dialers on one computer, the dial-up Connection Manager will not work after the VPN Connection Manager dialer has been used.
List of Error Codes for Dial-up Connections or VPN Connections

This article lists the error codes that you may receive when you use Windows 2000, Windows XP, or Windows Server 2003 as a client computer to make a dial-up connection or a VPN connection.

Note: Error codes with numbers higher than 900 will only be seen if you are trying to connect to a Routing and Remote Access Server that is running Windows 2000 or later.
You receive a "Stop: 0x000000D1" error message after you establish a VPN connection

After you establish a virtual private network (VPN) connection, your computer stops responding unexpectedly. You receive the following Stop error message:

STOP: 0x000000D1 (0x00000020, 0x00000002, 0x00000000, 0xf5bf0f68)
You may be disconnected when you connect a Windows XP-based computer to a remote server through a VPN, and you use an external firewall device or a NAT device

When you connect your Microsoft Windows XP-based computer to a remote server through a virtual private network (VPN) connection, and you use an external firewall device or a network address translation (NAT) device, you may be disconnected after about five minutes.
You Cannot Use Fast User Switching After You Install Cisco Systems VPN Dialer Program

After you install the Cisco Systems VPN Dialer program, you can no longer use the Fast User Switching feature in Microsoft Windows XP. If you try to turn on Fast User Switching, you receive a message stating that a program used CSGina.dll to disable the Fast User Switching and the Windows Welcome screen features.
VPN Client Cannot Establish a Connection After You Install a Service Pack

When you try to establish a virtual private network (VPN) connection from your Windows XP or Windows 2000 PPTP client to your corporate network, the connection may not work, and you may receive the following error message:

Error 721: Remote PPP peer is not responding
Error Message "Error 623: The System Could Not Find the Phone Book Entry for This Connection" When You Try to Make a VPN Connection

When you try to connect a virtual private network (VPN) connection in Network Connections, you may receive the following error message:

Error 623
The system could not find the phone book entry for this connection.

You receive a "741" or a "742" error message when you try to establish a VPN connection by using L2TP/IPsec from a Windows client computer to a VPN server

You experience one of the following symptoms when you try to establish a virtual private network (VPN) connection by using "Layer Two Tunnelling Protocol with IPSec" (L2TP/IPsec) from a Windows client computer to a VPN server.

Symptom 1
The Windows client computer is running Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows 2000, and you try to connect to a VPN server that is running Windows Server 2008 or Windows Vista. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:

741 The local computer does not support encryption.

Symptom 2
The Windows client computer is running Windows Server 2008 or Windows Vista, and you try to connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:

742 The remote server does not support encryption.
You may be unable to access the network when name resolution is performed through a VPN connection on a Windows XP-based or on a Windows Server 2003-based client computer

On a Windows XP-based or on a Windows Server 2003-based client computer, you try to connect to a virtual private network (VPN) server. The connection is successful. However, when name resolution is performed through the VPN connection, you may be unable to access the network.

This problem may occur randomly if the following conditions are true:
  • You update the routing table of the VPN client.
  • When you update the routing table, you configure the scope of the Dynamic Host Configuration Protocol (DHCP) server to use option 249 in the network environment.
You may be unable to use a Nortel VPN client and IPSec at the same time in Windows XP or in Windows 2000

You may be unable to use the following components at the same time in Microsoft Windows XP or in Microsoft Windows 2000:
  • A Nortel virtual private network (VPN) client
  • The Internet Protocol security (IPSec) implementation that is built into both Windows XP and Windows 2000
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.
You may be unable to use a Cisco VPN client and IPSec at the same time in Windows XP or in Windows 2000 or in Windows Server 2003

You may be unable to use the following components at the same time in Microsoft Windows XP, in Microsoft Windows 2000, or in Microsoft Windows Server 2003 Standard Edition with Service Pack 1 (SP1):
  • A Cisco virtual private network (VPN) client
  • The Internet Protocol security (IPSec) implementation that is built into Windows XP, Windows 2000, and Windows Server 2003
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.
After you connect a Windows XP-based computer to the Routing and Remote Access Services server through a virtual private network (VPN) connection, the computer cannot establish more than 32 static routes

Consider the following scenario:
  • On a Windows XP-based client computer, you connect the computer to the Routing and Remote Access Services server through a virtual private network (VPN) connection.
  • You use a Dynamic Host Configuration Protocol (DHCP) server to provide classful static routes for the VPN client computer by configuring the 249 DHCP scope option.
  • You have configured more than 32 routes together with the corresponding 24-bit subnet masks.
In this scenario, the VPN connection is established successfully. However, only 32 routes are added into the routing table on the Windows XP-based VPN client computer. Therefore, you cannot access some network resources.
You may be unable to use an AT&T Global Network VPN client and IPsec at the same time in Windows XP or in Windows 2000

You may be unable to use the following components at the same time in Microsoft Windows XP or in Microsoft Windows 2000:
  • A version of AT&T Global Network virtual private network (VPN) client that is earlier than version 6.7
  • The Internet Protocol security (IPSec) implementation that is built into both Windows XP and Windows 2000
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.
Windows XP SP2-based VPN or dial-up client cannot access remote resources

You connect a Microsoft Windows XP Service Pack 2 (SP2)-based computer to a remote access server by using a virtual private network (VPN) or a dial-up connection. Then you cannot access any remote resources.
Drive Letters of Mapped Network Drives Are Missing in Windows Explorer

You may find that mapped drive letters to shared network folders are missing in Windows Explorer when you use the Work online without synchronizing changes over a virtual private network (VPN) connection.
You receive an "Error 792" error message and you cannot connect to a node in a Windows Server 2003 Network Load Balancing cluster by using a VPN connection in Windows XP

When you try to connect to a Microsoft Windows Server 2003 Network Load Balancing cluster by using a virtual private network (VPN) connection, you may temporarily not be able to connect to a node in the server cluster. You may receive the following error message:

Error 792
Only the Offline Files Are Displayed When You Use a Remote Access or Virtual Private Network Connection

When you connect to a network by using either a remote access or virtual private network (VPN) connection, you can browse the network and you can ping servers and receive a reply, but if you try to view the shared resources on a server, you can observe only the files that have been made available offline.

Also, the icon in the bottom right corner of the screen indicates that you are offline.

If you disable offline caching on the client computer, and then connect by means of either a remote access or VPN connection, all the files are visible.
You receive a Stop error when network traffic is initiated and a filter driver is loaded

You may receive a "0x000000c1" or a "0x000000c2" Stop error message when network traffic is initiated and a filter driver is loaded. For example, this error may occur when you are using firewall software or virtual private network (VPN) software in the following situations:
  • You connect a wireless network adapter by using 802.1X authentication
  • Your firewall is using a filter driver
  • You try to use Microsoft NetMeeting over a VPN connection
Members of the Network Configuration Operators group cannot create a new connection for all users in Windows XP

Consider the following scenario:
  • You are running Microsoft Windows XP.
  • You try to create a new connection for a virtual private network (VPN), for a remote access connection, or for a broadband connection. You want this connection to be available to all users.
  • To create the new connection, you use an account that is a member of the Network Configuration Operators group.
In this scenario, you find that the Anyone's use option is not available. The option appears dimmed in the New Connection Wizard, and you cannot make the new connection available for all users.
"Error 619" or "Error 645" error message when you attempt to connect to a Routing and Remote Access server

When you attempt to connect to a Microsoft Windows NT 4.0 or Microsoft Windows 2000-based Routing and Remote Access server through a dial-up or virtual private network (VPN) connection, you may receive one of the following error messages:

Error 619, "The port was disconnected."

Or

Error 645, "Dial-Up Networking could not complete the connection to the server."
The system cannot log you on now because the domain <DomainName> is not available

If you log on with cached credentials (for example, you establish a Virtual Private Network (VPN) connection to your corporate network) and you try to connect to a network resource, you may receive the following error message and you are continuously prompted for your user name and password:

The system cannot log you on now because the domain DomainName is not available.
The DNS search order is reversed on the DHCP client in Windows 2000 and Windows XP

When you use a dial-up or a virtual private network (VPN) connection to connect to a Routing and Remote Access server, the list of Domain Name System (DNS) servers is stored on the client computer in reverse order.

For example, when you connect to the Routing and Remote Access server, Dynamic Host Configuration Protocol (DHCP) sends the DNS IP addresses in the preferred order:

10.200.200.200
10.201.201.201
However, if you view the TCP/IP protocol properties on the client computer, the DNS IP addresses appear in the following order:

10.201.201.201
10.200.200.200

Error 720: No PPP Control Protocols Configured

When you attempt to connect to a Remote Access Service (RAS) server by using the TCP/IP protocol, you may receive the following error message:

Error 720: No PPP control protocols configured.
Computers that are offline are still resolved as online when you ping them

When you use the ping command to ping a client by name, that client name may be resolved and an IP address is returned although the client computer is offline.

This behaviour occurs when virtual private network (VPN) clients, such as Microsoft Windows XP-based computers, register records with the WINS server when they connect. When the VPN client disconnects, the client does not mark the WINS records as released. Multiple VPN clients can end up registered in WINS with the same IP address. When this behaviour occurs, if you ping a client that is offline by name, WINS resolves the name and returns the IP address of another client that now has that IP address.
Cannot Change the Binding Order for Remote Access Connections

You may experience a problem after you change the binding order for [Remote Access connections] by moving it to the top of the connections list. You would do so in the Advanced Settings dialog box of the Network and Dial-up Connections tool. After you do so, network utilities that resolve host names by using the Domain Name Service (DNS) server that is associated with a dial-up networking connection, do not default to the DNS server that is associated with the dial-up connection. NSLookup is an example of a network utility that resolves host names by using the Domain Name Service (DNS) server that is associated with a dial-up networking connection.

This symptom occurs although you expect the network utility to use, as its default, the DNS server that is associated with the network device that has the highest binding order in the list of network connections.

Note: This symptom may also occur with Virtual Private Networking (VPN) connections. A client computer may not use the DNS server from a VPN connection if the default gateway is set to the remote connection.
You may receive the "The keyset is not defined" error message when the provider name of a CSP contains extended characters

If you try to establish a virtual private network (VPN) connection by using a smart card where the provider name of a custom Cryptographic Service Provider (CSP) contains extended characters, you may receive the following error message:

Error 0x80090019: The keyset is not defined
You Cannot Use Outlook 2003 over the Internet by Using Your User Principal Name (UPN)

After you log on to a network over the Internet and then start Microsoft Office Outlook 2003, if you click Send/Receive or if Outlook 2003 automatically checks for new e-mail messages, you are prompted to reenter your Microsoft Exchange server name and your user account name.

If you try to verify your account name, you receive the following error message:

The name could not be resolved. Operation failed.

After you close the error message, Outlook 2003 still tries to process the Send/Receive request and then abruptly quits, and you receive the error code 0x8004011c.

This problem occurs if the following conditions are true:
  • You use virtual private network (VPN) or remote procedure call/Hypertext Transfer Protocol (RPC/HTTP) to log on
  • You use your user principal name (UPN) in the form of user_name@domain.com
Error message when you start Windows XP after you upgrade from an earlier version of Windows: "Your system is low on virtual memory"

When you first start Windows XP after you upgrade from an earlier version of Windows, you may receive the following error message:

Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied.

If you click OK, you may receive an error message that resembles the following error message:

The application failed to initialize properly. 0xc0000017

When you try to run Windows, you may also receive other error messages that resemble the following error message:

IEXVCES.EXE
The exception unknown software exception (0xc00000fd) occurred in the application at location 0x01ac5937.
You do not receive these error messages when you start Windows in safe mode.
PPTP clients cannot connect to a PPTP server that has multiple IP addresses

When you connect to a Point-to-Point Tunnelling Protocol (PPTP) server from a PPTP client computer, the connection may not succeed, and you may receive one of the following error messages, depending on the version of Microsoft Windows that you are running:

Error 650: The Remote Access server is not responding

Error 721: Remote PPP peer is not responding

Error 629: The port was disconnected by the remote machine.

Error 678: There was no answer

Users cannot negotiate a connection when a remote access policy forces them to use L2TP

When you create a remote access policy that forces some remote users to log on the network by using a Layer-2 Tunnelling Protocol (L2TP) connection, they cannot connect to the remote access server.
CPU usage may reach 100 percent when you resume a computer that is running Windows XP from standby multiple times

Fixes a problem that may occur if you have an "Incoming Connections" network connection defined. Provides a hotfix to resolve the problem. You must have Windows XP Service Pack 2 installed to apply the hotfix.
A Connection Manager Connection Does Not Connect After Being Disconnected

After you disconnect from a virtual private network (VPN) connection that was created by using Connection Manager, you cannot connect again if you are not a member of the local Administrators group. This behavior affects connections that dial the Internet and then create a VPN connection. In the Network Connections window, the icon shows that the connection is in the Disconnecting state.
Basic L2TP/IPSec Troubleshooting in Windows XP

This article provides information to help you troubleshoot Layer 2 Tunnelling Protocol (L2TP) and Internet Protocol Security (IPSec) in Windows XP.
IPSec default exemptions can be used to bypass IPSec protection in Some Scenarios

The Internet Protocol Security (IPSec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets.

[...]

As IPSec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, the affect [sic] of these default exemptions has not been fully understood. Because of this, some IPSec administrators may create IPSec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions.

kadaitcha.cx translation: "We made a lot of wild guesses and stuffed up."

Microsoft strongly recommends that network administrators take the steps in this article to remove the default exemptions to IPSec.
My Network Places "net crawler" functionality

Crawling is prevented in the following circumstances:
  • If more than 10 computers with shared resources are detected; in this case, no shortcuts are created.
  • When you are using Dial-Up Networking (DUN) or virtual private network (VPN) connections.
  • After the Automatically search for network folders and printers check box is cleared in the Folder Options dialog box in My Network Places.
  • The feature is turned off by a policy (registry key).
How to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information

This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.

If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.
A VPN client computer that is running Windows XP or Windows Server 2003 may be unable to access resources on the remote network

When a computer that is running Windows XP or Windows Server 2003 tries to set up a VPN connection to a remote network, the connection is set up successfully. However, the computer may be unable to access the resources on the remote network.

This problem occurs when the remote network's Dynamic Host Configuration Protocol (DHCP) server uses the 249 Classless Static Routes DHCP scope option.
Delays Occur When Establishing Point-to-Point Tunnelling Protocol Connection with a Connection Manager Administration Kit Profile

When you attempt to establish for the first time a Point-to-Point Tunnelling Protocol (PPTP) connection by means of a Connection Manager profile, you may experience a significant delay before you are able to connect, or you may be unable to connect.
You cannot log on after you correctly change your logon credentials

After you change your password, you cannot access the workstation if you log off and then try to log on again. This problem occurs after you log on to a workstation that contains cached credentials (password and domain), then change your domain password while you are connected to the domain by using a dial-up or a VPN connection, then log off, and then log on again. However, if you turn off the Automatically use my Windows logon name and password option, you can log on to the workstation.
A program may run very slowly if the network connection to your home folder is slow in Windows Server 2003 or in Windows XP

When you start a program in Microsoft Windows Server 2003 or in Microsoft Windows XP, the program may run very slowly if the following conditions are true:
  • You start a program that does not have a Start in property.
  • The network connection to the mapped network share that contains your home folder is slow.
Additionally, when you log on to the computer, the logon process may be slower than expected if the following conditions are true:
  • The client computer must look for system DLL files in your home folder.
  • The network connection to the mapped network share that contains your home folder is slow.
This problem occurs because the program is slowed by a high-latency connection. A program that does not have a Start in property searches for DLL files in the current working folder first, and then the folders that are specified in the system path. The current working folder is typically your home folder. If your home folder is on a mapped network share and if the network connection to that share is a high-latency connection such as a wide area network (WAN) or a virtual private network (VPN), you may experience slow performance.

The network traffic increases after you try to use a remote printer in Microsoft Windows XP

After you try to use a remote Lexmark printer over a virtual private network (VPN) connection, network traffic may increase. The increased network traffic can severely decrease performance on slow network links.
Error message when you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection: "Access denied because username and/or password is invalid on the domain"

When you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection, you may receive the following error message:

Access denied because username and/or password is invalid on the domain

This problem occurs if one of the following conditions is [sic] true:
  • The password to access the network has expired.
  • The administrator has enabled the User must change password at next logon option for the user account.
The default behaviour of IPSec NAT traversal (NAT-T) is changed in XP Service Pack 2

This article describes a change in the default behaviour of Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) that has been implemented in Microsoft Windows XP Service Pack 2 (SP2).
Wrong IP Address Is Written to the Pfirewall.log File

When you view the contents of the Internet Connection Firewall log file (Pfirewall.log), packets for an IP address that is not on the interface where the firewall is enabled may be listed in the log.

The Firewall log records all packets that are dropped, regardless of whether the packet contains a source or destination IP address that is bound to the secured interface. For example, packets that are destined to a local VPN interface may be recorded to the Firewall log if the VPN interface is not bound to the interface where the firewall is enabled.
Cannot Maintain Your L2TP Connection in Windows XP

When you try to establish an L2TP connection with a non-Microsoft L2TP server, the connection may be established properly, but you may then immediately lose the connection.
Error 792: The L2TP Connection Attempt Failed Because Security Negotiation Timed Out

When you attempt to establish a Layer 2 Tunneling Protocol (L2TP) connection from a Windows XP-based L2TP client computer to a Windows XP-based Routing and Remote Access Service server, you can receive the following error message:

Error 792: The L2TP connection attempt failed because security negotiation timed out.
L2TP/IPsec NAT-T update for Windows XP and Windows 2000

Microsoft has released an update package to enhance the current functionality of Layer Two Tunnelling Protocol (L2TP) and Internet Protocol security (IPSec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2).
Modifying an Internet Protocol security (IPSec) policy from a Windows XP SP1-based or Windows 2000-based client may corrupt the IPSec policy

Clients and domain controllers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC, or Microsoft Windows Server 2003 will silently fail and cannot apply an Internet Protocol security (IPSec) policy that was saved from a computer that is running Windows 2000 or a computer that is running Windows XP Service Pack 1 (SP1).

Client computers that do not apply an IPSec policy that is specified by a domain administrator may experience the following symptoms because of this problem:
  • Symptom 1: Network traffic that administrators want to help protect through an IPSec policy will not be encapsulated.
  • Symptom 2: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers may not be able to access other computers by using an IPSec policy on the network. If the IPSec policy is configured in "required mode," network negotiation will not be completed, and communication will be blocked.
  • Symptom 3: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access shared folders or printers from Windows Explorer on a computer by using an IPSec policy will experience this problem.
  • Symptom 4: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access an IPSec policy by accessing shared folders or printers by using an IPSec policy with the NET USE command will experience this problem.
Symptoms 1-4 all occur because of a lack of connectivity. Therefore, you must examine the entries in the Oakley.log file to definitively identify this problem. The Oakley.log file is located in the %systemroot%\Debug folder.

You may also experience the following symptoms:
  • Symptom 5: Client computers that are supposed to apply an IPSec policy but do not because of this problem will not log any errors in their local debug logs or event logs that indicate that the policy did not apply.
  • Symptom 6: A client computer cannot use PING over the network. The client computer receives a "Network destination was unreachable" error message, depending on whether PING is an IPSec policy protocol.
TechNet Support WebCast: How to use IPSec to help secure network traffic

This technical presentation describes how to use Internet Protocol Security (IPSec) to help secure network traffic. The talk discusses the most common IPSec scenarios and demonstrates how to use the Microsoft IPSec implementation to deploy these scenarios. Additionally, general IPSec concepts, configuration options, and implementation techniques will be presented.
Connections time out when client computers that are running Windows Server 2003 or Windows XP try to connect to a server on a wireless network that uses IPSec NAT-T

In a wireless network environment that uses Internet Protocol security (IPSec) network address translation traversal (NAT-T), client computers that are running Microsoft Windows Server 2003 or Microsoft Windows XP cannot connect to a server that is running Windows Server 2003 and Microsoft Live Communications Server 2003. The connections time out. A network trace shows Internet Control Message Protocol (ICMP) "port unreachable" error messages.

This problem occurs on client computers that use a wireless network adaptor that does not support packet ownership. For example, this problem occurs on client computers that use an Agere Systems wireless network adaptor or an Intel wireless network adaptor that does not support packet ownership.
All policies on a Windows XP-based computer are refreshed when you enable an IPsec policy

Consider the following scenario:
  • You are running a Microsoft Windows XP Service Pack 2 (SP2)-based computer or a Windows XP Service Pack 1 (SP1)-based computer that has the network address translation traversal (NAT-T) update installed.
  • The computer belongs to a domain.
  • You enable an Internet Protocol security (IPSec) policy on the computer.
In this scenario, all policies on the computer are refreshed, not just the IPSec policy. Additionally, if you set a short refresh time for the IPSec policy, network traffic increases in a domain that contains many client computers.
When you disconnect and then reconnect a network adaptor on a Windows XP-based computer, the IPsec policy is not applied for two to three seconds after the network adaptor is reinitialized

You may experience the following problem on a Microsoft Windows XP-based computer where a network adaptor uses the Internet Protocol security (IPsec) policy to restrict traffic to and from the computer. When you disconnect and then reconnect the network adaptor, the policy is not applied for two to three seconds after the network adaptor is reinitialized. Traffic that typically would be blocked by the IPSec policy may not be blocked.
A hotfix that updates the IPSec Policy Agent is available for Windows Server 2003 and Windows XP

The IPSec Policy Agent (IPsecsvc.dll) manages Internet Protocol security policy. The IPSec Policy Agent starts the ISAKMP/Oakley (IKE) protocol mechanism. The IPSec Policy Agent also starts the Internet Protocol security driver that is available for Microsoft Windows Server 2003 and for Microsoft Windows XP. The IPSec Policy Agent includes a set of remote procedure call (RPC)-based interfaces. These interfaces are used by internal Windows components.

Microsoft has released a hotfix that corrects the behaviour of the IPSec Policy Agent. After you apply this hotfix, the RPC-based interfaces return the correct status code that other Windows components require.
How to simplify the creation and maintenance of Internet Protocol security (IPSec) filters in Windows Server 2003 and Windows XP

This article describes an update that you can apply to simplify the creation and maintenance of Internet Protocol security (IPSec) filters in Microsoft Windows Server 2003. This article also includes a description of a hotfix for Microsoft Windows XP that simplifies the creation and maintenance of IPSec filters in Microsoft Windows XP.

The Windows Server 2003 update and the Windows XP hotfix add functionality to Windows that enables you to use an IPSec "Simple Policy." For most environments, the installation of this update and hotfix lets you reduce the number of IPSec filters that are required for a Server Isolation deployment or for a Domain Isolation deployment. You can reduce the number of IPSec filters from many hundreds of filters to only two filters.
How to block specific network protocols and ports by using IPSec

Internet Protocol security (IPSec) filtering rules can be used to help protect Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers from network-based attacks from threats such as viruses and worms. This article describes how to filter a particular protocol and port combination for both inbound and outbound network traffic. It includes steps to determine whether any IPSec policies are currently assigned to a Windows 2000-based, Windows XP-based, or Windows Server 2003-based computer, steps to create and assign a new IPSec policy, and steps to unassign and delete an IPSec policy.
How to configure remote IPSec management and remote IPSec monitoring from Windows Server 2003-based and Windows XP Professional-based computers

This article describes how to configure Microsoft Windows Server 2003-based and Microsoft Windows XP Professional-based computers to manage Internet Protocol security (IPSec) policies and to monitor IPSec activity for remote computers.

On Windows Server 2003-based and on Windows XP Professional-based computers, you can use the IP Security Policy Management Microsoft Management Console (MMC) snap-in to remotely manage IPSec policies. Additionally, you can use the IP Security Monitor MMC snap-in to remotely monitor IPSec activity.

On Windows Server 2003-based computers, you can also use the Netsh command-line utility to remotely manage IPSec policies and to remotely monitor IPSec activity.

Note Windows XP does not have an IPSec context for the Netsh command. Therefore, the Netsh command cannot be used to configure IPSec on Windows XP-based computers.
How to configure RPC to use certain ports and how to help secure those ports by using IPSec

This article describes how to configure RPC to use a specific dynamic port range and how to help secure the ports in that range by using an Internet Protocol security (IPSec) policy. By default, RPC uses ports in the ephemeral port range (1024-5000) when it assigns ports to RPC applications that have to listen on a TCP endpoint. This behaviour can make restricting access to these ports challenging for network administrators. This article discusses ways to reduce the number of ports available to RPC applications and how to restrict access to these ports by using a registry-based IPSec policy.
The Lsass.exe process may stop responding on a Windows Server 2003-based computer or on a Windows XP-based computer that is in an Active Directory domain environment

In an Active Directory domain environment, the Lsass.exe process may stop responding on a Microsoft Windows Server 2003-based computer or on a Microsoft Windows XP-based computer.

In this situation, you receive the following error message:

System Shutdown - The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost.

This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in <number> seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code <error code>. The system will now shut down and restart.

This problem may occur if the following conditions are true:
  • Some Internet Protocol Security (IPSec) policies are configured to help secure network communication.
  • Security settings are customized for all Group Policy objects (GPOs) that are applied to domain computers. Specifically, the Everyone group and the Authenticated Users group do not have permission to access any GPO. All other groups, such as the Domain Users group and the Domain Computers group, have permission to access the GPOs.
  • On Windows Server 2003-based computers, Windows Server 2003 Service Pack 2 is installed.
  • On Windows XP-based computers, a hotfix is installed. This hotfix has a file version that is either later than or equal to the file version that is described in the following Microsoft Knowledge Base article:
895406 (http://support.microsoft.com/kb/895406/) All policies on a Windows XP-based computer are refreshed when you enable an IPSec policy.
You experience intermittent connectivity when you connect to a network from a computer that is running Windows XP or Windows Server 2003

You experience intermittent connectivity when you try to connect to a network from a computer that is running Microsoft Windows XP or Microsoft Windows Server 2003. If the computer connects to the network, you may receive the following error message:

The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

This problem occurs because Transmission Control Protocol/Internet Protocol (TCP/IP) Internet Protocol security (IPSec) frames that pass through NAT-T are not correctly acknowledged by TCP/IP.

This problem has been reported to occur on computers that have one of the following network adapters:
  • Intel Pro/100VE and Intel Pro Wireless LAN 2100 3B Mini
  • Intel Pro/100VE and ORiNOCO Wireless PCI
  • SiS 9000 PCI
  • RealTek 8139
Some Windows Procedures Do Not Work If the Remote Procedure Call Service Is Disabled

The following services depend on the RPC service:
  • Background Intelligent Transfer Service
  • COM+ Event System
  • Distributed Link Tracking Client
  • Distributed Transaction Coordinator
  • Fax Service
  • Indexing Service
  • IPSec Policy Agent
  • Messenger
  • Network Connections
  • Print Spooler
  • Protected Storage
  • Removable Storage
  • Routing Information Protocol (RIP) Listener
  • Routing and Remote Access
  • Task Scheduler
  • Telephony
  • Telnet
  • Windows Installer
  • Windows Management Instrumentation
List of Event IDs for the Routing and Remote Access Service

This article contains a list of the Routing and Remote Access service event IDs as they appear in the Event Viewer system log.