Windows Firewall Public profile when using IPsec

Hi there - Jimmy here with a brief summary of an IPsec / Network Location Awareness interaction issue a customer encountered recently. Hopefully it saves you some time.

Symptoms

When Windows Server virtual machines were rebooted, they would occasionally fail to identify their local network as the Domain profile. The result was that an incorrect set of firewall rules (the Public profile) was in effect, even though network connectivity otherwise seemed fine. Evidence from the logs showed a DNS failure for a DC Locator query during system startup. This is important, as it is exactly what causes the NLA service to classify the network as Public rather than Domain.

It was observed that network connectivity between the server and the Domain Controller was interrupted during system startup, and that the same DNS queries succeeded shortly afterwards. The window of failed connections coincided with the period in which the Network Location Awareness service was probing the network, so by the time connectivity recovered the firewall had already been placed in the wrong profile.

Other information

  • IPsec (Connection Security Rules) was configured between the affected system and the Domain controller (DNS server)
  • The start of the IPsec Policy Agent service appeared delayed when reviewing service start events
  • The domain controller was configured to log IPsec Driver Audit Failure events, and we consequently observed a number of instances of Event ID 4965 ( "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)" ) being raised in the Security log of the domain controller coinciding with the restart of the client/server.

What happened?

Depending on the speed of the system restart (virtual machines can be quick!), the domain controller may still hold active IPsec Quick Mode security associations for the restarted host. Network traffic between the two hosts may fail until the security association timeout period (5 mins) has expired. The DNS lookup that Network Location Awareness needs in order to select the Domain profile therefore fails when, from the Domain Controller's point of view, a stale IPsec Quick Mode security association still exists with the rebooted host and the NLA service's query is sent to that same DC.

For a better technical description of the mechanics of the issue and what to do about it, check out the following knowledge base article: https://support.microsoft.com/en-us/help/2997061/ipsec-qmsa-is-not-deleted-on-isakmp-notify
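To confirm whether a host hit this sequence, the following PowerShell snippet (an added example, not part of the original post or the knowledge base article) gathers the evidence described above on the affected host: the profile NLA chose, whether the DC Locator SRV lookup currently works, the relative start times of the IPsec Policy Agent and NLA services, and any Quick Mode SAs still open toward the DC. The final query for Event ID 4965 is meant to be run on the domain controller, which is assumed to have IPsec Driver audit failures enabled. It assumes Windows Server 2012 or later with the built-in NetConnection, NetSecurity and DnsClient modules, run from an elevated prompt; the one-hour lookback window is an arbitrary value chosen for the example.

```powershell
# Added diagnostic example for the IPsec / NLA interaction described in the post.
# Assumes Windows Server 2012+ and the built-in NetConnection, NetSecurity and
# DnsClient modules. Run elevated. The lookback window is a constructed value.
$since = (Get-Date).AddHours(-1)

# 1. Which network category did NLA assign to each interface?
#    DomainAuthenticated is expected; Public means the wrong rule set is active.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Repeat the DC Locator DNS lookup NLA depends on: the SRV record that
#    lists the domain's domain controllers. If it fails now, the problem is
#    not (only) the startup race described in the post.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port

# 3. Service start order during the last boot. Event 7036 from the Service
#    Control Manager records each service entering the running state; compare
#    when the IPsec Policy Agent came up relative to Network Location Awareness.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = $since
    } |
    Where-Object { $_.Message -match 'IPsec Policy Agent|Network Location Awareness' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Message

# 4. Quick Mode SAs currently held by this host. A matching stale SA on the DC
#    side is what blocks traffic until the SA lifetime expires.
Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
    Select-Object LocalEndpoint, RemoteEndpoint

# 5. Run this part on the domain controller: Event 4965 ("incorrect SPI") in
#    the Security log, timed against the client's reboot, is the DC-side
#    evidence that it still had an SA for the host that had just restarted.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4965
        StartTime = $since
    } |
    Select-Object TimeCreated, Message

# If a stale SA toward a specific peer is confirmed on the DC, the NetSecurity
# module's Remove-NetIPsecQuickModeSA cmdlet can clear it so traffic recovers
# without waiting for the lifetime to expire (inspect the SA list first):
#   Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq '<client IP>' | Remove-NetIPsecQuickModeSA
```

Once the Domain profile has been restored (for example after the DC's stale SA expires or is removed, or after restarting the NLA service), re-running step 1 should show NetworkCategory as DomainAuthenticated; the knowledge base article linked above covers the supported fix for the underlying SA clean-up behaviour.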

Jimmy