FIX: "0xc0360007 (STATUS_IPSEC_CLEAR_TEXT_DROP)" error when you try to access the internal IP address of a Forefront TMG 2010 server through an IPsec site-to-site network

Article translations Article translations
Article ID: 2502685 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You configure a Microsoft Forefront Threat Management Gateway (TMG) 2010 server as an IPsec site-to-site tunnel endpoint. 
  • You establish the IPsec tunnel, and then clients access resources on both sides of the VPN tunnel. 
  • You try to access the internal IP address of the Forefront TMG 2010 server by using a client on the remote network of the endpoint.
In this scenario, traffic to the internal IP address of the Forefront TMG server is dropped by IPsec. Additionally, the IPsec driver logs the following error for dropped packets:
0xc0360007 (STATUS_IPSEC_CLEAR_TEXT_DROP)

CAUSE

This issue occurs because the IPsec security context for the locally destined packet is removed before it is evaluated by the incoming transport layer.

RESOLUTION

To resolve this issue, follow these steps:
  1. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
    2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
  2. Make sure that the packets are not dropped by running the following command at a command prompt on each Forefront TMG server:
    netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=1 persistent
    Note To revert to the default settings, run the following command:
    netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=0 persistent

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2502685 - Last Review: February 25, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1, when used with:
    • Microsoft Forefront Threat Management Gateway 2010 Enterprise
    • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter KB2502685

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com