Error message when you configure an IPsec VPN on a computer that is running ISA Server 2004 and Forefront Threat Management Gateway, Medium Business Edition or Windows Essential Business Server 2008: "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED"

Consider the following scenario:

• You configure a site-to-site virtual private network (VPN) tunnel on a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 and Forefront Threat Management Gateway, Medium Business Edition or Windows Essential Business Server 2008.
• You configure the VPN tunnel by using Internet Protocol security (IPsec) tunnel mode method.

In this scenario, you may find that the IPsec tunnel connection is blocked and the following run-time error message is logged in the ISA Server log:Notes

• You have installed Microsoft Windows Server 2003 Service Pack 1.
• The frequency of this error message depends on the parameters of the IPSec tunnel mode configuration.
• The error message occurs even if you disable the IP Spoof Detection feature.

For more information about how to disable IP Spoof Detection feature, click the following article number to view the article in the Microsoft Knowledge Base:

This problem occurs because the firewall engine kernel-mode driver checks all IPsec tunnel mode connections for IP address spoofing. During Internet Key Exchange (IKE) negotiation, the IPSec driver blocks all packets from the IPsec tunnel and then queues the packets. After a successful IKE negotiation, the IPSec driver sets a special flag on these packets and then puts the packets in the IP stack. Then, the firewall engine kernel-mode driver does not read the flags correctly and treats the packets as spoofed.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this problem, you must increase the time-out value for IPSec Security Association Idle Timer. To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serviecs\IPsec
3. Add the SAIdleTime registry entry. If this entry already exists, modify the value. To do this, follow these steps:
   1. Right-click the IPSec registry key, click New, and then click DWORD Value.
   2. Type SAIdleTime, and then press ENTER.
   3. Right-click the SAIdleTime registry entry, and then click Modify.
   4. Click Decimal, type 3600 in the Value data box, and then click OK.
      
      Note The default value for the SAIdleTime registry entry is 300 seconds. The maximum value that you can set for the entry is 3,600 seconds. You must set the value to 3,600.
4. Exit Registry Editor.
5. Restart the computer.

Note You must set the same SAIdleTime registry entry value on each side of the IPsec tunnel if the remote VPN Tunnel endpoint is a Windows-based server. If the remote tunnel endpoint is not a Windows-based VPN server, see the product documentation on how to change the IPSec Security Association Idle Timeout value.