Communication is interrupted periodically when you start a communication from a computer that is running Windows Vista or Windows Server 2008 to a computer that is running Windows XP or Windows Server 2003

Consider the following scenario:

• In a network environment, you have two computers:
  • The first computer is running Windows Vista or Windows Server 2008. This computer does not have a valid Internet Protocol security (IPsec) certificate.
  • The second computer is running Windows XP or Windows Server 2003. This computer has a valid IPsec certificate.
• You deploy some IPsec policies to the first computer by using Group Policy object (GPO).
• You enable the "Fallback to clear" functionality on the second computer.
• On the second computer, you set the value of the following registry entry as 0x14:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\IKEFlags
• You try to start a communication from the first computer to the second computer. For example, you try to access a shared folder on the second computer from the first computer, and you try to copy the files in the shared folder to the first computer.

In this scenario, the communication between the two computers is interrupted periodically. Therefore, you cannot copy large files, such as software updates, from the second computer to the first computer.

Notes

• The Simple Policy Update is required to be installed on the second computer that is running Windows XP or Windows Server 2003. The Simple Policy Update is included in Windows Server 2003 Service Pack 2 and Windows XP Service Pack 3.
• To enable the "Fallback to clear" functionality, create a Negotiate Security filter action, and then enable the following two settings:
  • Allow unsecured communication with non-IPsec-aware computer
  • Accept unsecured communication, but always respond using IPsec
• If you start the communication from the second computer to the first computer, the "Fallback to clear" functionality works correctly. In this situation, it takes 500 milliseconds (ms) to start the communication.
• If the value of the IKEFlags registry entry is not set to 0x14, the "Fallback to clear" functionality does not work. In this situation, no communication is established between the two computers.

In this situation, the issue occurs because the "Fallback to clear" functionality is not working correctly. When the communication is started, the connection is lost for one minute. Then a soft security association (Soft SA) is created, and the connection is resumed. This connection can last for several minutes. When the Soft SA expires, the connection is again lost for one minute, and then the connection is resumed again and can last for several minutes. This continues in a loop.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, your computer must be running one of the following operating systems:

• Windows Vista Service Pack 1 (SP1)
• Windows Vista Service Pack 2 (SP2)
• Windows Server 2008
• Windows Server 2008 Service Pack 2 (SP2)

For more information about how to obtain a Windows Vista service pack, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Vista and Windows Server 2008 file information notes

Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both of these operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

• The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
  Collapse this tableExpand this table

  Version	Product	SR_Level	Service branch
  6.0.600 1 . 22xxx	Windows Vista and Windows Server 2008	SP1	LDR
  6.0.600 2 . 22xxx	Windows Vista and Windows Server 2008	SP2	LDR

• Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2008 and of Windows Vista

For all supported x64-based versions of Windows Server 2008 and of Windows Vista

For all supported IA-64-based versions of Windows Server 2008

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

"Fallback to clear" is a functionality that enables nonsecure traffic when a secure communication cannot be established. For more information about the "Fallback to clear" functionality, visit the following Microsoft Web site: For more information about Simple Policy Update, click the following article number to view the article in the Microsoft Knowledge Base: For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

Additional file information

Additional file information for Windows Vista and for Windows Server 2008

Additional files for all supported x86-based versions of Windows Vista and of Windows Server 2008

Additional files for all supported x64-based versions of Windows Vista and of Windows Server 2008

Additional files for all supported IA-64-based versions of Windows Server 2008