IPSec QMSA is not deleted on ISAKMP notify

Symptoms

Consider the following scenario:
  • IPsec is configured between Windows Domain members and domain controllers.
  • The Connection Security rules are configured to "request authentication" and are active on the Domain Profile only.
  • A domain member (client) that has an IPsec connection established to a domain controller is restarted.
  • While shutting down the IKE and AuthIP IPsec Keying Modules (IKEEXT) service, the client sends an Internet Security Association and Key Management Protocol (ISAKMP) Notify message to the domain controller to delete the Main Mode Security Association (MMSA).
  • Immediately after the client restarts, it tries to connect to a domain controller. By chance, it ends up on the same domain controller as before.
  • The client tries to connect by using clear text, because it is still in the Public Profile.
  • The clear-text messages from the client are answered by using an Encapsulated Security Payload (ESP) packet sent by the domain controller.
In this scenario, the connection fails until the Quick Mode Security Association (QMSA) times out on the domain controller. The default time-out, as specified by SAIdleTime, is five minutes.

Additionally, you may receive the following error messages:
Log Name:      System
Source:        NETLOGON
Event ID:      5719
Description:
This computer was not able to set up a secure session with a domain controller in domain %domain name% due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Event ID:      1129
Description:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
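A quick way to check a client for the symptom described above is to look for the two events quoted here in the minutes right after the last restart, which is the window in which the stale QMSA on the domain controller blocks the clear-text traffic. The following script is an added example and is not part of the Microsoft article; the event IDs and providers are the ones quoted above, while the ten-minute window is an assumed value. Run it in an elevated PowerShell session on the domain member.

```powershell
# Added example (not from the article): find NETLOGON 5719 and Group Policy 1129
# events logged shortly after the last boot, when the stale-QMSA scenario would
# show up. $WindowMinutes is an assumption; adjust it to your environment.

$WindowMinutes = 10
$lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$windowEnd = $lastBoot.AddMinutes($WindowMinutes)

# Providers and IDs are those quoted in the Symptoms section.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'NETLOGON';                      Id = 5719 },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1129 }
)

$hits = foreach ($f in $filters) {
    $f.StartTime = $lastBoot
    $f.EndTime   = $windowEnd
    # Get-WinEvent writes an error when nothing matches; that is not a failure here.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Host ('No 5719/1129 events within {0} minutes of last boot ({1})' -f $WindowMinutes, $lastBoot)
} else {
    $hits | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'MinutesAfterBoot'; e = { [math]::Round(($_.TimeCreated - $lastBoot).TotalMinutes, 1) } } |
        Format-Table -AutoSize
}
```

A 5719 followed by an 1129 a few minutes after boot, with the failing connections recovering on their own after roughly the SAIdleTime default of five minutes, matches the pattern the article describes; events well outside that window point at a different cause.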

Cause

This issue occurs because, by default, the IKEEXT service does not send QMSA delete notifications when it shuts down; it only deletes the MMSA.

Resolution

To work around this issue, you can modify the registry. The 0x100 bit of the IKEFlags registry key makes Windows send ISAKMP Notify Delete messages for QMSAs.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IKEEXT\Parameters
Name: IKEFlags
Type: REG_DWORD
Value: 0x100

Important This registry entry is interpreted as a bit-mask. The bit that forces IKEEXT to send ISAKMP Notify Delete messages for QMSAs is the 0x100 bit. To prevent other issues, set only that bit and leave the other bits unchanged. For example, if IKEFlags currently has the DWORD value 0x1440, change it to 0x1540.
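Because the entry is a bit-mask, the safe way to apply the workaround is to read the current value and OR the 0x100 bit into it rather than overwrite the DWORD. The following script is an added example, not code from the Microsoft article; the registry path and value name are the ones given above, the function names are hypothetical, and it must be run in an elevated PowerShell session on the machine whose IKEEXT behaviour you want to change.

```powershell
# Added example (not from the article): set the 0x100 bit of IKEFlags while
# preserving every other bit, e.g. 0x1440 -> 0x1540. Function names are
# hypothetical; the path and value name are those given in the article.

$IkeParams     = 'HKLM:\SYSTEM\CurrentControlSet\services\IKEEXT\Parameters'
$QmsaDeleteBit = 0x100

function Get-IkeFlags {
    # Returns the current IKEFlags DWORD, or 0 if the value does not exist yet.
    $item = Get-ItemProperty -Path $IkeParams -Name 'IKEFlags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.IKEFlags
}

function Test-QmsaDeleteNotify {
    # True when the 0x100 bit is already set.
    return ((Get-IkeFlags) -band $QmsaDeleteBit) -ne 0
}

function Enable-QmsaDeleteNotify {
    # OR the bit into whatever is already there so other flags are untouched.
    $current = Get-IkeFlags
    $new     = $current -bor $QmsaDeleteBit
    if ($new -eq $current) {
        Write-Host ('IKEFlags is already 0x{0:X}; nothing to do' -f $current)
        return
    }
    if (-not (Test-Path $IkeParams)) { New-Item -Path $IkeParams -Force | Out-Null }
    Set-ItemProperty -Path $IkeParams -Name 'IKEFlags' -Value $new -Type DWord
    Write-Host ('IKEFlags changed from 0x{0:X} to 0x{1:X}' -f $current, $new)
}

Enable-QmsaDeleteNotify
if (-not (Test-QmsaDeleteNotify)) { throw 'IKEFlags 0x100 bit is not set after the change' }
```

Get-IkeFlags and Test-QmsaDeleteNotify can also be used on their own to audit a fleet of clients for the setting before deciding whether to roll the change out.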

More Information

In Windows versions up to Windows Server 2008 R2 you might have used the NlbReconnectForAllPeers and NlbsIdleTime REG_DWORD values on the DC as described in KB2695321 "IPsec session takes 5 to 6 minutes to connect to a storage controller on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2".

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IKEEXT\Parameters
By default, the NlbReconnectForAllPeers key is set to 1, and the NlbsIdleTime key is set to 0x19 (25).

Starting with Windows 8 and Windows Server 2012, these registry keys have no effect.
Properties

Article ID: 2997061 - Last Review: 15 Oct 2014 - Revision: 1
