Steven
Wed May 24 20:47:38 CDT 2006
Take a look at the document below on troubleshooting IPsec, parts of which
can help you track down what is happening. The other thing you might try,
if you cannot find an apparent resolution, is to create a custom IPsec
policy that specifies each protocol in the filter in the IPsec policy rather
than any, such as one for TCP, one for UDP, etc., but not including ICMP. It
could be that ping is timing out waiting for the IPsec policy to figure out
that it is allowed. You might try different timeout parameters with the ping
command. --- Steve
http://www.microsoft.com/technet/security/topics/architectureanddesign/IPsec/IPsecch7.mspx
"ADH" <ADH@discussions.microsoft.com> wrote in message
news:092CE844-7ABD-4CE0-973F-478B2F714159@microsoft.com...
> The 'all ICMP traffic' is set to permit. I have been pinging by IP address
> and it still fails. The DCs do not have the IPSEC policy applied to them.
>
>
> "Steven L Umbach" wrote:
>
>> The default request security IPsec policy should exempt ipsec, but to be
>> sure, check the properties of that IPsec policy to see if "all ICMP traffic"
>> with a filter action of permit is checked. Also try pinging by IP address if
>> you have not done so yet, and you want to make sure domain controllers are
>> exempt from using IPsec between themselves and domain members or problems
>> will arise as per advice in the link below. --- Steve
>>
>> http://support.microsoft.com/?kbid=254949
>>
>> "ADH" <ADH@discussions.microsoft.com> wrote in message
>> news:2F5A90EE-197C-4CDE-B37C-9504D4BA032C@microsoft.com...
>> > I have a GPO that implements the Server (Request Security) IPSEC setting.
>> > Pretty much everything works except PING. When I try to PING from one
>> > server to the another, I get the 'Request Timed Out' message.
>> >
>> > My understanding is that this policy has a setting that allows ICMP
>> > packets to be sent unsecured so I don't understand why the PING is failing.
>> >
>> > TIA
>> >
>>
>>
>>
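
The per-protocol policy suggested at the top of this message, sketched with `netsh ipsec static` as an added example that is not part of the original thread. The policy, filter list, filter action and rule names, the quick mode security method, and the 192.0.2.10 ping target are assumptions chosen for illustration.

```powershell
# Added illustration, not from the thread. All names are hypothetical.
$policy = 'ReqSec-PerProtocol'
$flist  = 'TCP-UDP-Only'
$action = 'RequestSec'

# Create the policy. It stays unassigned so it can be reviewed first.
netsh ipsec static add policy name=$policy

# One filter per protocol instead of a single protocol=ANY filter.
# ICMP is deliberately left out: traffic that matches no filter is not
# subject to IPsec negotiation at all.
netsh ipsec static add filterlist name=$flist
foreach ($proto in 'TCP', 'UDP') {
    netsh ipsec static add filter filterlist=$flist srcaddr=Me dstaddr=Any protocol=$proto mirrored=yes
}

# "Request security" behaviour: negotiate, but accept unsecured inbound
# traffic (inpass) and fall back to clear text with peers that do not
# answer (soft). The security method here is an assumed sample value.
netsh ipsec static add filteraction name=$action action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]"

# Bind the filter list to the filter action with Kerberos authentication.
netsh ipsec static add rule name=TCP-UDP-Request policy=$policy filterlist=$flist filteraction=$action kerberos=yes

# Review the result before assigning anything.
netsh ipsec static show policy name=$policy level=verbose

# Ping by IP address with a longer reply timeout (-w is in milliseconds).
# 192.0.2.10 is a constructed documentation address, replace with the peer.
ping -n 4 -w 5000 192.0.2.10
```

A locally created policy like this one is overridden by an IPsec policy assigned through domain Group Policy, so on a GPO-managed server the equivalent filters have to be defined in the domain policy to take effect.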