Microsoft KB Archive/309304

= IP Security Transport Mode with Encryption May Drop Fragmented Packets =

Article ID: 309304

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q309304



SYMPTOMS
In Windows 2000 Service Pack 2, IP Security (IPSec) Transport Mode with encryption may drop fragmented traffic, for example, Internet Control Message Protocol (ICMP) and User Datagram Protocol (UDP) packet traffic. Transmission Control Protocol (TCP) is generally not affected.



CAUSE
This issue typically occurs when IPSec Transport Mode is used to secure domain controllers by forcing Kerberos traffic to be protected by IPSec. It occurs because Kerberos uses UDP port 88 by default, and UDP datagrams are the fragmented traffic that is dropped (Kerberos can fall back to TCP if needed).

This issue does not affect L2TP/IPSec connections.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   26-Sep-2001  23:11  5.0.2195.3951  121,936  Afd.sys
   04-Aug-2001  12:14  5.0.2195.4055   87,824  Hotfix.exe
   04-Oct-2001  20:29                  26,118  Hotfix.inf
   04-Oct-2001  20:24  5.0.2195.3952  106,256  Msafd.dll
   30-May-2001  03:03  5.0.2195.3649    3,584  Spmsg.dll
   27-Sep-2001  16:06  5.0.2195.4429  312,688  Tcpip.sys
   30-Jul-2001  23:15  5.0.2195.3988   16,240  Tdi.sys
   04-Oct-2001  20:24  5.0.2195.3649   17,680  Wshtcpip.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
ICMP is a network-layer (ISO/OSI level 3) Internet protocol that provides error correction and other information that is relevant to Internet Protocol (IP) packet processing. For example, ICMP enables the IP software on one computer to inform another computer about an unreachable destination.

UDP is the connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI model. UDP converts program-generated data messages into packets to send through IP, but UDP does not verify that a message is successfully delivered. Because UDP is more efficient than TCP, UDP is used for various purposes, including Simple Network Management Protocol (SNMP); the reliability of UDP depends on the program that generates the message.

ESP (Encapsulating Security Payload) is a standard for providing integrity and confidentiality to IP datagrams. In some circumstances, ESP can also provide authentication of the origin of IP datagrams.
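The following Python script is an added illustration for the SYMPTOMS/CAUSE sections and the ESP note above; it is not part of the Knowledge Base article and not Microsoft code. It parses IPv4 headers to show what a troubleshooter sees in a capture when a Kerberos UDP reply is fragmented: only the first fragment carries the UDP header with port 88, later fragments carry no transport header at all, and an ESP packet exposes only its SPI and sequence number. It also computes how many fragments a UDP datagram turns into at a given MTU. The sample packets, addresses, ports other than 88, the SPI value and the `esp_overhead` parameter are constructed assumptions; the header layout follows RFC 791 and RFC 2406.

```python
"""Classify IPv4 packets as fragmented/unfragmented and by protocol (added example, not KB code)."""
import struct
from dataclasses import dataclass

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP"}
IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
KERBEROS_PORT = 88  # stated in the article


@dataclass
class Ipv4Info:
    proto: int
    ident: int
    more_fragments: bool
    frag_offset: int  # byte offset of this fragment's payload within the original datagram
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        return self.more_fragments or self.frag_offset > 0


def parse_ipv4(pkt: bytes) -> Ipv4Info:
    """Parse the fixed IPv4 header fields; the header checksum is not verified."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < ihl:
        raise ValueError("inconsistent IPv4 length fields")
    more_fragments = bool(flags_off & 0x2000)  # MF flag
    frag_offset = (flags_off & 0x1FFF) * 8     # 13-bit offset, in 8-byte units
    return Ipv4Info(proto, ident, more_fragments, frag_offset, pkt[ihl:total_len])


def classify(pkt: bytes) -> str:
    """Describe what a port-based filter can and cannot see in this packet."""
    info = parse_ipv4(pkt)
    name = PROTO_NAMES.get(info.proto, f"proto {info.proto}")
    if info.frag_offset > 0:
        # Only the first fragment carries the UDP/TCP header; later fragments are
        # raw payload bytes, so nothing in them identifies the port.
        return f"{name} non-initial fragment id={info.ident} offset={info.frag_offset} (no transport header)"
    suffix = f" first fragment id={info.ident}" if info.more_fragments else ""
    if info.proto == IP_PROTO_UDP and len(info.payload) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", info.payload[:8])
        kerb = " [Kerberos]" if KERBEROS_PORT in (sport, dport) else ""
        return f"UDP {sport}->{dport}{kerb}{suffix}"
    if info.proto == IP_PROTO_ESP and len(info.payload) >= 8:
        spi, seq = struct.unpack("!II", info.payload[:8])
        # ESP encrypts the inner transport header; only SPI and sequence number are visible.
        return f"ESP spi=0x{spi:08x} seq={seq}{suffix}"
    return f"{name}{suffix}"


def fragments_needed(udp_payload_len: int, mtu: int = 1500, esp_overhead: int = 0) -> int:
    """Number of IPv4 fragments a UDP datagram becomes on a link with the given MTU.

    esp_overhead is an assumed byte count that transport-mode ESP adds (header, IV,
    padding, trailer, ICV); it depends on the negotiated algorithms, so pass your own value."""
    inner = 8 + udp_payload_len + esp_overhead  # UDP header + data (+ ESP bytes)
    per_fragment = ((mtu - 20) // 8) * 8        # fragment data must be a multiple of 8 bytes
    return -(-inner // per_fragment)            # ceiling division


def build_ipv4(proto: int, ident: int, more_fragments: bool, frag_offset: int, payload: bytes) -> bytes:
    """Constructed test packet builder (checksum left at zero; placeholder 10.0.0.x addresses)."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: a 1500-byte Kerberos UDP reply split into two fragments at MTU 1500,
# plus one ESP packet with a made-up SPI.
UDP_HDR = struct.pack("!HHHH", 1234, KERBEROS_PORT, 8 + 1500, 0)
KRB_FRAG1 = build_ipv4(IP_PROTO_UDP, 7, True, 0, UDP_HDR + b"\x00" * 1472)
KRB_FRAG2 = build_ipv4(IP_PROTO_UDP, 7, False, 1480, b"\x00" * 28)
ESP_PKT = build_ipv4(IP_PROTO_ESP, 8, False, 0, struct.pack("!II", 0x1234, 1) + b"\x00" * 40)

if __name__ == "__main__":
    for p in (KRB_FRAG1, KRB_FRAG2, ESP_PKT):
        print(classify(p))
    print(fragments_needed(1500), "fragments for a 1500-byte Kerberos reply at MTU 1500")
```

Run against a real capture by feeding `classify` the IPv4 bytes of each frame; the point it makes is that once a large UDP reply fragments, only one fragment can be matched on port 88, which is why fragment handling in the IPSec path matters for Kerberos-over-UDP.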

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB309304

© Microsoft Corporation. All rights reserved.