Microsoft KB Archive/917025

= Error message in ISA Server 2004 when you configure an IPsec tunnel mode site-to-site VPN on an ISA Server 2004-based computer: “0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED” =

Article ID: 917025

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
Consider the following scenario:
 * You configure a site-to-site virtual private network (VPN) tunnel on a Microsoft Internet Security and Acceleration (ISA) Server 2004-based computer.
 * You configure the VPN tunnel by using Internet Protocol security (IPsec) tunnel mode method.

In this scenario, the IPsec tunnel connection may be blocked, and the following error is logged in the ISA Server log:

0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

Notes
 * You have installed Microsoft Windows Server 2003 Service Pack 1.
 * How often this error is logged depends on the parameters of the IPsec tunnel mode configuration.
 * The error is logged even if you disable the IP Spoof Detection feature.

For more information about how to disable the IP Spoof Detection feature, click the following article number to view the article in the Microsoft Knowledge Base:

838114 How to disable the IP Spoof Detection feature in Microsoft ISA Server 2004

CAUSE
This problem occurs because the firewall engine kernel-mode driver checks every IPsec tunnel mode connection for IP address spoofing. During Internet Key Exchange (IKE) negotiation, the IPsec driver holds back all packets destined for the IPsec tunnel and queues them. After IKE negotiation succeeds, the IPsec driver sets a special flag on the queued packets and releases them into the IP stack. The firewall engine kernel-mode driver does not interpret this flag correctly and therefore treats the released packets as spoofed and drops them.

WORKAROUND
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this problem, increase the time-out value of the IPsec Security Association Idle Timer. Security associations are then torn down less often, so the IKE renegotiation during which packets are dropped occurs less frequently. To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec

3. Add the SAIdleTime registry entry. If this entry already exists, modify the value. To do this, follow these steps:
   a. Right-click the IPsec registry key, click New, and then click DWORD Value.
   b. Type SAIdleTime, and then press ENTER.
   c. Right-click the SAIdleTime registry entry, and then click Modify.
   d. Click Decimal, type 3600 in the Value data box, and then click OK.
4. Exit Registry Editor.
5. Restart the computer.

Note The default value for the SAIdleTime registry entry is 300 seconds. The maximum value that you can set for the entry is 3,600 seconds. You must set the value to 3,600.

Note You must set the same SAIdleTime registry entry value on each side of the IPsec tunnel if the remote VPN tunnel endpoint is a Windows-based server. If the remote tunnel endpoint is not a Windows-based VPN server, see the product documentation for how to change the IPsec Security Association Idle Timeout value.
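The following PowerShell script is an added example and is not part of the Knowledge Base article. It applies the workaround above without Registry Editor: it writes SAIdleTime under the IPsec service key, rejects values above the 3,600-second maximum the article states, reads the value back to confirm the write, and compares the local value with a remote Windows tunnel endpoint so that both sides match. The function names, the remote computer name, and the use of PowerShell remoting (WinRM enabled on the remote host, caller has administrative rights there) are assumptions; an elevated session is required on each endpoint, and a restart is still needed for the change to take effect.

```powershell
# Added example, not from KB 917025. Sets and verifies the IPsec SAIdleTime value.
# Assumes an elevated PowerShell session on each tunnel endpoint.

$SAIdleKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'

function Get-SAIdleTime {
    # Returns the effective value: the registry entry if present, else the 300 s default.
    $p = Get-ItemProperty -Path $SAIdleKey -Name 'SAIdleTime' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 300 } else { return [int]$p.SAIdleTime }
}

function Set-SAIdleTime {
    param(
        # The article states the default is 300 s and the maximum is 3600 s.
        [ValidateRange(1, 3600)]
        [int]$Seconds = 3600
    )
    if (-not (Test-Path $SAIdleKey)) {
        throw "Registry key $SAIdleKey not found; is the IPsec service present?"
    }
    # -Force creates the DWORD value or overwrites an existing one.
    New-ItemProperty -Path $SAIdleKey -Name 'SAIdleTime' -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
    # Read back what was written rather than trusting the call succeeded.
    $actual = Get-SAIdleTime
    if ($actual -ne $Seconds) {
        throw "SAIdleTime read back as $actual, expected $Seconds"
    }
    Write-Output "SAIdleTime = $actual seconds; restart the computer to apply."
}

function Test-SAIdleTimeMatch {
    # Compares the local value with a remote Windows endpoint over PowerShell remoting
    # (assumption: WinRM is enabled there and the caller is an administrator on it).
    param([Parameter(Mandatory)][string]$RemoteComputer)
    $localValue  = Get-SAIdleTime
    $remoteValue = Invoke-Command -ComputerName $RemoteComputer -ScriptBlock {
        $k = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
        $p = Get-ItemProperty -Path $k -Name 'SAIdleTime' -ErrorAction SilentlyContinue
        if ($null -eq $p) { 300 } else { [int]$p.SAIdleTime }
    }
    [pscustomobject]@{
        Local  = $localValue
        Remote = $remoteValue
        Match  = ($localValue -eq $remoteValue)
    }
}

# Usage on each endpoint (hypothetical host name):
#   Set-SAIdleTime -Seconds 3600
#   Test-SAIdleTimeMatch -RemoteComputer 'isa-remote'   # run after both sides have restarted
```

Run Set-SAIdleTime on both Windows endpoints, restart each, and then run Test-SAIdleTimeMatch from one side; a Match value of False means the two ends of the tunnel still disagree on the idle time-out.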

Keywords: kbtshoot kbbug kbprb KB917025

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.