Microsoft KB Archive/255857

From BetaArchive Wiki

Article ID: 255857

Article Last Modified on 3/1/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition

This article was previously published under Q255857


The netdiag command does not display the IP Security Protocol (IPSec) offload statistics for a network adapter that has IPSec offload capabilities.


The netdiag command queries the IPSec offload statistics from the system, but does not display them.


A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English-language version of this fix should have the following file attributes or later:

   Date        Time      Size    File name
   4/4/2000    1:24 PM   84 KB   Ipsec.sys


You can use the following command to determine if an adapter has IPSec offload capabilities and what options it supports:

netsh int ip show offload

The following text is sample output from the command listed above. This sample text shows the offload capabilities of the network adapter (not statistics):

Offload Options for interface "Local Area Connection" with index: 200002:"
TCP Transmit Checksum
IP Transmit Checksum
TCP Receive Checksum
IP Receive Checksum

Offload Options for interface "Loopback Adapter" with index: 3:

Offload Options for interface "Local Area Connection 2" with index: 1000005:
IPSEC Raw Crypto
IPSEC on Transmit for AH
IPSEC on Receive for AH
IPSEC transport for AH
MD5 as AH and ESP algorithm
SHA_1 as AH and ESP algorithm
IPSEC on Transmit for ESP
IPSEC on Receive for ESP
IPSEC transport for ESP
DES as ESP algorithm
3DES as ESP algorithm
Null DES as ESP algorithm


Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. Microsoft has confirmed that this is a problem in Microsoft Windows 2000.


The netdiag command is available after you install the Microsoft Windows 2000 Resource Kit, which you can install from your Windows 2000 CD-ROM.

To install the kit, locate the Support\Tools folder, and then double-click the Setup.exe file. After installation, you may need to run the netdiag command from the %SystemRoot%\Program Files\Support Tools folder.

Use the following command to display IPSec statistics:

netdiag /test:ipsec /v

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbfix kbipsec kbqfe KB255857