Article ID: 309304
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 2
This article was previously published under Q309304
SYMPTOMS
In Windows 2000 Service Pack 2, IP Security (IPSec) Transport Mode with encryption may drop fragmented traffic, for example, Internet Control Message Protocol (ICMP) and User Datagram Protocol (UDP) packet traffic. Transmission Control Protocol (TCP) is generally not affected.
CAUSE
This issue occurs when IPSec Transport Mode is used to secure domain controllers by forcing Kerberos to be protected by IPSec. The issue occurs because Kerberos uses UDP port 88 (Kerberos can use TCP if needed).
This issue does not affect L2TP/IPSec connections.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
--------------------------------------------------
26-Sep-2001 23:11 5.0.2195.3951 121,936 Afd.sys
04-Aug-2001 12:14 5.0.2195.4055 87,824 Hotfix.exe
04-Oct-2001 20:29 26,118 Hotfix.inf
04-Oct-2001 20:24 5.0.2195.3952 106,256 Msafd.dll
30-May-2001 03:03 5.0.2195.3649 3,584 Spmsg.dll
27-Sep-2001 16:06 5.0.2195.4429 312,688 Tcpip.sys
30-Jul-2001 23:15 5.0.2195.3988 16,240 Tdi.sys
04-Oct-2001 20:24 5.0.2195.3649 17,680 Wshtcpip.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
ICMP is a network-layer (ISO/OSI level 3) Internet protocol that provides error correction and other information that is relevant to Internet Protocol (IP) packet processing. For example, ICMP enables the IP software on one computer to inform another computer about an unreachable destination.
UDP is the connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI model. UDP converts program-generated data messages into packets to send through IP, but UDP does not verify that a message is successfully delivered. Because UDP is more efficient than TCP, UDP is used for various purposes, including Simple Network Management Protocol (SNMP); the reliability of UDP depends on the program that generates the message.
ESP is a standard for providing integrity and confidentiality to IP datagrams. In some circumstances, ESP can also provide authentication to IP datagrams.
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Additional query words:
Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB309304
