Question (asked by Carmos-1536, answered by GaryNebbett)

IPsec quickmode SA timeout blocks new session

Environment:

  • Win 10 client, connected to Srv 2016 DC

  • IPsec enabled as basic "Connection Security Rule" through GPO with default settings

  • Environment has more than basic hardening, based on CIS

  • No network security measures (Dot1x, NIDS/IPS etc) are in place

Problem flow chart:
1 - At client start up, IPsec (transport mode) is initiated with no issues and user can log on
2 - When client reboots, Main mode SA is terminated but quick mode SA stays active on server
3 - When user tries to log on they get errors, boiling down to that IPsec connection is not established
4 - After 5 minutes (netsh advfirewall show global | find "SAIdleTimeMin") the quickmode SA times out on server
5 - When quickmode SA has timed out, IPsec communication is established and everything works again

Findings:

  • The SA Idle timeout cannot be set lower than 5 minutes

  • This behaviour has been observed across 4 other similar systems (all Srv 2016 and Win 10)

  • Tried "Remove-NetIpsecQuickModeSA", but the command is poorly documented and basically useless

  • The only workaround found is to stop the "IKEEXT" service at logoff (this kills all active SAs)

  • I have not 100% ruled out Kerberos, but all clocks are in sync.

Ruled out causes:
- Disabling fastboot does not solve the problem
- The problem is not directly DNS related
- The problem is not network related

There has to be a reason behind this behaviour; googling it returns mostly VPN- and Cisco-related links. I've yet to find someone describe a similar problem on any forum.
Any constructive inputs and suggestions appreciated.

Tags: windows-server, windows-server-security

1 Answer

Answer by GaryNebbett

Hello @Carmos-1536,

Does "netsh advfirewall monitor delete qmsa [(source destination)|all]" work any better than Remove-NetIpsecQuickModeSA for you?

If you are prepared to collect and share some trace data, then we might be able to verify the cause of the behaviour. The trace data is difficult to interpret (output of the "IKEEXT Trace Provider" and possibly the raw (but unencrypted) IKE packets). Let us know if you want to pursue this option.

Gary

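The question's workaround (stopping IKEEXT at logoff) and the answer's suggestion (netsh advfirewall monitor delete qmsa) both come down to clearing quick mode SAs toward a peer before the other side has to wait out SAIdleTimeMin. The script below is an added example, not code from either poster or from Microsoft: it reads the SAIdleTimeMin setting the question refers to, lists the quick mode SAs toward a given peer, and removes them in escalating order (Remove-NetIPsecQuickModeSA by pipeline, then the netsh form from the answer, then an IKEEXT restart as the last resort). The peer address is a placeholder, and the LocalEndpoint and RemoteEndpoint property names are assumed from the output of Get-NetIPsecQuickModeSA.

```powershell
<#
  Added example, not from the original question or answer.
  Requires administrative rights. Intended for a logoff or pre-shutdown
  script on the client, or for an administrator inspecting the server side.
  Assumptions: the peer address below is a placeholder; LocalEndpoint and
  RemoteEndpoint are assumed property names of Get-NetIPsecQuickModeSA output.
#>

function Get-SaIdleTimeoutMinutes {
    # Reads SAIdleTimeMin from "netsh advfirewall show global" (the question
    # notes this cannot be set lower than 5). Returns $null if not found.
    $line = netsh advfirewall show global |
        Select-String 'SAIdleTimeMin' |
        Select-Object -First 1
    if ($line -and $line.Line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Get-PeerQuickModeSA {
    param([Parameter(Mandatory)][string]$PeerAddress)
    # Quick mode SAs whose remote endpoint is the peer; empty when none exist.
    # RemoteEndpoint is an assumed property name.
    Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteEndpoint -like "$PeerAddress*" }
}

function Clear-PeerQuickModeSA {
    param(
        [Parameter(Mandatory)][string]$PeerAddress,
        [switch]$RestartIkeext   # last resort, mirrors the question's workaround
    )
    $before = @(Get-PeerQuickModeSA -PeerAddress $PeerAddress)
    if ($before.Count -eq 0) {
        Write-Output "No quick mode SAs toward $PeerAddress; nothing to do."
        return
    }
    Write-Output "Removing $($before.Count) quick mode SA(s) toward $PeerAddress"
    $before | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize |
        Out-String | Write-Output

    # First attempt: the cmdlet the question tried, fed by pipeline.
    $before | Remove-NetIPsecQuickModeSA -ErrorAction SilentlyContinue

    # Second attempt: the netsh form from the answer. "all" drops every quick
    # mode SA on this host, so only use it when the cmdlet left some behind.
    if (@(Get-PeerQuickModeSA -PeerAddress $PeerAddress).Count -gt 0) {
        Write-Output "Cmdlet left SAs in place; falling back to netsh"
        netsh advfirewall monitor delete qmsa all | Out-Null
    }

    # Last resort: restart IKEEXT, which tears down all SAs on this host.
    if ($RestartIkeext -and
        @(Get-PeerQuickModeSA -PeerAddress $PeerAddress).Count -gt 0) {
        Write-Output "SAs still present; restarting IKEEXT"
        Restart-Service -Name IKEEXT -Force
    }

    $after = @(Get-PeerQuickModeSA -PeerAddress $PeerAddress).Count
    Write-Output "Quick mode SAs toward $PeerAddress remaining: $after"
}

# Usage. 192.0.2.10 is a placeholder for the DC's address.
$dc = '192.0.2.10'
Write-Output "SAIdleTimeMin is $(Get-SaIdleTimeoutMinutes) minute(s)"
Clear-PeerQuickModeSA -PeerAddress $dc -RestartIkeext
```

Run on the client, this clears the client-side SAs before the reboot the question describes; run on the server with the rebooted client's address as the peer, Get-PeerQuickModeSA shows whether the lingering quick mode SA is still present and Clear-PeerQuickModeSA removes it without waiting for the 5-minute idle timeout. The escalation order matters on a server: Remove-NetIPsecQuickModeSA by pipeline touches only the listed SAs, while "delete qmsa all" and an IKEEXT restart affect every peer on that host.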