Error message in ISA Server 2004 when you configure an IPsec tunnel mode site-to-site VPN on an ISA Server 2004-based computer: "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED" (917025)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

Consider the following scenario:
  • You configure a site-to-site virtual private network (VPN) tunnel on a Microsoft Internet Security and Acceleration (ISA) Server 2004-based computer.
  • You configure the VPN tunnel by using the Internet Protocol security (IPsec) tunnel mode method.
In this scenario, you may find that the IPsec tunnel connection is blocked and the following run-time error message is logged in the ISA Server log:
0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Notes
  • You have installed Microsoft Windows Server 2003 Service Pack 1.
  • The frequency of this error message depends on the parameters of the IPSec tunnel mode configuration.
  • The error message occurs even if you disable the IP Spoof Detection feature.
For more information about how to disable the IP Spoof Detection feature, click the following article number to view the article in the Microsoft Knowledge Base:

838114 How to disable the IP Spoof Detection feature in Microsoft ISA Server 2004

CAUSE

This problem occurs because the firewall engine kernel-mode driver checks all IPsec tunnel mode connections for IP address spoofing. During Internet Key Exchange (IKE) negotiation, the IPSec driver blocks all packets from the IPsec tunnel and queues them. After a successful IKE negotiation, the IPSec driver sets a special flag on these queued packets and then passes them to the IP stack. However, the firewall engine kernel-mode driver does not read the flag correctly and therefore treats the packets as spoofed.

WORKAROUND

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this problem, you must increase the time-out value of the IPSec Security Association Idle Timer. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec

  3. Add the SAIdleTime registry entry. If this entry already exists, modify the value. To do this, follow these steps:
    1. Right-click the IPSec registry key, click New, and then click DWORD Value.
    2. Type SAIdleTime, and then press ENTER.
    3. Right-click the SAIdleTime registry entry, and then click Modify.
    4. Click Decimal, type 3600 in the Value data box, and then click OK.

      Note The default value for the SAIdleTime registry entry is 300 seconds. The maximum value that you can set for the entry is 3,600 seconds. You must set the value to 3,600.
  4. Exit Registry Editor.
  5. Restart the computer.
Note You must set the same SAIdleTime registry entry value on each side of the IPsec tunnel if the remote VPN Tunnel endpoint is a Windows-based server. If the remote tunnel endpoint is not a Windows-based VPN server, see the product documentation on how to change the IPSec Security Association Idle Timeout value.
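The workaround steps above, scripted as an added PowerShell example that is not part of the KB article: it backs up the IPsec key, creates or updates the SAIdleTime DWORD value, and verifies the result before the required restart. It assumes an elevated PowerShell prompt on the ISA Server computer; the key path, value name and the 3,600-second value are the ones the article gives.

```powershell
# Added example (not from the KB article): apply the SAIdleTime workaround with
# a registry backup and a verification step. Assumes an elevated prompt on the
# ISA Server 2004 computer. Key path and value come from the article.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$ValueName = 'SAIdleTime'
$Desired   = 3600   # seconds; the article states 3,600 is both the maximum and the required value
$Backup    = Join-Path $env:TEMP ('IPsec-key-backup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. Back up the key before changing anything, as the article's Important note advises.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\IPsec' $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; aborting without changes." }
Write-Host "Backup written to $Backup"

# 2. Read the current value (article: the effective default is 300 seconds when the entry is absent).
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { Write-Host "$ValueName not present (effective default 300 s)" }
else { Write-Host "$ValueName currently $current s" }

# 3. Create the REG_DWORD entry if it is missing, otherwise update it (article step 3).
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired
}

# 4. Verify both the type (must be DWORD, as in step 3.1) and the value before restarting.
$item  = Get-Item -Path $KeyPath
$kind  = $item.GetValueKind($ValueName)
$after = $item.GetValue($ValueName)
if ($kind -ne 'DWord' -or $after -ne $Desired) {
    throw "Verification failed: $ValueName=$after ($kind); restore from $Backup if needed."
}
Write-Host "$ValueName set to $after s (REG_DWORD). Restart the computer to apply the change (article step 5)."
```

The same value must be applied on the other tunnel endpoint when it is also a Windows-based server, as the note above states; the script does not do that for you.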

Modification Type: Major
Last Reviewed: 5/15/2006
Keywords: kbBug kbtshoot kbprb KB917025 kbAudITPRO