IPsec failover can take up to six minutes in Windows 2000 (306677)



The information in this article applies to:

  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q306677

SUMMARY

Although you can use Internet Protocol security (IPsec) with a cluster, with Windows Load Balancing Service (WLBS), or with Network Load Balancing (NLB) and Microsoft Cluster Service (MSCS), IPsec was not designed for failover situations in Microsoft Windows 2000. The failover can take up to six minutes. The failover time for a Microsoft Windows Server 2003-based WLBS or NLB deployment is reduced to two minutes.

MORE INFORMATION

Although you can use IPsec for programs that can fail over in a Windows 2000 server cluster, IPsec was not designed for failover situations in the Windows 2000 release. We recommend that you do not use IPsec for programs in a Windows 2000 server cluster.

Failover is slow on Windows 2000 because Internet Key Exchange (IKE) Security Associations (SAs) are stored in a local database on each node and do not transfer from one server to the other if a failover occurs. This issue has been addressed in Windows Server 2003 and in later Windows versions by a faster IPsec failover mechanism that is used in communicating to WLBS and to the NLB server.

In a connection that is protected by IPsec, an IKE SA is created in phase I negotiations. Two IPsec SAs are created in phase II. A time-out value is associated with the IKE and IPsec SAs. As a result, after a failover the client must first wait for the default time-out or for the lifetime period of the incoming IPsec SA to expire. Then, the client must wait for the time-out or lifetime period that is associated with the IKE SA.

By default, the SA Idle Timer times out in five minutes, and an additional one-minute time-out is incurred while a communication attempt is made to the failed node. When you use IPsec and a failover occurs, clients cannot reestablish connections for up to six minutes after all the resources are online.

Although IPsec is not optimally designed for a Windows 2000 clustered environment, you can use it if the business need for secure connectivity is more important than client downtime during a failover. IPsec requires state information associated with the connection. That state information is not preserved during a failover. IPsec has not been tested with Microsoft Cluster Service. Therefore, Microsoft does not support using it as a solution. We recommend that you do not use IPsec for programs in a server cluster. For more information, see the following article in the Microsoft Knowledge Base:

253169 Traffic that can--and cannot--be secured by IPsec

For more information about how to use IPsec in a Windows Server 2003 environment, see the following article in the Microsoft Knowledge Base:

821839 How to configure IPsec on an Exchange Server 2003 back-end server that is running on a Windows Server 2003 server cluster


Modification Type: Major
Last Reviewed: 9/15/2006
Keywords: kbhowto kbenv kbinfo KB306677 kbAudITPRO