Internet Protocol Security

General Troubleshooting

The following are possible reasons for secured communication failures and suggested resolutions for these failures.

Remote Communications Fail

If you are a remote client and only secured communication attempts are failing, review "Best Practices" earlier in this chapter and its remote communications scenarios to verify that your authentication method is correct and that you have security methods compatible with the remote access server.

Intranet Communications Fail

If two computers have been communicating successfully and secured communication between them suddenly fails, do the following:

  1. Ping the other computer to verify the computer is still on the network. You should receive a message indicating IPSec is being negotiated. If you do not, check to see if the list of acceptable security methods in your Filter Action has changed since the last communication with that computer. The old security associations that are based on previous security methods might still be in effect. If so, try the next step. Note that if you are using default policies, unmodified, ping will not be blocked by IPSec. However, if you have created custom policies and have not exempted the ICMP protocol used by the Ping tool, ping may erroneously fail.
  2. Restart the policy agent. This clears up any old security associations. For information about how to restart the policy agent, see "Only IPSec-Secured Communication Fails" later in this chapter.

Other Causes of Failure

To specify a default route

  1. At a command prompt, type:

    route print

    and press ENTER.

  2. Verify whether more than one route line has a destination of 0.0.0.0 and whether there is more than one route line with the lowest metric (generally 1).
  3. If either is true, delete one of the default routes or verify that one of the default routes has a metric value that is lower than all the others.
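The default-route check from the last two steps of this procedure can be scripted over saved `route print` output. The following is an added example, not part of the original documentation; the sample routing table is constructed, and the function names are hypothetical.

```python
# Constructed sample of `route print` output (not captured from a real host).
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       1
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.5       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       1
"""


def default_routes(text):
    """Return (gateway, interface, metric) for each active 0.0.0.0 route.

    Only five-column rows are considered, so headers, separators and
    four-column persistent-route rows are skipped.
    """
    routes = []
    for line in text.splitlines():
        f = line.split()
        if (len(f) == 5 and f[0] == "0.0.0.0" and f[1] == "0.0.0.0"
                and f[4].isdigit()):
            routes.append((f[2], f[3], int(f[4])))
    return routes


def check_default_routes(text):
    """Apply the two checks: multiple defaults, and a tie at the lowest metric."""
    routes = default_routes(text)
    lowest = min((r[2] for r in routes), default=None)
    tied = [r for r in routes if r[2] == lowest]
    return {
        "multiple_defaults": len(routes) > 1,
        # More than one default route shares the lowest metric, so no
        # single route is preferred over the others.
        "ambiguous": len(tied) > 1,
        "lowest_metric_routes": tied,
    }


if __name__ == "__main__":
    result = check_default_routes(SAMPLE)
    print("Multiple default routes:", result["multiple_defaults"])
    print("Tie at lowest metric:   ", result["ambiguous"])
    for gateway, interface, metric in result["lowest_metric_routes"]:
        print(f"  gateway {gateway} via {interface} metric {metric}")
```

If `ambiguous` is true, delete one of the listed default routes or give one of them a metric lower than all the others, as the procedure describes.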

© 1985-2000 Microsoft Corporation. All rights reserved.