IP Security Transport Mode with Encryption May Drop Fragmented Packets (309304)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP2
This article was previously published under Q309304

SYMPTOMS

In Windows 2000 Service Pack 2, IP Security (IPSec) Transport Mode with encryption may drop fragmented traffic, for example, Internet Control Message Protocol (ICMP) and User Datagram Protocol (UDP) packet traffic. Transmission Control Protocol (TCP) is generally not affected.

CAUSE

This issue occurs when IPSec Transport Mode is used to secure domain controllers by forcing Kerberos to be protected by IPSec. The issue occurs because Kerberos uses UDP port 88 (Kerberos can use TCP if needed).

This issue does not affect L2TP/IPSec connections.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:
   Date         Time   Version        Size     File name
   --------------------------------------------------
   26-Sep-2001  23:11  5.0.2195.3951  121,936  Afd.sys
   04-Aug-2001  12:14  5.0.2195.4055   87,824  Hotfix.exe
   04-Oct-2001  20:29                  26,118  Hotfix.inf
   04-Oct-2001  20:24  5.0.2195.3952  106,256  Msafd.dll
   30-May-2001  03:03  5.0.2195.3649    3,584  Spmsg.dll
   27-Sep-2001  16:06  5.0.2195.4429  312,688  Tcpip.sys
   30-Jul-2001  23:15  5.0.2195.3988   16,240  Tdi.sys
   04-Oct-2001  20:24  5.0.2195.3649   17,680  Wshtcpip.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

ICMP is a network-layer (ISO/OSI level 3) Internet protocol that provides error correction and other information that is relevant to Internet Protocol (IP) packet processing. For example, ICMP enables the IP software on one computer to inform another computer about an unreachable destination.

UDP is the connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI model. UDP converts program-generated data messages into packets to send through IP, but UDP does not verify that a message is successfully delivered. Because UDP is more efficient than TCP, UDP is used for various purposes, including Simple Network Management Protocol (SNMP); the reliability of UDP depends on the program that generates the message.

ESP is a standard for providing integrity and confidentiality to IP datagrams. In some circumstances, ESP can also provide authentication to IP datagrams.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB309304
©2004 Microsoft Corporation. All rights reserved.