MM: Cannot ping the MAS server CORP or PRIV IP addresses - No Remote Access


Doc ID    SOLN311132
Version:    2.0
Status:    Published
Published date:    26 Sep 2017
Created Date:    15 Jun 2017
Author:    Charles Amy

Details

Modular Messaging release 3.x, 4.x and 5.x

This problem only affects the MAS servers. The MSS is not running Windows.

Cannot ping the MAS Corporate or Private IP addresses.

Because you cannot ping the server, you also cannot connect to the MAS server with Remote Desktop (RDP).

Problem Clarification

The MAS can be pinged only for seconds after rebooting, if at all.
 
The System Event Viewer will display these errors:
IPSec Error None 4292 N/A MASSERVER The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.

IPSec Information None 4294 N/A MASSERVER The IPSec driver has entered Secure mode. IPSec policies, if they have been configured, are now being applied to this computer.

Cause

The IPSec policy is corrupted. See Microsoft article http://support.microsoft.com/?kbid=870910.
A corrupted file in the policy store causes this problem. An interruption that occurs when the policy is being written to the disk may cause the corruption.

Solution

Both solutions below require you to be in front of the server, logged in using the keyboard and mouse, because the MAS server cannot be reached over the network while the NICs are blocked. The only way around this remotely is if you are running the System Platform release of Modular Messaging and the MAS can be accessed via the VNC workaround, tunneling through a PuTTY session to Dom-0 on System Platform: https://kb.avaya.com/kb/index?page=content&id=SOLN236108&actp=SEARCH&actp=search&viewlocale=en_US&searchid=1506444879776
 
- Quick Solution  - WORKAROUND: To temporarily work around this problem, disable the IPSEC Services component, and then reboot the MAS server. Call processing should resume.
 
- Longer Solution - Microsoft's Official IPSEC repair is below:
 
Warning:
Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry.

In general, in Registry Editor, go to File > Export, select a location (D:\Temp is recommended because it is a common location), and save as *.reg, using the numeric date for the name.

NOTE: It is common that the registry key mentioned in Step 1 below will have already been deleted as part of the corruption. If this is the case, proceed to Step 2. There is no need to manually create the registry subkeys. The procedure in Step 2 will create them.

Also NOTE: When the IPSec policy is corrupted, there will be no remote access. The Quick Solution workaround above will allow access to the system and the MAS server will come back into service, but the IPSec policy will be disabled! Windows Server 2003 supports the use of Internet Protocol security (IPSec) to secure communications between computers. IPSec is a cross-platform protocol. Windows Server 2003-based computers use IPSec policies to control which communications must use IPSec. A computer may need IPSec to secure all communications or only a subset of all communications. Failure to correct the IPSec policy as stated in Step 2 below may compromise the security of your MAS server.


RESOLUTION
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, follow these steps:
1. Delete the local policy registry subkey. To do this, follow these steps:
a. Click Start, click Run, type regedit in the Open box, and then click OK.
b. In Registry Editor, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
c. On the Edit menu, click Delete.
d. Click Yes to confirm that you want to delete the subkey.
e. Quit Registry Editor.
2. Rebuild a new local policy store. To do this, click Start, click Run, type regsvr32 polstore.dll in the Open box, and then click OK.
3. Verify that the IPSEC Services component is set to automatic, and then restart the MAS Server.
4. Verify via the System Event viewer that there is an Event 4294 with description "The IPSec driver has entered Secure mode. IPSec policies, if they have been configured, are now being applied to this computer."
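
The same four steps as a console batch script. This is an added example, not part of the Avaya or Microsoft procedure. The backup file name and the "verify" argument are assumptions made for the example; PolicyAgent is the Windows Server 2003 service name behind the "IPSEC Services" display name.

```batch
@echo off
rem Added example: Steps 1-3 of the repair, run at the MAS console as a local
rem administrator. Run again with "verify" after the restart for Step 4.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
rem Assumption: backup file name; the article only recommends D:\Temp.
set "BACKUP=D:\Temp\ipsec-policy-local-backup.reg"
if /i "%~1"=="verify" goto verify

rem Step 1: back up, then delete the local policy subkey if it still exists.
rem If the corruption already removed the key, go straight to Step 2.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto rebuild
if exist "%BACKUP%" (
    echo %BACKUP% already exists. Move it aside and rerun.
    exit /b 1
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed. Nothing was deleted.
    exit /b 1
)
reg delete "%KEY%" /f
if errorlevel 1 exit /b 1

:rebuild
rem Step 2: re-register polstore.dll to rebuild the local policy store.
regsvr32 /s polstore.dll
if errorlevel 1 (
    echo regsvr32 polstore.dll failed.
    exit /b 1
)

rem Step 3: PolicyAgent is the service name behind "IPSEC Services".
sc config PolicyAgent start= auto
sc qc PolicyAgent | find "AUTO_START" >nul
if errorlevel 1 (
    echo IPSEC Services is not set to automatic.
    exit /b 1
)
echo Repair steps done. Restart the MAS server, then run: %~nx0 verify
exit /b 0

:verify
rem Step 4: list System events with ID 4294 (driver entered Secure mode).
cscript //nologo "%SystemRoot%\system32\eventquery.vbs" /l system /fi "id eq 4294"
```

In the verify output, confirm that the newest Event 4294 is dated after the restart and is not followed by a later Event 4292.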

Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy