IPSec troubleshooting tools

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting tools

This topic provides information about the following IPSec troubleshooting tasks and the troubleshooting tools that you can use to perform each of these tasks:

  • Viewing IPSec policy assignment information

  • Viewing details about the active IPSec policy and IPSec statistics

  • Viewing details about the active IPSec policy and IPSec statistics in IP Security Monitor

  • Verifying that security auditing is enabled

  • Viewing IPSec-related events in Event Viewer

  • Enabling detailed tracing for Internet Key Exchange (IKE) negotiations

  • Viewing IPSec and other network communication with Network Monitor

  • Using Netsh to change the IPSec configuration on computers running the Windows Server 2003 family

  • Using Ipseccmd.exe to manage and monitor IPSec on computers running Windows XP

  • Using Netdiag.exe to display IPSec information and to test and view network configuration

  • Disabling TCP/IP and IPSec hardware acceleration

Details about each of these subjects are provided in the following sections.

Notes

  • For general recommended practices that can help you enhance security and minimize the potential for problems when deploying IPSec, see IPSec Best practices.

  • For the Windows Server 2003 family, the Netsh commands for IPSec replace and enhance the functionality provided by Netdiag.exe and Ipseccmd.exe. For information about how to use Netsh to script IPSec policy creation and to monitor IPSec activity, see Netsh commands for Internet Protocol security.

  • Ipseccmd.exe is a support tool that is provided only on the Windows XP CD. To install this tool, run the Setup.exe file from the Support\Tools folder. You can use this tool to manage and monitor IPSec policies only on computers running Windows XP. For more information about Ipseccmd.exe, see the Microsoft TechNet Web site.

Netdiag.exe is available in the Windows Server 2003 family, Windows XP, and in Windows 2000, as follows:

  • In the Windows Server 2003 family, run the Suptools.msi file from the \Support\Tools folder on the Windows Server 2003 family CD (select the Complete setup option). Although you can still use this version of Netdiag.exe to obtain basic networking information that is not IPSec-specific, the Netsh commands for IPSec replace all IPSec-specific functionality.

  • In Windows XP, run the Setup.exe file from the \Support\Tools folder on the Windows XP CD (select the Complete setup option).

  • For Windows 2000, an updated version of Netdiag.exe is available for download from the Web. For more information, see "Windows 2000 Resource Kits," at the Microsoft Windows Resource Kits Web site.

For more information about Netdiag.exe, see Using Netdiag.exe to display IPSec information and to test and view network configuration in this topic.

Viewing IPSec policy assignment information

Viewing the name of an active IPSec policy and the name of the Group Policy object to which the active IPSec policy is assigned can be useful for troubleshooting policy precedence issues. The following table summarizes the tools that you can use to view this information for the Windows Server 2003 family, Windows XP, and Windows 2000.

Windows Server 2003 family

Windows XP

  Use these tools to view the name of the active IPSec policy:

  • IP Security Policy Management console (for local policies only).

  • Network Connectivity Tester (Netdiag.exe), netdiag /test:ipsec command.

    For more information, see Using Netdiag.exe to display IPSec information and to test and view network configuration in this topic.

  Use these tools to view the name of the Group Policy object to which the active IPSec policy is assigned:

  • Netdiag.exe, netdiag /test:ipsec command.

Windows 2000

  Use these tools to view the name of the active IPSec policy:

  • Netdiag.exe, netdiag /test:ipsec command.

  • In the properties for the relevant network connection, TCP/IP Properties/Advanced/Options/IPSec.

    The assigned IPSec policy that is displayed in TCP/IP Properties is global. It is not specific to the connection.

  Use these tools to view the name of the Group Policy object to which the active IPSec policy is assigned:

  • Netdiag.exe, netdiag /test:ipsec command.

  • Gpresult.exe (Group Policy Results).

  • Gpotool.exe (Group Policy Verification Tool).

    Gpresult.exe and Gpotool.exe are both available for download from the Web. For more information, see "Windows 2000 Resource Kits," at the Microsoft Windows Resource Kits Web site.

Notes

  • To view all IPSec policies that are available (but not necessarily assigned or applied) to computers, use the IP Security Policy Management console. For information about policy precedence and IPSec policy behavior in an Active Directory environment, see the section "Active Directory-based policy" in Creating, modifying, and assigning IPSec policies.

  • For the Windows Server 2003 family, to determine which IPSec policies are assigned but are not being applied to IPSec clients, use the RSoP console.

  • The Windows XP implementation of the RSoP console does not support the display of IPSec policies. In addition, the gpresult /scope computer command does not display the Group Policy object that contains an IPSec policy assignment. For these reasons, you should use Netdiag.exe to view IPSec policy assignment information on computers running Windows 2000 or Windows XP. The netdiag /test:ipsec command displays the Group Policy object that contains the IPSec policy assignment, and the organizational unit to which the Group Policy object is assigned.

  • Gpotool.exe allows you to monitor the health of Group Policy objects on domain controllers. You can use this tool to check the consistency and replication of Group Policy objects and to display Group Policy object properties. Gpotool.exe is available only for computers running Windows 2000.

Viewing details about the active IPSec policy and IPSec statistics

The IP Security Policy Management console, Netdiag.exe, Gpresult.exe, and Gpotool.exe allow you to determine which IPSec policy has been assigned through Group Policy. After you verify this information, you might need to view details about the assigned IPSec policy and IPSec statistics (for example, filters, filter actions, and active security associations). The following table summarizes the tools that you can use to view an active IPSec policy and IPSec statistics for the Windows Server 2003 family, Windows XP, and Windows 2000.

Windows Server 2003 family

  Notes:

  • To view details about the active IPSec policy and IPSec statistics on a local or remote computer, you must be a member of the Administrators group on that computer.

Windows XP

  Use these tools to display the active IPSec policy, IPSec statistics, or both:

  • IP Security Monitor console.

  • Ipseccmd.exe, ipseccmd show all command.

  Notes:

  • To view details about the active IPSec policy and IPSec statistics for a local or remote computer, you must be a member of the Administrators group on that computer.

Windows 2000

  Use these tools to display the active IPSec policy, IPSec statistics, or both:

  • Netdiag.exe, netdiag /test:ipsec /v /debug command.

  • Ipsecmon.exe.

  Notes:

  • To use the /debug option, you must be logged on as a member of the Administrators group on that computer. In addition, to view details about Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory.

  • Ipsecmon.exe only displays active outbound quick mode security associations (SAs).

Note

  • To remotely monitor IPSec on a computer that is running a different version of Windows than your computer, use Remote Desktop Connection. For example, if your computer is running the Windows Server 2003 family and you plan to remotely monitor IPSec on computers running Windows 2000 or Windows XP, use Remote Desktop Connection to gain remote access to these computers. For information about Remote Desktop Connection, see Remote Desktop Connection.

Viewing details about the active IPSec policy and IPSec statistics in IP Security Monitor

In Windows XP and the Windows Server 2003 family, IP Security Monitor is implemented as a Microsoft Management Console (MMC) snap-in, and it includes enhancements that allow you to view details about an active IPSec policy that is applied by the domain or locally, as well as quick mode and main mode statistics, and active IPSec SAs. IP Security Monitor also enables you to search for specific main mode or quick mode filters. To troubleshoot complex IPSec policy designs, you can use IP Security Monitor to search for all matches for filters of a specific traffic type.

Notes

  • You can use IP Security Monitor to monitor only computers that are running Windows XP or the Windows Server 2003 family. In addition, the computer that is being monitored must run the same version of the Windows operating system as the computer on which IP Security Monitor is running. To monitor IPSec on a computer that is running Windows 2000, use the ipsecmon command at the Windows 2000 command prompt on the computer that is being monitored.

  • For remote monitoring, you can use IP Security Monitor only to monitor computers that are running the same version of the Windows operating system. To remotely monitor IPSec on a computer that is running a different version of Windows than your computer, use Remote Desktop Connection. For information about Remote Desktop Connection, see Remote Desktop Connection.

  • If your computer is running the Windows Server 2003 family, and you plan to monitor IPSec on computers that are also running the Windows Server 2003 family, you can run IP Security Monitor or use the Netsh command-line tool remotely.

Verifying that security auditing is enabled

You can use Local Security Policy settings (for a local computer) or Group Policy Object Editor (for a domain) to verify that security auditing is enabled, so you can ensure that the success and failure of IKE negotiations is recorded. Auditing for IKE is supported in Windows 2000, Windows XP, and the Windows Server 2003 family (IKE uses the Logon Events category). In the Windows Server 2003 family, you can also enable auditing for the security policy database (SPD). SPD uses the Policy Change category. For more information, see Define or modify auditing policy settings for an event category.

You can use Event Viewer to view the following IPSec-related events:

IKE events (negotiation success and failure) in the security log.

To view these events, enable success or failure auditing for the Audit logon events audit policy for your domain or local computer. The IKE event category is also used for auditing user logon events in services other than IPSec. For more information, see Define or modify auditing policy settings for an event category.

When you enable success or failure auditing for the Audit logon events audit policy, IPSec records the success or failure of each main mode and quick mode negotiation and the establishment and termination of each negotiation as separate events. However, enabling this type of auditing can cause the security log to fill with IKE events. For example, for servers that are connected to the Internet, attacks on the IKE protocol can cause the security log to fill with IKE events. IKE events can also fill the security log for servers that use IPSec to secure traffic to many clients. To avoid this, you can disable auditing for IKE events in the security log by modifying the registry.

  • To disable auditing of IKE events in the security log, do the following:

    1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\DisableIKEAudits registry setting to a value of 1.

      The DisableIKEAudits key does not exist by default and must be created.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Restart the computer, or stop and then restart the IPSec service by running the net stop policyagent and net start policyagent commands at the command prompt.

    Note

    • Stopping and restarting the IPSec service can disconnect all of the computers that are using IPSec from the computer on which the IPSec service is stopped, and it can prevent further communication with that computer. If you restart the IPSec service immediately, TCP-based communication might resume, due to the retransmit behavior of TCP, after new IKE and IPSec SAs are established. For more information, see "Stopping and restarting the IPSec service," later in this topic.

IPSec policy change events in the Security log.

To view these events, enable success or failure auditing for the Audit policy change audit policy for your domain or local computer. For more information, see Define or modify auditing policy settings for an event category.

IPSec driver per-packet drop events in the System log.

In Windows 2000, Windows XP, and the Windows Server 2003 family, you can enable packet event logging for the IPSec driver by modifying the registry. The IPSec driver reads the registry during computer startup. In the Windows Server 2003 family, you can enable packet event logging for the IPSec driver by using the Netsh ipsec command-line tool. To enable logging of dropped inbound and outbound packets, specify a value of 7. For information about the other levels of IPSec driver event logging, see Notes.

  • To enable IPSec driver logging of dropped inbound and outbound packets by modifying the registry, do the following:

    1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\EnableDiagnostics DWORD registry setting to a value of 7.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Restart the computer.

  • To enable IPSec driver logging of dropped inbound and outbound packets by using the Netsh IPSec command-line tool in the Windows Server 2003 family, do the following:

    1. At the command prompt, type: netsh ipsec dynamic set config ipsecdiagnostics 7

    2. Restart the computer.

You can also change the interval for writing IPSec driver packet events to the System log. By default, the IPSec driver writes events to the System log once an hour or after a threshold for the number of events has been reached. For troubleshooting, you should set this interval to the minimum value, 60 seconds.

  • To change the interval for writing IPSec driver packet events by modifying the registry, do the following:

    1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\LogInterval DWORD registry setting to 60 decimal.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Restart the computer.

  • To change the interval for writing IPSec driver packet events by using the Netsh ipsec command-line tool in the Windows Server 2003 family, do the following:

    1. At the command prompt, type netsh ipsec dynamic set config ipsecloginterval 60

    2. Restart the computer.

The IPSec driver reads the registry during computer startup.
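The two registry procedures above (disabling IKE audits in the Security log, and enabling IPSec driver drop logging with a 60-second flush interval) are the kind of change an administrator applies and later has to undo. The following batch file is an added example written for this page; it is not part of the original topic. It drives reg.exe to set the values named above, takes a backup of the key with regedit /e first, reads the values back so the operator can confirm them, and prints what still has to be restarted. The script name, the use of %TEMP% for the backup, and the availability of reg.exe (built in on Windows XP and Windows Server 2003, Support Tools on Windows 2000) are assumptions.

```batch
@echo off
rem Added example, not from the original topic: switch IPSec driver
rem drop logging on or off through the registry (Windows 2000, Windows XP,
rem Windows Server 2003), and optionally silence IKE audits.
rem Usage:  ipsec-driver-log.cmd on        level 7, flush every 60 seconds
rem         ipsec-driver-log.cmd off       level 0, default interval
rem         ipsec-driver-log.cmd quietike  DisableIKEAudits=1
rem Assumes reg.exe is present and the script runs as an Administrator.
setlocal

set IPSECKEY=HKLM\System\CurrentControlSet\Services\IPSec
set AUDITKEY=HKLM\System\CurrentControlSet\Control\Lsa\Audit
set BACKUP=%TEMP%\ipsec-services-%RANDOM%.reg

if /i "%~1"=="on"       goto :on
if /i "%~1"=="off"      goto :off
if /i "%~1"=="quietike" goto :quietike
echo usage: %~nx0 on ^| off ^| quietike
exit /b 2

:on
rem Keep a copy of the key before touching it, as the topic's Caution asks.
regedit /e "%BACKUP%" "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec"
if not exist "%BACKUP%" goto :fail
echo Saved existing values to %BACKUP%
rem Level 7 = inbound drops, outbound drops, errors and clear-text events.
reg add "%IPSECKEY%" /v EnableDiagnostics /t REG_DWORD /d 7 /f >nul || goto :fail
rem Flush driver events to the System log every 60 seconds instead of hourly.
reg add "%IPSECKEY%" /v LogInterval /t REG_DWORD /d 60 /f >nul || goto :fail
call :show
echo The IPSec driver reads these values at startup: restart the computer.
exit /b 0

:off
rem Level 7 on a host with blocking filters floods the System log; turn it
rem back off once the failure has been captured (0 = logging disabled).
reg add "%IPSECKEY%" /v EnableDiagnostics /t REG_DWORD /d 0 /f >nul || goto :fail
reg delete "%IPSECKEY%" /v LogInterval /f >nul 2>&1
call :show
echo Restart the computer for the change to take effect.
exit /b 0

:quietike
rem Stop IKE success/failure audits from filling the Security log. The
rem Lsa\Audit key is not present by default; reg add creates it.
reg add "%AUDITKEY%" /v DisableIKEAudits /t REG_DWORD /d 1 /f >nul || goto :fail
reg query "%AUDITKEY%" /v DisableIKEAudits
echo Restart the IPSec service or the computer for this to take effect:
echo     net stop policyagent ^& net start policyagent
exit /b 0

:show
rem Print what is actually stored so the operator can confirm the DWORDs.
reg query "%IPSECKEY%" /v EnableDiagnostics
reg query "%IPSECKEY%" /v LogInterval 2>nul
exit /b 0

:fail
echo reg.exe or regedit reported a problem; no further changes were made.
exit /b 1
```

Run "ipsec-driver-log.cmd on" before reproducing the dropped traffic and "ipsec-driver-log.cmd off" afterwards; the backup .reg file can be re-imported with regedit if the original values need to be restored exactly.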

By default, packet event logging for the IPSec driver is disabled (that is, the value is set to 0). When you enable packet event logging for the IPSec driver, you can specify any of the following values, to enable different levels of logging:

Logging level 1

When 1 is specified, bad SPI packets (the total number of packets for which the Security Parameters Index, or SPI, was incorrect), IKE negotiation failures, IPSec processing failures, packets received with invalid packet syntax, and other errors are recorded in the System log. Unauthenticated hashes (with the exception of the "Clear text received when should have been secured" event) are logged as well.

Logging level 2

When 2 is specified, inbound per-packet drop events are recorded in the System log.

Logging level 3

When 3 is specified, level 1 and level 2 logging are performed. In addition, unexpected clear text events (packets that are sent or received in plaintext) are also recorded.

Logging level 4

When 4 is specified, outbound per-packet drop events are recorded in the System log.

Logging level 5

When 5 is specified, level 1 and level 4 logging are performed.

Logging level 6

When 6 is specified, level 2 and level 4 logging are performed.

Logging level 7

When 7 is specified, all levels of logging are performed.

For more information about IPSec driver event logging, see the Microsoft Windows Resource Kits Web site.

You cannot configure audit policies on a computer running Windows XP Home Edition. However, success and failure auditing for the Audit logon events and Audit policy change audit policies for the local computer are enabled by default.

Enabling auditing in the security log or IPSec driver diagnostics in the system log can cause these logs to fill with events quickly. Before you perform either of these tasks, you should do the following:

  • Ensure that the size of the log is at least 10 megabytes (MB).

  • Save the existing log to a file.

  • Clear all events in the log so that the log is empty.

  • Consider disabling auditing of IKE events in the security log by modifying the registry, if your computer hosts many simultaneous network connections.

Enabling detailed tracing for Internet Key Exchange (IKE) negotiations

Enabling audit logging for IKE events and viewing the events in Event Viewer is the fastest and simplest way to troubleshoot failed main mode or quick mode negotiations. However, some scenarios might require a more detailed analysis of the IKE main mode negotiation and quick mode negotiations for troubleshooting. You can enable tracing for IKE negotiations if the audit failure events do not provide enough information. The IKE tracing log is a very detailed log intended for troubleshooting IKE interoperability under controlled circumstances. Expert knowledge of the ISAKMP RFC 2408 and IKE RFC 2409 is required to interpret this log.

The IKE tracing log appears as the systemroot\Debug\Oakley.log file. The log has a fixed size of 50,000 lines and will overwrite as necessary. A new Oakley.log file is created each time the IPSec service is started and the previous version of the Oakley.log file is saved as Oakley.log.sav. When the Oakley.log file becomes full, the current file is saved as Oakley.log.bak, and a new Oakley.log file is created.

Because many IKE negotiations can occur simultaneously, you should minimize the number of negotiations and log for as short a period of time as possible to capture a more easily interpreted log.

Enabling and disabling the IKE tracing log in the Windows Server 2003 family

In the Windows Server 2003 family, you can enable or disable the IKE tracing log dynamically while the IPSec service is running by doing the following:

  • To enable the IKE tracing log, type the following at the command prompt:

    netsh ipsec dynamic set config ikelogging 1

    This command creates the IKE tracing log file if it does not exist. If the file does exist, it appends logging information to the existing file.

  • To disable the IKE tracing log, type the following at the command prompt:

    netsh ipsec dynamic set config ikelogging 0

Enabling the IKE tracing log in Windows 2000 and Windows XP

In Windows 2000 and Windows XP, you must enable IKE tracing by modifying the registry. For the changes to take effect, you must also stop and restart the IPSec service:

  • To enable the IKE tracing log in Windows XP and Windows 2000, do the following:

    1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD registry setting to a value of 1.

      The Oakley key does not exist by default and must be created.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Stop and start the IPSec service by running the net stop policyagent and net start policyagent commands at the command prompt.

Stopping and restarting the IPSec service

Stopping and restarting the IPSec service can disconnect all of the computers that are using IPSec from the computer on which the IPSec service is stopped, and it can prevent further communication with that computer. However, if you restart the IPSec service immediately, TCP-based communication might resume, due to the retransmit behavior of TCP, after new IKE and IPSec SAs are established. If you leave the IPSec service stopped, any clients that used the default response rule to establish security will be unable to communicate with this computer for two hours.

To avoid losing Terminal Services connectivity for computers that are using IPSec over a Terminal Server session, you must stop and restart the IPSec service by using a single command line:

  • To stop and restart the IPSec service for computers over a Terminal Server session

    • At the command prompt, type the following:

      net stop policyagent & net start policyagent

If you are restarting the IPSec service while an L2TP/IPSec VPN tunnel is connected, the tunnel will lose connectivity and must be reconnected when the IPSec service is restarted. A PPTP tunnel, however, does not use IPSec and therefore will stay connected if you stop the IPSec service.

If you are restarting the IPSec service on a computer that is running the Windows Server 2003 family and that is also running the Routing and Remote Access service, any IPSec configuration for L2TP will be lost and the L2TP tunnels will be disconnected. Therefore, you must stop and restart the Routing and Remote Access service, as well as the IPSec service.

  • To stop and restart the IPSec service and the Routing and Remote Access service, do the following:

    1. Stop the Routing and Remote Access service using the net stop remoteaccess command.

    2. Stop the IPSec service by using the net stop policyagent command.

    3. Start the IPSec service by using the net start policyagent command.

    4. Start the Routing and Remote Access service using the net start remoteaccess command.
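The registry procedure for enabling IKE tracing on Windows 2000 and Windows XP, the single-command-line restart for Terminal Server sessions, and the stop/start ordering for the Routing and Remote Access service all fit in one script. The following batch file is an added example written for this page, not code from the original topic. It creates the Oakley key and EnableLogging value, detects whether Routing and Remote Access is running with sc.exe, and then restarts the services in the order described above. The script name and the availability of reg.exe and sc.exe (built in on Windows XP; Support Tools / Resource Kit on Windows 2000) are assumptions; on the Windows Server 2003 family the netsh ipsec dynamic set config ikelogging command described earlier replaces the registry step.

```batch
@echo off
rem Added example, not from the original topic: turn the IKE tracing log on or
rem off on Windows 2000 / Windows XP, then restart the IPSec service safely.
rem Usage:  ike-trace.cmd on    or    ike-trace.cmd off
rem Assumes reg.exe and sc.exe are available and the script runs as an
rem Administrator.
setlocal
set OAKLEYKEY=HKLM\System\CurrentControlSet\Services\PolicyAgent\Oakley
set LOGFILE=%SystemRoot%\Debug\Oakley.log

if /i "%~1"=="on" (set LEVEL=1) else if /i "%~1"=="off" (set LEVEL=0) else (
    echo usage: %~nx0 on ^| off
    exit /b 2
)

rem EnableLogging lives under an Oakley key that does not exist by default;
rem "reg add" creates the key and the DWORD in one step.
reg add "%OAKLEYKEY%" /v EnableLogging /t REG_DWORD /d %LEVEL% /f >nul || (
    echo could not write %OAKLEYKEY%\EnableLogging
    exit /b 1
)

rem Is Routing and Remote Access running? If so it must be stopped first and
rem started last, otherwise its L2TP IPSec configuration is lost.
set RRAS=0
sc query remoteaccess | find "RUNNING" >nul && set RRAS=1

if %RRAS%==1 net stop remoteaccess
rem Stop and start on one command line, so the restart completes even when
rem this session itself is protected by IPSec over Terminal Services.
net stop policyagent & net start policyagent
if %RRAS%==1 net start remoteaccess

if %LEVEL%==1 (
    echo IKE tracing is on. Reproduce the failing negotiation now, then run
    echo "%~nx0 off". The trace is written to:
    echo     %LOGFILE%   ^(previous run saved as Oakley.log.sav^)
) else (
    echo IKE tracing is off. Copy %LOGFILE% before the next service restart
    echo overwrites it.
)
exit /b 0
```

Keep the tracing window short, as the topic advises: run "ike-trace.cmd on", reproduce one failing negotiation, run "ike-trace.cmd off", and copy Oakley.log away before the service is restarted again.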

Viewing IPSec and other network communication with Network Monitor

You can install and use Network Monitor to view IPSec and other network communication. Note that the version of Network Monitor that is provided with the Windows Server 2003 family can be used only to view the network traffic that is sent to or from the computer on which it is installed. To view network traffic that is sent to or from another computer and is routed through your computer (using the Routing and Remote Access service), you must use the Network Monitor component that is provided with Microsoft Systems Management Server.

The Network Monitor component that is provided with the Windows Server 2003 family includes parsers for the ISAKMP (IKE), AH, and ESP protocols. The Network Monitor parsers for ESP can parse inside the ESP packet only if null-encryption is being used and the full ESP packet is captured. Network Monitor cannot parse the encrypted portions of IPSec-secured ESP traffic when encryption is performed in software. However, if encryption is being performed by an IPSec hardware offload network adapter, the ESP packets are decrypted when Network Monitor captures them and as a result, can be parsed and interpreted into the upper-layer protocols. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers.

Notes

  • For information about how to install the version of Network Monitor that is provided with the Windows Server 2003 family, see Install Network Monitor.

  • For information about Systems Management Server, go to the Microsoft Web site.

Using Netsh to change the IPSec configuration on computers running the Windows Server 2003 family

For computers running the Windows Server 2003 family, you can use the Netsh commands for IPSec to script IPSec policy creation, display details about IPSec policies, and change the IPSec configuration for troubleshooting.

For troubleshooting, you can use the Netsh commands for IPSec to change the following settings:

Disable Internet Key Exchange (IKE) certificate revocation list (CRL) checking

By default, in Windows 2000 CRLs are not checked during IKE certificate authentication. In Windows XP and the Windows Server 2003 family, CRLs are checked during IKE certificate authentication, but a fully successful check is not required for the certificate to be accepted. In some cases, failures during CRL processing might cause IKE to not accept the certificate. Or, the delay required for CRL checking might delay IKE negotiation enough to cause the connection attempt to time out. To determine whether certificate authentication will be successful without CRL checking, you can disable IKE CRL checking. To do this, type the following at the command prompt:

netsh ipsec dynamic set config strongcrlcheck 0

This setting takes effect immediately. It does not require a restart.

Enable IPSec driver event logging

To record all inbound and outbound dropped packets and other packet processing errors in the Event Viewer System log, you can set the IPSec driver event logging level to 7. To do this, type the following at the command prompt:

netsh ipsec dynamic set config ipsecdiagnostics 7

This setting will not take effect until you restart your computer.

Notes

  • If you configured an IPSec filter action on a computer to block traffic, setting the IPSec driver event logging level to 7 on that computer might generate many events that fill the System log very quickly. Accordingly, you should set the IPSec driver event logging level to 7 only for testing.

  • All packets that are dropped by IPSec contribute to the Datagrams Received Discarded or Datagrams Outbound Discarded System Monitor counters for the IP object. IPSec itself does not provide a counter object. You can monitor IPSec performance counters manually by using IP Security Monitor.

Permit inbound and outbound traffic during computer startup

To permit inbound and outbound traffic during computer startup (before the IPSec service starts), you can use the following Netsh command:

netsh ipsec dynamic set config bootmode permit

This setting will not take effect until you restart your computer.

Note

  • If you start the computer in Safe Mode with Networking, the IPSec service will not start and cannot retrieve IPSec policy settings from Active Directory or the local registry, and persistent policy cannot be applied. As a result, inbound and outbound traffic will continue to be permitted until the computer is no longer in Safe Mode.

Exempt all broadcast, multicast, IKE, Kerberos, and RSVP traffic from IPSec filtering

In Windows 2000 and Windows XP, by default, the IPSec driver exempts all broadcast, multicast, IKE, Kerberos, and RSVP traffic from IPSec filtering. In the Windows Server 2003 family, only IKE traffic is exempt from IPSec filtering, and you can configure, block, or permit filter actions specifically for multicast and broadcast traffic (IPSec does not negotiate SAs for multicast and broadcast traffic). To restore the IPSec driver to the default Windows 2000 and Windows XP filtering behavior, you can use the following Netsh command:

netsh ipsec dynamic set config ipsecexempt 0

This setting will not take effect until you restart your computer.

Caution

  • The Windows 2000 and Windows XP default exemption settings for IPSec are designed for corporate LAN environments with a low risk of attack. For this reason, you should use only the Windows 2000 and Windows XP default exemption settings when necessary for troubleshooting, in low-risk environments, or when you cannot solve program compatibility issues by configuring explicit filters in IPSec policies.

You can also exempt all broadcast, multicast, IKE, Kerberos, and RSVP traffic from IPSec filtering by modifying the registry as follows:

  1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt DWORD registry setting to a value of 0.

     The NoDefaultExempt key does not exist by default and must be created.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  2. Restart the computer.
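The Netsh settings in this section, together with the dynamic IKE tracing switch described under "Enabling and disabling the IKE tracing log in the Windows Server 2003 family", differ in one practical respect: some take effect immediately and some only after a restart. The following batch file is an added example written for this page, not code from the original topic. It snapshots the current dynamic configuration with netsh ipsec dynamic show config, applies the troubleshooting settings that the topic recommends for a test window, and reports which ones are waiting on a restart; the revert path turns the noisy settings off again. The script name and the snapshot path under %TEMP% are assumptions. The bootmode and ipsecexempt changes are deliberately left out, since the topic's own Caution limits them to low-risk environments.

```batch
@echo off
rem Added example, not from the original topic: a Windows Server 2003
rem IPSec troubleshooting session driven by the netsh ipsec commands.
rem Usage:  ipsec-netsh-session.cmd apply    or    ipsec-netsh-session.cmd revert
setlocal
set SNAPSHOT=%TEMP%\ipsec-dynamic-config-before.txt

if /i "%~1"=="apply"  goto :apply
if /i "%~1"=="revert" goto :revert
echo usage: %~nx0 apply ^| revert
exit /b 2

:apply
rem Keep the pre-change state so the operator can see what "revert" must undo.
netsh ipsec dynamic show config > "%SNAPSHOT%" || goto :fail
echo Saved current configuration to %SNAPSHOT%

rem Immediate effect: IKE trace to %SystemRoot%\Debug\Oakley.log ...
netsh ipsec dynamic set config ikelogging 1 || goto :fail
rem ... and skip CRL checking to test whether CRL retrieval is what stalls IKE.
netsh ipsec dynamic set config strongcrlcheck 0 || goto :fail

rem Restart required: level 7 logs every inbound and outbound drop to the
rem System log, flushed every 60 seconds.
netsh ipsec dynamic set config ipsecdiagnostics 7 || goto :fail
netsh ipsec dynamic set config ipsecloginterval 60 || goto :fail

echo.
echo ikelogging and strongcrlcheck are active now. ipsecdiagnostics and
echo ipsecloginterval take effect after the computer restarts. Before restarting,
echo enlarge the System log to at least 10 MB, save it, and clear it.
exit /b 0

:revert
rem Turn the noisy settings off again. strongcrlcheck is restored from the
rem snapshot rather than from an assumed default.
netsh ipsec dynamic set config ikelogging 0
netsh ipsec dynamic set config ipsecdiagnostics 0
if exist "%SNAPSHOT%" (
    echo Previous settings, restore strongcrlcheck from this output:
    type "%SNAPSHOT%"
) else (
    echo No snapshot found at %SNAPSHOT%; check "netsh ipsec dynamic show config".
)
echo ipsecdiagnostics 0 takes effect after the computer restarts.
exit /b 0

:fail
echo netsh returned an error; stopping here.
exit /b 1
```

Because the CRL check is a real security control, the snapshot taken by "apply" is what you consult when running "revert": restore strongcrlcheck to the value shown there once the certificate problem has been isolated.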

Using Ipseccmd.exe to manage and monitor IPSec on computers running Windows XP

For computers running Windows XP, you can use the Ipseccmd.exe command-line tool to script IPSec policy creation and to display IPSec policy assignments, active SAs, and detailed IPSec policy settings, including filters, filter actions, and authentication methods. Ipseccmd.exe replaces and enhances the functionality provided by the Ipsecpol.exe tool (used in Windows 2000 for scripting IPSec policy creation) and the netdiag /test:ipsec /v /debug command (used in Windows 2000 to display configuration information and SAs for an active IPSec policy).

To install Ipseccmd.exe on a computer running Windows XP, run the Setup.exe file from the \Support\Tools folder on the Windows XP CD.

Notes

  • Ipseccmd.exe is provided only with Windows XP, and you can use this tool to manage and monitor IPSec policies only on computers running Windows XP.

  • To display all IPSec policy settings and statistics for diagnostics, use the ipseccmd show all command.

Using Netdiag.exe to display IPSec information and to test and view network configuration

You can use the Netdiag.exe command-line tool to display information about IPSec policies and statistics, report network configuration, and test basic networking capabilities and domain-based functionality. The following table describes how to install Netdiag.exe and provides information about functional changes relevant to IPSec for each version of this tool.

Windows Server 2003 family

  To install: For the Windows Server 2003 family, Netdiag.exe is available for installation from the Windows Server 2003 family CD (run the Suptools.msi file from the \Support\Tools folder, and choose the Complete setup option).

  Notes:

  • Although you can still use Netdiag.exe to obtain basic networking information that is not IPSec-specific, for the Windows Server 2003 family, the netdiag /test:ipsec option has been removed, and the Netsh commands for IPSec replace all IPSec-specific functionality. To view details about IPSec policies, use either the netsh ipsec static show command or the netsh ipsec dynamic show command.

Windows XP

  To install: For Windows XP, Netdiag.exe is available for installation from the Windows XP CD (run the Setup.exe file from the \Support\Tools folder, and choose the Complete setup option).

  Notes:

  • Displays information about IPSec policy assignments, including the name of the active IPSec policy, the name of the Group Policy object that assigned the policy, and the policy path.

  • The display of detailed IPSec policy information and IPSec statistics (provided by the /debug and /v options in Windows 2000) is not supported in Windows XP. Instead, to view details about IPSec policies, use the Ipseccmd.exe show command.

Windows 2000

  To install: For Windows 2000, an updated version of Netdiag.exe is available for download from the Web. For information, see "Windows 2000 Resource Kits," at the Microsoft Windows Resource Kits Web site.

  Notes:

  • Netdiag.exe was enhanced in Windows 2000 Service Pack 1 to display the number of bytes offloaded by the IPSec driver to a network adapter that is capable of IPSec hardware offload. The hardware offload statistics are Offloaded Bytes Sent and Offloaded Bytes Received.

  • To use the /debug option to view details about Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory.

You can use the netdiag /v /l command to obtain networking information that is not IPSec-specific, for any platform. Typical uses of these options include:

  • Reporting the IP configuration and routing configuration for a computer with one command.

  • Testing WINS and DNS name resolution and consistency.

  • Reporting the build version of a computer and the hotfixes that are installed on that computer.

  • Testing the validity of domain membership, whether domain members can successfully contact domain controllers, and trust relationships.

The /l option generates a Netdiag.log file. This file is written to the folder in which Netdiag.exe is run.

Notes

  • To run all Netdiag.exe commands, you must be a member of the Administrators group on the local computer.

  • Each version of Netdiag.exe is customized to run on a different version of the Windows operating system (that is, Windows 2000, Windows XP, or the Windows Server 2003 family). You can only run Netdiag.exe on a computer that is running the Windows operating system for which Netdiag.exe has been specifically designed.

  • If you are running a version of Netdiag.exe that is designed for Windows 2000 or Windows XP in a Windows Server 2003 domain, Netdiag.exe might not report the correct operating system version of the domain.

  • If you run Netdiag.exe on a computer that is assigned an IPSec policy that affects most inbound and outbound IP traffic on that computer, Netdiag.exe might not report results correctly the first time it is run. This is because it might take a few seconds for IPSec to establish SAs to the many remote computers for which Netdiag.exe tests connectivity. If this occurs, wait five seconds, and then run Netdiag.exe again.

Disabling TCP/IP and IPSec hardware acceleration

Network adapters can accelerate IPSec processing by performing hardware offload of IPSec cryptographic functions (IPSec offload) and the calculation of TCP checksums (checksum offload). Such adapters might also process large TCP segments for very fast transmission (large-send offload). By default, when a network adapter driver that can perform hardware offload is enabled during the Plug and Play initialization process, the driver advertises this capability to TCP/IP and IPSec. TCP/IP and IPSec then offload tasks to the network adapter driver as appropriate.

If you use network adapters to perform hardware offload of IPSec cryptographic functions, you might need to verify that hardware acceleration is not causing problems with the packet processing that is performed by the network adapter. To do so, you can:

  • Disable hardware offload functions in the network adapter driver (if this function is supported by the driver). This task does not require you to restart the computer.

  • Disable TCP/IP and IPSec hardware acceleration. This task requires you to restart the computer.

  • Disable only IPSec hardware acceleration. This task requires you to restart the computer.

Disabling hardware offload functions in the network adapter driver

To determine whether you can disable hardware offload functions in the network adapter driver, do one of the following:

  • Open Device Manager, click Network Adapters, right-click the network adapter whose properties you want to view, and then click Properties. For more information, see Change network adapter settings.

  • Open Network Connections, right-click the network adapter that you want to view, click Properties, and then, on the General tab, click Configure.

Disabling TCP/IP and IPSec hardware acceleration

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To disable both TCP/IP and IPSec hardware acceleration by modifying the registry, do the following:

  1. Set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload DWORD registry setting to a value of 1.

  2. Restart the computer.

If the DisableTaskOffload DWORD registry setting is set to a value of 0, and if the network adapter advertises hardware offload capabilities, IPSec and TCP/IP will attempt to offload the appropriate functions to the network adapter.

Disable only IPSec hardware acceleration

To disable only IPSec hardware acceleration by modifying the registry, do the following:

  1. Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\EnableOffload DWORD registry setting to a value of 0.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  2. Restart the computer.
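The following PowerShell script is an added example (not part of the original article) that audits the two registry values used by the "Disable TCP/IP and IPSec hardware acceleration" and "Disable only IPSec hardware acceleration" procedures above, and performs the registry step of either procedure with -WhatIf support. It assumes PowerShell is installed and run as an Administrator; the defaults it applies when a value is absent (DisableTaskOffload treated as 0, EnableOffload treated as 1) are assumptions, as the article does not state them.

```powershell
# Added example: audit and change the offload registry settings described above.
# Assumptions: PowerShell available, elevated session, defaults for absent values.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IpsecParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'

function Get-RegDword {
    # Read a DWORD value, returning $Default when the value does not exist.
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-OffloadState {
    # Report whether TCP/IP and IPSec are currently permitted to offload to the adapter.
    $disableTask = Get-RegDword $TcpipParams 'DisableTaskOffload' 0   # assumed default 0
    $enableIpsec = Get-RegDword $IpsecParams 'EnableOffload' 1        # assumed default 1
    New-Object PSObject -Property @{
        DisableTaskOffload  = $disableTask
        EnableOffload       = $enableIpsec
        # DisableTaskOffload = 1 blocks both TCP/IP and IPSec offload (first procedure)
        TcpipOffloadAllowed = ($disableTask -eq 0)
        # IPSec offload also requires EnableOffload not set to 0 (second procedure)
        IpsecOffloadAllowed = ($disableTask -eq 0 -and $enableIpsec -ne 0)
    }
}

function Disable-AllTaskOffload {
    # Step 1 of "Disable TCP/IP and IPSec hardware acceleration"; restart afterwards.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$TcpipParams\DisableTaskOffload", 'Set to 1')) {
        Set-ItemProperty -Path $TcpipParams -Name 'DisableTaskOffload' -Value 1 -Type DWord
    }
}

function Disable-IpsecOffloadOnly {
    # Step 1 of "Disable only IPSec hardware acceleration"; restart afterwards.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$IpsecParams\EnableOffload", 'Set to 0')) {
        Set-ItemProperty -Path $IpsecParams -Name 'EnableOffload' -Value 0 -Type DWord
    }
}

# Show the current state before deciding which procedure to apply.
Get-OffloadState | Format-List
```

Run Disable-IpsecOffloadOnly -WhatIf (or Disable-AllTaskOffload -WhatIf) first to see the change without writing it; neither function restarts the computer, which both procedures require.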

Note

  • To help minimize the potential for hardware acceleration to cause problems with packet processing performed by the network adapter, make sure that you use the latest network adapter driver available from the vendor.