Windows Vista Forums

ipsec failing on boot and server in block mode
  1. #1


    Pedro M. Leite Guest

    ipsec failing on boot and server in block mode

    good afternoon.

    recently, our sbs 2k3 is failing to start the ipsec service on restart /
    reboot.
    from the sbs technet blog :
    DNS by default will randomly pick 2500 ports when the service starts up, a
    port conflict will occur if the DNS server allocates a port that is
    required by another service and that service will fail once it requests
    that static UDP port. So far we have seen issues with AUTD, IPSEC, and
    IAS but there may be other services that will have a conflict.


    is the dns port conflict the only possible reason and editing :

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

    with :

    * 1645-1646 - Used by IAS
    * 1701-1701 - Used by L2TP
    * 1812-1813 - Used by IAS
    * 2883-2883 - Used by AUTD
    * 4500-4500 - Used by IPSEC

    an approved solution ?? i remember some time ago, ias was also failing on
    startup.


    found this reference :

    http://blogs.technet.com/sbs/archive...s-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

    having this logged message :

    If the IPSEC service fails to start, the server will be running in Block
    mode and it will block all network connectivity to the server.



    In the case of the IAS Service failing to start, you will see the
    following event logged in the system event log:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/12/2008
    Time: 6:38:37 PM
    User: N/A
    Computer: SERVER
    Description: The Internet Authentication Service Service terminated
    with the following error: Only one usage of each socket address
    (protocol/network address/port) is normally permitted.

    thank you in advance.
    pleite.



    --
    No trees were destroyed in the sending of this message, however, a
    significant number of electrons were terribly inconvenienced


  2. #2


    Ace Fekay [MCT] Guest

    Re: ipsec failing on boot and server in block mode

    "Pedro M. Leite" <pleite@newsgroup> wrote in message
    news:OVz%23uxiMKHA.3992@newsgroup

    > good afternoon.
    >
    > recently, our sbs 2k3 is failing to start the ipsec service on restart /
    > reboot.
    > from the sbs technet blog :
    > DNS by default will randomly pick 2500 ports when the service starts up, a
    > port conflict will occur if the DNS server allocates a port that is
    > required by another service and that service will fail once it requests
    > that static UDP port. So far we have seen issues with AUTD, IPSEC, and
    > IAS but there may be other services that will have a conflict.
    >
    >
    > is the dns port conflict the only possible reason and editing :
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    > \ReservedPorts
    >
    > with :
    >
    > * 1645-1646 - Used by IAS
    > * 1701-1701 - Used by L2TP
    > * 1812-1813 - Used by IAS
    > * 2883-2883 - Used by AUTD
    > * 4500-4500 - Used by IPSEC
    >
    > an approved solution ?? i remember some time ago, ias was also failing on
    > startup.
    >
    >
    > found this reference :
    >
    > http://blogs.technet.com/sbs/archive...s-may-fail-to-
    > start-or-may-not-work-properly-after-installing-ms08-037-951746-
    > and-951748.aspx
    >
    > having this logged message :
    >
    > If the IPSEC service fails to start, the server will be running in Block
    > mode and it will block all network connectivity to the server.
    >
    > In the case of the IAS Service failing to start, you will see the
    > following event logged in the system event log:
    >
    > Event Type: Error
    > Event Source: Service Control Manager
    > Event Category: None
    > Event ID: 7023
    > Date: 7/12/2008
    > Time: 6:38:37 PM
    > User: N/A
    > Computer: SERVER
    > Description: The Internet Authentication Service Service terminated
    > with the following error: Only one usage of each socket address
    > (protocol/
    > network address/port) is normally permitted.
    >
    > thank you in advance.
    > pleite.
    >
    >
    >
    > --
    > No trees were destroyed in the sending of this message, however, a
    > significant number of electrons were terribly inconvenienced

    Pedro ,

    See if this helps:

    SBS Services failing after MS08-037 - KB951746 and 951748
    http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx


    For a full explanation of what the patch does to help reduce the DNS exploit
    issue, read the following, please.

    The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports
    Reservation Explained
    http://msmvps.com/blogs/acefekay/arc...explained.aspx

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.



  3. #3


    Al Williams Guest

    Re: ipsec failing on boot and server in block mode

    This is an old problem, make sure you add the DNS reservation patch to fix
    your IPSec booting issue:

    http://msmvps.com/blogs/bradley/arch...revisited.aspx

    --
    Allan Williams




    Pedro M. Leite wrote:

    > good afternoon.
    >
    > recently, our sbs 2k3 is failing to start the ipsec service on
    > restart / reboot.
    > from the sbs technet blog :
    > DNS by default will randomly pick 2500 ports when the service starts
    > up, a port conflict will occur if the DNS server allocates a port
    > that is required by another service and that service will fail once
    > it requests that static UDP port. So far we have seen issues with
    > AUTD, IPSEC, and IAS but there may be other services that will have a
    > conflict.
    >
    >
    > is the dns port conflict the only possible reason and editing :
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    > \ReservedPorts
    >
    > with :
    >
    > * 1645-1646 - Used by IAS
    > * 1701-1701 - Used by L2TP
    > * 1812-1813 - Used by IAS
    > * 2883-2883 - Used by AUTD
    > * 4500-4500 - Used by IPSEC
    >
    > an approved solution ?? i remember some time ago, ias was also
    > failing on startup.
    >
    >
    > found this reference :
    >
    > http://blogs.technet.com/sbs/archive...s-may-fail-to-
    > start-or-may-not-work-properly-after-installing-ms08-037-951746-
    > and-951748.aspx
    >
    > having this logged message :
    >
    > If the IPSEC service fails to start, the server will be running in
    > Block mode and it will block all network connectivity to the server.
    >
    > In the case of the IAS Service failing to start, you will see the
    > following event logged in the system event log:
    >
    > Event Type: Error
    > Event Source: Service Control Manager
    > Event Category: None
    > Event ID: 7023
    > Date: 7/12/2008
    > Time: 6:38:37 PM
    > User: N/A
    > Computer: SERVER
    > Description: The Internet Authentication Service Service
    > terminated with the following error: Only one usage of each socket
    > address (protocol/ network address/port) is normally permitted.
    >
    > thank you in advance.
    > pleite.



  4. #4


    Pedro M. Leite Guest

    Re: ipsec failing on boot and server in block mode

    good afternoon.


    thank you all for the input.
    i'll read and post back

    as a side note, happened this morning, after monthly update cycle.
    thank you
    -------------------------------
    On Thu, 10 Sep 2009 10:25:22 -0600, Al Williams wrote:

    > This is an old problem, make sure you add the DNS reservation patch to
    > fix your IPSec booting issue:
    >
    > http://msmvps.com/blogs/bradley/arch...-2003-and-dns-patch-issues-revisited.aspx





    --
    No trees were destroyed in the sending of this message, however, a
    significant number of electrons were terribly inconvenienced







  5. #5


    Ace Fekay [MCT] Guest

    Re: ipsec failing on boot and server in block mode

    "Pedro M. Leite" <pleite@newsgroup> wrote in message
    news:%23xFHW3jMKHA.3992@newsgroup

    > good afternoon.
    >
    >
    > thank you all for the input.
    > i'll read and post back
    >
    > as a side note, happened this morning, after monthly update cycle.
    > thank you

    Surprising it happened this morning. That update came out in July, 2008.
    Post back with how you make out.

    Ace




  6. #6


    Pedro M. Leite Guest

    Re: ipsec failing on boot and server in block mode

    Good Afternoon.

    made the registry changes, applied the kb, rebooted and all started as it
    should.

    thank you all for your help.
    pleite
    --------------------------------------


    On Thu, 10 Sep 2009 08:36:13 -0700, Pedro M. Leite wrote:

    > good afternoon.
    >
    > recently, our sbs 2k3 is failing to start the ipsec service on restart /
    > reboot.
    > from the sbs technet blog :
    > DNS by default will randomly pick 2500 ports when the service starts up,
    > a port conflict will occur if the DNS server allocates a port that is
    > required by another service and that service will fail once it requests
    > that static UDP port. So far we have seen issues with AUTD, IPSEC, and
    > IAS but there may be other services that will have a conflict.
    >
    >
    > is the dns port conflict the only possible reason and editing :
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    > \ReservedPorts
    >
    > with :
    >
    > * 1645-1646 - Used by IAS
    > * 1701-1701 - Used by L2TP
    > * 1812-1813 - Used by IAS
    > * 2883-2883 - Used by AUTD
    > * 4500-4500 - Used by IPSEC
    >
    > an approved solution ?? i remember some time ago, ias was also failing
    > on startup.
    >
    >
    > found this reference :
    >
    > http://blogs.technet.com/sbs/archive...ices-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
    >
    > having this logged message :
    >
    > If the IPSEC service fails to start, the server will be running in Block
    > mode and it will block all network connectivity to the server.
    >
    > In the case of the IAS Service failing to start, you will see the
    > following event logged in the system event log:
    >
    > Event Type: Error
    > Event Source: Service Control Manager
    > Event Category: None
    > Event ID: 7023
    > Date: 7/12/2008
    > Time: 6:38:37 PM
    > User: N/A
    > Computer: SERVER
    > Description: The Internet Authentication Service Service terminated
    > with the following error: Only one usage of each socket address
    > (protocol/ network address/port) is normally permitted.
    >
    > thank you in advance.
    > pleite.




    --
    No trees were destroyed in the sending of this message, however, a
    significant number of electrons were terribly inconvenienced
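The registry change discussed in this thread, as an added example that is not from any of the posters: a PowerShell audit of `ReservedPorts` against the five ranges listed in the first post. It assumes PowerShell 2.0 or later and an elevated prompt on the server; the `-Apply` switch and the helper function names are hypothetical.

```powershell
# Added example: audit ReservedPorts against the ranges listed in this thread.
param([switch]$Apply)   # hypothetical switch: append the missing ranges

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$required = '1645-1646', '1701-1701', '1812-1813', '2883-2883', '4500-4500'

function ConvertTo-PortRange([string]$entry) {
    # Entries are "low-high"; a malformed one is reported, not silently skipped.
    if ($entry -notmatch '^\s*(\d{1,5})-(\d{1,5})\s*$') { throw "Malformed entry: '$entry'" }
    $low = [int]$Matches[1]; $high = [int]$Matches[2]
    if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) { throw "Invalid range: '$entry'" }
    New-Object PSObject -Property @{ Low = $low; High = $high; Text = "$low-$high" }
}

function Test-Covered($range, $existing) {
    # Covered when one existing entry contains the whole required range.
    foreach ($e in $existing) {
        if ($e.Low -le $range.Low -and $e.High -ge $range.High) { return $true }
    }
    return $false
}

# ReservedPorts is a REG_MULTI_SZ value; it may be absent or contain blank lines.
$value    = (Get-ItemProperty -Path $key -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts
$current  = @($value | Where-Object { $_ -and $_.Trim() })
$existing = @($current | ForEach-Object { ConvertTo-PortRange $_ })
$missing  = @($required | ForEach-Object { ConvertTo-PortRange $_ } |
              Where-Object { -not (Test-Covered $_ $existing) })

if ($missing.Count -eq 0) { 'All ranges from the thread are already reserved.'; return }
'Missing reservations: ' + (($missing | ForEach-Object { $_.Text }) -join ', ')

if ($Apply) {
    # Append only, so reservations already present are kept.
    # Reboot afterwards, as the poster did.
    $merged = @($current) + @($missing | ForEach-Object { $_.Text })
    Set-ItemProperty -Path $key -Name ReservedPorts -Value ([string[]]$merged) -Type MultiString
}
```

Run without `-Apply`, it only reports which ranges are missing and leaves the registry untouched.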







  7. #7


    Ace Fekay [MCT] Guest

    Re: ipsec failing on boot and server in block mode

    "Pedro M. Leite" <pleite@newsgroup> wrote in message
    news:%23oDan0vMKHA.2036@newsgroup

    Good to hear. You are welcome!

    Ace


    > Good Afternoon.
    >
    > made the registry changes, applied the kb, rebooted and all started as it
    > should.
    >
    > thank you all for your help.
    > pleite
    > --------------------------------------
    >
    >
    > On Thu, 10 Sep 2009 08:36:13 -0700, Pedro M. Leite wrote:
    >

    >> good afternoon.
    >>
    >> recently, our sbs 2k3 is failing to start the ipsec service on restart /
    >> reboot.
    >> from the sbs technet blog :
    >> DNS by default will randomly pick 2500 ports when the service starts up,
    >> a port conflict will occur if the DNS server allocates a port that is
    >> required by another service and that service will fail once it requests
    >> that static UDP port. So far we have seen issues with AUTD, IPSEC, and
    >> IAS but there may be other services that will have a conflict.
    >>
    >>
    >> is the dns port conflict the only possible reason and editing :
    >>
    >> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    >> \ReservedPorts
    >>
    >> with :
    >>
    >> * 1645-1646 - Used by IAS
    >> * 1701-1701 - Used by L2TP
    >> * 1812-1813 - Used by IAS
    >> * 2883-2883 - Used by AUTD
    >> * 4500-4500 - Used by IPSEC
    >>
    >> an approved solution ?? i remember some time ago, ias was also failing
    >> on startup.
    >>
    >>
    >> found this reference :
    >>
    >> http://blogs.technet.com/sbs/archive...ices-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
    >>
    >> having this logged message :
    >>
    >> If the IPSEC service fails to start, the server will be running in Block
    >> mode and it will block all network connectivity to the server.
    >>
    >> In the case of the IAS Service failing to start, you will see the
    >> following event logged in the system event log:
    >>
    >> Event Type: Error
    >> Event Source: Service Control Manager
    >> Event Category: None
    >> Event ID: 7023
    >> Date: 7/12/2008
    >> Time: 6:38:37 PM
    >> User: N/A
    >> Computer: SERVER
    >> Description: The Internet Authentication Service Service terminated
    >> with the following error: Only one usage of each socket address
    >> (protocol/ network address/port) is normally permitted.
    >>
    >> thank you in advance.
    >> pleite.
    >
    >
    >
    >
    >
    > --
    > No trees were destroyed in the sending of this message, however, a
    > significant number of electrons were terribly inconvenienced
    >
    >
    >
    >
    >


