VMware Horizon Community
jamesbrigham1
Contributor

View 5.1 Security Server IPSec Setup Fail

We are trying to install a View 5.1 Security server in our environment and after we enter in the Connection server information and pairing password, the setup fails with error 28083.  The logs generated state that "Error:Failed to get a successful response from the connection server".

Any assistance would be greatly appreciated.

17 Replies
Linjo
Leadership

Do you have port 500/UDP open between the Connection broker and the Security server?

This is new from View 5.1

// Linjo

jamesbrigham1
Contributor

I do have the additional firewall port for UDP 500 opened on both the Connection and Security servers.  Log file still states the same, "Failed to get a successful response from the connection server after IPSec setup."

Thank you for your continued assistance.

Linjo
Leadership

Do you have a firewall between the connection broker and security server? Maybe you have not allowed IP Protocol 50 (ESP)?

It's needed for the IPSEC-tunnel to be able to connect.

Look for dropped packets in the firewall. (dropped packets for IP 50)

// Linjo

jamesbrigham1
Contributor

Unfortunately the problem persists.  This is a lab environment so they both are on the same vlan, and the firewall on both servers is opened to any/any, but the error still states that it cannot get a successful response from the connection server after IPsec setup.

Thoughts?

kshaf
Contributor

I am fighting with this issue myself...  I tried to eliminate the firewall as an issue by pairing inside first, but receive the same result.

jamesbrigham1
Contributor

I still haven't figured out what on the Connection Server is causing this.  Initially the issue was on the Security Server but I corrected that by adding the Domain Admins to the Cryptographic Operators group on the domain.  But, again, this did not correct the Connection Server response issue.  I'm thinking it's a STiG setting.

markbenson
VMware Employee

The Security Server doesn't need to be on the domain. Make sure the firewall is on on the CS and SS.

If there is an external firewall between the two, check the installation guide to make sure both of the new rules are applied, and if there is NAT between the two, make sure the NAT rules are also correct.

Page 59 here http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-installation.pdf is important for external firewall rules.

Page 372 here http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-administration.pdf is important if you've tried pairing and it failed.

Mark

beckerbroom
Contributor

For the pairing invalid message, page 52 is the correct page.  In the note it states:

NOTE You cannot pair an older version of security server with the current version of View Connection Server. If you configure a pairing password on the current version of View Connection Server and try to install an older version of security server, the pairing password will be invalid.

squevill
Contributor

Hi, I get the same error.  The vminst.log file says:

IPSecRoles: Found 0 entries

ERROR: Failed to verify quick mode security associations after IPsec setup...

Earlier in the log file, there is an entry stating:

IPsec rule added - netsh command returned - Ok.

(full log file attached below)

I have enabled the Windows Firewall with Advanced Security on both the Connection and Security servers.  They are both in the same network subnet (this is a test lab) so there is no firewall in between them.  I am installing View Connection Server 5.1.1.

Does anybody know how to fix this?

markbenson
VMware Employee

The IPsec rules have failed in your setup.

Page 372 here http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-administration.pdf is important if you've tried pairing and it failed.

Do this and retry.

Thanks.

Mark

squevill
Contributor

Mark, I have tried that (a few times to ensure I did not miss anything) and I still get the same error.

kshaf
Contributor

I finally figured out this issue from our end. After verifying everything was exact port/protocol requirement wise, I decided to eliminate factors that were unique to our environment.  Our issue came down to a group policy setting.  Once I put the comp object in an OU without any GPs applied it worked without issue.  I have still been unable to verify exactly what setting was causing the IPSec pairing failure; however, it is now working without issue for us.

I will try to report back with more findings.

markbenson
VMware Employee

Thanks for this additional info.

I have become aware that if anything turns off the firewall or disables IPsec at either end, or blocks any of the required ports the Microsoft IPsec setup fails.

In the general case, this works every time and since the release of 5.1 in May, there have been very few problems with IPsec setup. I do appreciate though that it is quite hard to diagnose problems where the firewall has been modified outside of View.

Mark

markbenson
VMware Employee

Is it possible that you have a GPO setting that is preventing Microsoft IPsec from working?

We have seen a situation where "Apply local connection security rules" setting was set to "No" and this meant that IPsec can't be enabled in the firewall.

I'd like to understand the reason for this not working in your environment as we may be able to improve the error message when this is detected.

Thanks.

Mark

kshaf
Contributor

It is set to Not Configured.

squevill
Contributor

I have finally figured it out.

Two things were wrong  it seems in my configuration:

1. When I switched on the Windows Firewall (required for IPSec), View clients stopped being able to connect.  To make it work again, I had to switch the network interfaces on the security server from "Public network" to "Private Network".  I don't know exactly what is in the Public network profile that prevents View from working; all the firewall rules appear to be the same for both profiles, so it must be something else.  Anyway, now that I have the firewall enabled and working with View (still with IPsec disabled at this time)... I tackled IPsec.

2. With the firewall Private network profile enabled, the security server installation completed successfully but the View console reported the IPSec policy as not being in effect.  After some investigation, I discovered that the "IPSec Policy Agent" service was disabled on both the security and connection servers - must be a default setting in our corporate server build.  After setting the service to "automatic" and restarting the View services on both ends, it all came up OK.

My suggestion to VMware is to enhance the security server installation procedure to verify that all of these pre-requisites are in place and report back on anything that needs to be fixed or even better, remediate them (with admin approval of course).

markbenson
VMware Employee

I'm glad you have it working.

If the firewall is incorrectly configured on either the Security Server or the Connection Server, Microsoft IPsec setup will fail.

Thanks for posting the details.

Mark

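The prerequisites that posters in this thread found missing (Windows Firewall enabled, the IPsec Policy Agent service not disabled, "Apply local connection security rules" not forced to "No" by GPO, and the active network profile) can be collected into one read-only check to run on both the Connection Server and the Security Server. This is an added example, not code from any poster or from VMware; the service short names, the `AllowLocalIPsecPolicyMerge` policy registry value and the English-locale `netsh` output it parses are assumptions that do not appear in the thread.

```powershell
# Added example (not from the thread). Read-only; run in an elevated prompt.
# Assumes English-locale netsh output.
function New-Check($Check, $Value, $OK) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; OK = [bool]$OK }
}

$report = @(
    # 1. Services: MpsSvc = Windows Firewall, PolicyAgent = IPsec Policy Agent,
    #    IKEEXT = IKE and AuthIP IPsec Keying Modules. None may be Disabled.
    foreach ($name in 'MpsSvc', 'PolicyAgent', 'IKEEXT') {
        $svc  = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $mode = if ($svc) { $svc.StartMode } else { 'missing' }
        New-Check "Service $name (start mode / state)" "$mode / $($svc.State)" `
                  ($svc -and $mode -ne 'Disabled')
    }

    # 2. Firewall must be ON in every profile (output order: Domain, Private, Public).
    $states = @(netsh advfirewall show allprofiles | Select-String '^State\s+(\S+)' |
                ForEach-Object { $_.Matches[0].Groups[1].Value })
    New-Check 'Firewall state (Domain, Private, Public)' ($states -join ', ') `
              ($states.Count -eq 3 -and $states -notcontains 'OFF')

    # 3. Active profile. One poster only got View working after moving the
    #    Security Server NICs from Public to Private, so Public is flagged.
    $active = @(netsh advfirewall show currentprofile | Select-String 'Profile Settings' |
                ForEach-Object { $_.Line.Trim().TrimEnd(':') }) -join '; '
    New-Check 'Active firewall profile(s)' $active ($active -notmatch 'Public')

    # 4. GPO "Apply local connection security rules": 0 = No, absent = Not Configured.
    foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $key  = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$p"
        $v    = (Get-ItemProperty $key -ErrorAction SilentlyContinue).AllowLocalIPsecPolicyMerge
        $text = if ($null -eq $v) { 'Not Configured' } elseif ($v -eq 0) { 'No' } else { 'Yes' }
        New-Check "GPO local connection security rules ($p)" $text ($v -ne 0)
    }
)
$report | Format-Table Check, Value, OK -AutoSize

# After a pairing attempt: the rules the installer added, and whether any
# quick mode security associations were actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show qmsa
```

Any row with `OK` set to `False` points at one of the conditions reported in this thread; an empty quick mode SA list after pairing corresponds to the "Failed to verify quick mode security associations" log entry quoted above.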