Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Thursday, February 6, 2014 10:35 AM
Lab setup: Windows Server 2008RC2 running CA, DC, NDES roles.
Client: Embedded Linux device with strongSwan 5.1.1 and openssl.
I have successfully configured NDES and SCEP, and enrolled a machine certificate on the client.
On the server an IPsec policy is assigned (3DES, SHA1, DH group 2). Firewall is disabled.
IPsec transport mode is chosen and the server/client are on the same net.
Ping from server to client correctly establishes the SA. All good.
Now comes the problem: when the client sends the IKE_SA_INIT message, no response is returned (using wireshark).
On the server the audit event log lists Event 4653:
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 192.168.0.2
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 192.168.0.3
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv2
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: 5ac3b111d55ad243
Responder Cookie: f467fab69613cf7c
The machine certificate looks like (notice the added enhanced key usages server and client auth, which I understand is required):
# openssl x509 -text -inform DER -in /etc/ipsec.d/certs/fccCert.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:8a:98:ac:00:00:00:00:00:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA
Validity
Not Before: Feb 3 09:33:56 2014 GMT
Not After : Feb 3 09:33:56 2016 GMT
Subject: C=CH, O=Linux, CN=CPB529-2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<cut>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:lmh@doms.dk
X509v3 Subject Key Identifier:
A2:54:A9:A3:E3:DC:C6:F0:0D:ED:B9:87:37:42:82:6A:62:4D:E6:75
X509v3 Authority Key Identifier:
keyid:DE:17:51:17:28:69:C3:10:E2:00:26:D7:0D:A8:A9:25:A0:E4:CA:3D
X509v3 CRL Distribution Points:
URI:ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=LMH-WIN2008R2-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?cACertificate?base?objectClass=certificationAuthority
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0-.%+.....7........Z...&...Y...d.A..m...?..d...
X509v3 Extended Key Usage:
1.3.6.1.4.1.311.20.2.1, TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2, TLS Web Client Authentication
1.3.6.1.4.1.311.21.10:
020..
+.....7...0
..+.......0
..+.......0
..+.......
Signature Algorithm: sha1WithRSAEncryption
<cut>
BEGIN CERTIFICATE
<cut>
END CERTIFICATE
The IKE_SA_INIT request looks like:
No. Time Source Destination Protocol Length Info
89550 504103.645307 192.168.0.3 192.168.0.2 ISAKMP 650 IKE_SA_INIT
Frame 89550: 650 bytes on wire (5200 bits), 650 bytes captured (5200 bits)
Arrival Time: Feb 5, 2014 09:53:52.767787000 Romance Standard Time
Epoch Time: 1391590432.767787000 seconds
[Time delta from previous captured frame: 10.834437000 seconds]
[Time delta from previous displayed frame: 409.652542000 seconds]
[Time since reference or first frame: 504103.645307000 seconds]
Frame Number: 89550
Frame Length: 650 bytes (5200 bits)
Capture Length: 650 bytes (5200 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Doms_00:ab:c7 (00:50:55:00:ab:c7), Dst: CadmusCo_51:94:77 (08:00:27:51:94:77)
Destination: CadmusCo_51:94:77 (08:00:27:51:94:77)
Address: CadmusCo_51:94:77 (08:00:27:51:94:77)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Doms_00:ab:c7 (00:50:55:00:ab:c7)
Address: Doms_00:ab:c7 (00:50:55:00:ab:c7)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.0.3 (192.168.0.3), Dst: 192.168.0.2 (192.168.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 636
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xb71b [correct]
[Good: True]
[Bad: False]
Source: 192.168.0.3 (192.168.0.3)
Destination: 192.168.0.2 (192.168.0.2)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 616
Checksum: 0x0043 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 5ac3b111d55ad243
Responder cookie: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08
.... 1... = Initiator: Initiator
...0 .... = Version: No higher version
..0. .... = Response: Request
Message ID: 0x00000000
Length: 608
Type Payload: Security Association (33)
Next payload: Key Exchange (34)
0... .... = Critical Bit: Not Critical
Payload length: 352
Type Payload: Proposal (2) # 1
Next payload: Proposal (2)
0... .... = Critical Bit: Not Critical
Payload length: 40
Proposal number: 1
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 4
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_3DES (3)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Type Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Alternate 1024-bit MODP group (2)
Type Payload: Proposal (2) # 2
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 308
Proposal number: 2
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 36
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_3DES (3)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 128
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 0080
Key Length: 128
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 192
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 00c0
Key Length: 192
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_MD5_96 (1)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_MD5 (1)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_AES128_CBC (4)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_AES128_CMAC6 (8)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Alternate 1024-bit MODP group (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 1536 bit MODP group (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048 bit MODP group (14)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 3072 bit MODP group (15)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 4096 bit MODP group (16)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 8192 bit MODP group (18)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 256-bit random ECP group (19)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 384-bit random ECP group (20)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 521-bit random ECP group (21)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 1024-bit MODP Group with 160-bit Prime Order Subgroup (22)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048-bit MODP Group with 224-bit Prime Order Subgroup (23)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048-bit MODP Group with 256-bit Prime Order Subgroup (24)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 192-bit Random ECP Group (25)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 224-bit Random ECP Group (26)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (27)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (28)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (29)
Type Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (30)
Type Payload: Key Exchange (34)
Next payload: Nonce (40)
0... .... = Critical Bit: Not Critical
Payload length: 136
DH Group #: Alternate 1024-bit MODP group (2)
Key Exchange Data: 488bf42e98dcb8a37e86e1a25964ed9b41948c941ad2d296...
Type Payload: Nonce (40)
Next payload: Notify (41)
0... .... = Critical Bit: Not Critical
Payload length: 36
Nonce DATA: 5bfaeebc0a0c9f01cb6a75a8a088429b684fd7d158bec7e8...
Type Payload: Notify (41)
Next payload: Notify (41)
0... .... = Critical Bit: Not Critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
Notification DATA: 1575bc35e95f2cb05722320f7a3d5e0db6a7a58d
Type Payload: Notify (41)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
Notification DATA: efd4ca3ddcf8776889bbe21344e0116a0cf19784
I guess my configuration is somehow wrong, but can't figure out what is wrong. Any help is greatly appreciated.
Thanks and regards,
Lars
Thursday, February 20, 2014 2:29 PM ✅Answered | 1 vote
Hi Amy,
I got it working after I enabled PFS for the Filter Action. So the issue can be closed.
Regards,
Lars
Friday, February 7, 2014 8:42 AM
Hi Lars,
Here are some related troubleshooting links below for you references:
IPSec Troubleshooting
http://technet.microsoft.com/en-us/library/cc783041(v=WS.10).aspx
Troubleshooting VPN over IPsec
http://technet.microsoft.com/en-us/library/bb794765.aspx
Monitoring Main Mode
http://technet.microsoft.com/en-us/library/cc732099.aspx
Best Regards,
Amy Wang
Tuesday, February 11, 2014 7:41 AM
Hi Lars,
Do you need further assistances on this issue by now?
If these links above couldn't help you solve this issue, I suggest you contact Microsoft Customer Services to get more efficient and professional support on this issue.
How and when to contact Microsoft Customer Service and Support
http://support.microsoft.com/kb/295539
Have a nice day!
Amy Wang
Tuesday, February 11, 2014 9:02 AM
Hi Amy, Thanks for the pointers. I went through it all, but no success. I tried to enable the netsh wfp capture but the log generated does not really give more information than the 4653 event. The oakley log is as I understand more detailed - but not supported on Server 2008. Still stuck at "Main mode negotiation failed" Failure point local computer, failure reason no policy configured. What kind of policy is this message referring to? I disabled the firewall, but added a connection security rule for the specific endpoints and set auth mode to req inbound and outbound using the Root CA certificate. Hope you can help. Thanks and regards, Lars
Wednesday, February 12, 2014 8:02 AM
Hi Lars,
You are very welcome, I will try to figure out the cause of this issue. In the meantime, as I mentioned in my last post, a call to Microsoft Customer Service and Support will be very beneficial to you.
Please capture the IPsec negotiation packets generated from the client side, to confirm if IPsec policy is enabled and configured correctly on the client side.
In addition, please use Windows Live SkyDrive to upload both the normal IPsec packets (generated from server side) and problematic IPsec packets (generated from client side) for further analyzing.
Note: please save those packets as .cap files.
Regards,
Amy
Wednesday, February 12, 2014 9:41 AM
Hi Amy,
Thanks, I have included both the successful and the failing scenario in a .cap file. Also details for the client certificate and server main mode IKE policy settings. I hope you are able to open it:
https://skydrive.live.com/?cid=de92b5cc4916d00e&id=DE92B5CC4916D00E%21442#cid=DE92B5CC4916D00E&id=DE92B5CC4916D00E%21441
Regards,
Lars
Thursday, February 13, 2014 6:50 AM
Hi Lars,
I couldn’t open the link, would you please post out the link again?
Amy
Thursday, February 13, 2014 8:40 AM
Hi Amy,
Please try this:
https://skydrive.live.com/?cid=de92b5cc4916d00e&id=DE92B5CC4916D00E%21442
Regards,
Lars
Thursday, February 13, 2014 8:41 AM
Hi Lars,
I can open the link after I removed “https://” part, though it is a .cab file which we cannot open.
Would you please upload a .cap file?
Thank you!
Amy
Thursday, February 13, 2014 10:43 AM
Hi Amy,
The .cab file is just an archive with a collection of log files.
I managed to solve the main mode neg. failure issue by forcing the client to use IKEv1. IKEv2 seems not supported by Windows Server 2008 in non-ras transport mode...
However there is still an issue:
The following quick mode negotiation fails. This time with the EventID 4654:
An IPsec quick mode negotiation failed.
Local Endpoint:
Network Address: 192.168.0.2
Network Address mask: 0.0.0.0
Port: 0
Tunnel Endpoint: -
Remote Endpoint:
Network Address: 192.168.0.3
Address Mask: 0.0.0.0
Port: 0
Tunnel Endpoint: -
Private Address: 0.0.0.0
Additional Information:
Protocol: 0
Keying Module Name: IKEv1
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
Mode: Transport
Role: Responder
Quick Mode Filter ID: 66029
Main Mode SA ID: 144
Failure Information:
State: No state
Message ID: 3573913272
Failure Point: Local computer
Failure Reason: Policy match error
The IPsec settings in the firewall are set to the defaults.
Please find two .cap files (from wireshark). The failing quick mode scenario, and the successfuld scenario (when the server initiates the connection). Use the same skydrive link as before.
Thanks and regards,
Lars
Tuesday, February 18, 2014 10:19 AM
Hi Amy,
Are you able to open the cap files? Any news about this issue?
Thanks and regards,
Lars
https://skydrive.live.com/?cid=de92b5cc4916d00e&id=DE92B5CC4916D00E%21444
1) 4654-quick-mode-failed-policy-match-error.pcap
2) server-to-client-sa-success.pcap
Monday, February 24, 2014 1:52 AM
Hi Lars,
I am so sorry for the delay, I was out of office for the last week.
Glad to hear that this issue has been solved, and thank you very much for sharing the solution!
Please don’t hesitate to let us know if there are any issues in the future.
Regards,
Amy
Thursday, October 4, 2018 10:46 AM
Hi Lars,
Can you please elaborate the PFS for the Filter Action. I am in same situation with exact same symptoms for Main mode authentication failure.