Windows firewall blocks nearly all traffic after reboot

Tags: windows-firewall, windows-server-2008-r2

Sometimes when the systems boot they don't accept any inbound traffic at all, and my IPsec rules don't work outbound. It appears that the server is stuck in some kind of initial post-boot configuration. This is primarily for 2008 R2 and Windows 7.

I was reading some time ago that there is some kind of default configuration in the Windows Advanced Firewall that blocks all inbound traffic and only allows specific outbound traffic (to the domain controllers, DNS, DHCP if my memory serves) but blocks all other access until the 'real' rules are loaded and applied. It sounds like this is the state my systems are getting stuck in post-reboot.

What is the name of this state, and how can I go about diagnosing my issue? I lost track of those details long since and I'm having a heck of a time finding them again.

EDIT:

I finally found the proper name for this behavior: the Windows Firewall boot-time filter.

EDIT:

This just got stranger. It looks like I can now make inbound connections from non-IPsec-enabled systems, but any IPsec requests are failing. I enabled some auditpol logging and I'm getting the following.

Additional Information:
Keying Module Name: IKEv1
Authentication Method:  Unknown authentication
Role:           Responder
Impersonation State:    Not enabled
Main Mode Filter ID:    0

Failure Information:
Failure Point:      Local computer
Failure Reason:     No policy configured <<< Looks wrong. 

State:          No state
Initiator Cookie:   cec5de8d625d2196
Responder Cookie:   0d40a3b58c477709

I was able to work around this issue temporarily by defining a local IPsec policy (even the firewall rules work), but I'm not sure why this is the case or what I can do to fix it long term.
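A diagnostic pass for the state the question describes, added here as an example and not part of the original post. It assumes Windows 7 / Server 2008 R2 with PowerShell 2.0 (so no NetSecurity module; netsh and WMI are used instead) run from an elevated prompt. The boot-time filters stay in force until the Base Filtering Engine (BFE) is running and Windows Firewall (MpsSvc) has applied its policy, and IKE negotiation depends on IKEEXT, so the script checks those services first, then enables the IPsec audit subcategories behind the "auditpol logging" in the question and pulls the Main Mode failures out of the Security log. The event IDs 4652 and 4653 used for that filter are an assumption (the Main Mode failure events on these builds); adjust them if your log shows different IDs.

```powershell
# Added diagnostic script (not from the original question).
# Assumes Windows 7 / Server 2008 R2, PowerShell 2.0, elevated prompt.

# 1. Services the boot-time filter hands off to. Win32_Service is used because
#    Get-Service on PS 2.0 does not expose the start mode.
$services = 'BFE', 'MpsSvc', 'IKEEXT', 'PolicyAgent'
$filter   = ($services | ForEach-Object { "Name='$_'" }) -join ' OR '
Get-WmiObject -Class Win32_Service -Filter $filter |
    Select-Object Name, State, StartMode, ProcessId |
    Format-Table -AutoSize

# 2. Active profile, global IPsec settings and any established Main Mode SAs.
#    An empty SA list while peers are trying to connect matches the question's symptom.
netsh advfirewall show currentprofile
netsh advfirewall show global
netsh advfirewall monitor show mmsa

# 3. Enable failure auditing for IPsec negotiation and WFP packet drops.
#    These subcategories are what produce the "Keying Module / Failure Reason" events.
auditpol /set /subcategory:"IPsec Main Mode"     /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode"    /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /get /category:"Logon/Logoff"

# 4. Main Mode failures since the last boot, reduced to the fields quoted in the question.
#    Event IDs 4652/4653 are assumed to be the Main Mode failure events on this build.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

function Get-Field([string]$Message, [string]$Name) {
    # Pull "Name:   value" out of the multi-line event message.
    $m = [regex]::Match($Message, "$Name`:\s+(.+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653; StartTime = $boot } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Role   = Get-Field $_.Message 'Role'
            Auth   = Get-Field $_.Message 'Authentication Method'
            Point  = Get-Field $_.Message 'Failure Point'
            Reason = Get-Field $_.Message 'Failure Reason'
        }
    } |
    Sort-Object Time |
    Format-Table Time, Id, Role, Auth, Point, Reason -AutoSize
```

If step 1 shows BFE or MpsSvc still starting long after boot, the machine is still under the boot-time filters and nothing the policy says matters yet; a stream of "No policy configured" responder failures in step 4 while the services are already running points instead at the IPsec policy not being applied, which is the second symptom the question describes.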

Best Answer

The registry changes outlined below have allowed the half dozen or so of my servers that they have been applied to so far to boot without issues. While I'm not yet 100% sure that this is a solution (it was about 50/50 whether a server would come up cleanly), it does appear to have helped tremendously. Half a dozen servers with 3+ reboots each are acting normally.

Name: ChainUrlRetrievalTimeoutMilliseconds
Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type: REG_DWORD
Decreasing the amount of time to allow CRL retrieval can significantly improve performance when internet access is poor or non-existent. Setting the value to 200 (milliseconds) may be a reasonable timeout.


Name: ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type: REG_DWORD
Decreasing the amount of time to allow all CRL retrievals can significantly improve performance when internet access is poor or non-existent. Setting the value to 500 (milliseconds) may be a reasonable timeout.

Background, why I think this is a fix

Several servers in our environment were exhibiting problems, when rebooting, with services coming up. These services were mostly related to .NET in one fashion or another. They all came up with 7009 events. Some of the services on our problematic firewall servers also show this event ID. Although a 7009 never came up for the firewall or base filtering service, a timeout during the loading process (especially since it does sometimes load cleanly) seemed like a likely culprit.

These registry settings came from a TechNet blog, Configuring Exchange Servers Without Internet Access.
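The two registry values from the answer, applied and verified with PowerShell. This is an added example, not the answer's own procedure; the 200 ms and 500 ms values are the ones the answer suggests, and the path is the one it gives. The script records whatever was there before (absent means CryptoAPI's built-in default), writes the values as REG_DWORD, reads them back, and then lists recent 7009 events from the Service Control Manager, since those are the evidence the answer's reasoning rests on. One caveat a practitioner would want on record: the key is machine-wide, so every certificate chain built on the box, not just the one IKE uses, will give up on CRL and AIA retrieval this quickly, which is fine on a server without Internet access but should be noted in the build documentation.

```powershell
# Added example (not from the original answer). Run elevated on Server 2008 R2 / Windows 7.

$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

# Timeouts in milliseconds, as suggested in the answer.
$settings = @{
    'ChainUrlRetrievalTimeoutMilliseconds'                = 200   # one CRL/AIA URL fetch
    'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds' = 500   # all fetches for one chain
}

# The Config key does not exist until something creates it.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Capture the previous state so the change can be reverted, then write each DWORD.
$previous = @{}
foreach ($name in $settings.Keys) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $previous[$name] = $item.$name } else { $previous[$name] = $null }
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

foreach ($name in $previous.Keys) {
    $was = if ($previous[$name] -eq $null) { '<not set>' } else { $previous[$name] }
    "{0}: was {1}, now {2}" -f $name, $was, $settings[$name]
}

# Read back and confirm both values landed with the expected data.
$now = Get-ItemProperty -Path $key
foreach ($name in $settings.Keys) {
    if ($now.$name -ne $settings[$name]) {
        throw "Verification failed for $name (got '$($now.$name)')"
    }
}
"Chain engine timeouts verified under $key"

# Service start timeouts are what the answer attributes the boot problem to;
# 7009 is the Service Control Manager's "timeout waiting for the service to connect" event.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7009 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Reboot after applying the change; the values are read when the chain engine is created, so a running process that already built its chain engine keeps the old timeouts until it restarts. Reverting is a matter of writing the recorded previous values back, or removing the two properties to return to the defaults.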