Troubleshooting IPsec Communications
Original instructions
Debugging Connections
Debug the IPsec connections:
Step 1: Type MMC in the Run menu to start the Microsoft Management Console.
Step 2: Select Add/Remove Snap-in from the File menu.
Step 3: Add these snap-ins:
  • IP Security Monitor: View the details of the active security associations (main mode and quick mode).
  • Windows Firewall with Advanced Security on Local Computer: View these items:
    • Connection Security Rules: The rule that the script created for the BMENOC0301/11.
    • Properties: Right-click the root node to view the global firewall and IPsec settings.
NOTE: Many of the settings that the script configures can be changed here. Some settings can only be changed with netsh advfirewall commands.
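The information the two snap-ins display can also be read from the command line, which is easier to paste into a support ticket. The following PowerShell is an added example and is not part of the Schneider documentation or of the configuration script the page refers to. It assumes Windows 10 (NetSecurity module); the address in $pac is a placeholder for the BMENOC0301/11 address entered in the DTM. The netsh commands at the end give the same view on Windows 7, where the NetSecurity cmdlets are not available.

```powershell
# Added example: command-line equivalent of the IP Security Monitor and
# Connection Security Rules views. Run in an elevated PowerShell on Windows 10.
$pac = '192.168.10.2'   # placeholder: IP address of the BMENOC0301/11 from the DTM

# Connection security rules currently in force, with the endpoints and the
# quick-mode crypto set (PFS group) each rule references.
Get-NetIPsecRule -PolicyStore ActiveStore | ForEach-Object {
    $addr = Get-NetFirewallAddressFilter     -AssociatedNetIPsecRule $_
    $qm   = Get-NetIPsecQuickModeCryptoSet   -AssociatedNetIPsecRule $_
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Mode          = $_.Mode
        LocalAddress  = (@($addr.LocalAddress)  -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
        PFSGroup      = $qm.PerfectForwardSecrecyGroup
    }
} | Format-Table -AutoSize

# Active security associations with the module. A main-mode SA means IKE
# phase 1 completed (the pre-shared key was accepted); a quick-mode SA means
# ESP/AH traffic to the module can actually flow.
"Main-mode SAs with $pac"
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $pac } | Format-List
"Quick-mode SAs with $pac"
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $pac } | Format-List

# Windows 7 (no NetSecurity module), or when a netsh listing is preferred:
netsh advfirewall consec show rule name=all     # connection security rules
netsh advfirewall monitor show mmsa             # main-mode SAs
netsh advfirewall monitor show qmsa             # quick-mode SAs
netsh advfirewall show global                   # the global settings behind Properties
```

If the main-mode list is empty while the quick-mode list is also empty, IKE never completed: check the pre-shared key and the module address before looking at anything else. A main-mode SA with no quick-mode SA points at a quick-mode mismatch such as Perfect Forward Secrecy.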
Facilitate IPsec Communications
Use these solutions to facilitate communications when IPsec is enabled:
Behaviour: There is no communication with the BMENOC0301/11 when IPsec is enabled on the Windows 7 or Windows 10 PC.
  Reason: The IPsec Policy Agent service is not running on the PC.
  Solution: Configure the IPsec Policy Agent service to start automatically on the PC (see Configure the Service to Start Automatically).
  Reason: IPsec is not enabled on the BMENOC0301/11.
  Solution: Enable IPsec on the Security tab of the BMENOC0301/11 DTM.
  Reason: IPsec is not configured properly in Windows.
  Solution: Confirm that the parameters in the Windows configuration match those in the IPsec implementation:
    • Double-check the pre-shared key.
    • Double-check the IP address of the BMENOC0301/11 in the DTM.
    • Disable Perfect Forward Secrecy for both communication endpoints in Windows.

Behaviour: Control Expert cannot connect to the BMENOC0301/11 via Ethernet.
  Reason: IPsec is not enabled on both the BMENOC0301/11 and the Windows PC.
  Solution: Verify that IPsec is enabled in both the DTM configuration and the Windows Local Security Policy.
  Reason: IPsec is not configured properly in Windows.
  Solution: Confirm that the parameters in the Windows configuration match those in the IPsec implementation:
    • Double-check the pre-shared key.
    • Double-check the IP address of the BMENOC0301/11 in the DTM.
    • Disable Perfect Forward Secrecy for both communication endpoints in Windows.
  Reason: The power to the BMENOC0301/11 was recently cycled, so Windows still holds security associations that the module no longer knows.
  Solution: Choose one:
    • Wait 5 minutes for the Windows security associations to time out.
    • Unassign, then reassign the local security policy in Windows to force the security associations to be reset.

Behaviour: The firmware update tool cannot connect to the BMENOC0301/11 via Ethernet.
  Reason: IPsec is not enabled on both the BMENOC0301/11 and the Windows PC.
  Solution: Verify that IPsec is enabled in both the DTM configuration and the Windows Local Security Policy.
  Reason: IPsec is not configured properly in Windows.
  Solution: Confirm that the parameters in the Windows configuration match those in the IPsec implementation:
    • Double-check the pre-shared key.
    • Double-check the IP address of the BMENOC0301/11 in the DTM.
    • Disable Perfect Forward Secrecy for both communication endpoints in Windows.
  Reason: The power to the BMENOC0301/11 was recently cycled, so Windows still holds security associations that the module no longer knows.
  Solution: Choose one:
    • Wait 5 minutes for the Windows security associations to time out.
    • Unassign, then reassign the local security policy in Windows to force the security associations to be reset.
  Reason: IKE or IPsec traffic is blocked by a firewall, including the firewall component of an antivirus suite.
  Solution: Verify that the following traffic is allowed on every firewall between the PC application and the PAC, including firewalls that belong to antivirus applications (such as McAfee or Symantec):
    • IKE: UDP port 500 (and UDP port 4500 if NAT traversal is in use).
    • Authentication Header (AH): IP protocol 51.
    • Encapsulating Security Payload (ESP): IP protocol 50.
  NOTE: AH and ESP are IP protocol numbers, not TCP or UDP ports. A firewall rule that opens "port 50" or "port 51" does not pass IPsec traffic; the rule must allow the IP protocol itself.
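Most of the causes in the table can be checked on the PC before anything is touched in the DTM. The following PowerShell is an added example, not Schneider code: it tests each cause against the live host and prints what to fix. It assumes Windows 10 with the NetSecurity module and an elevated prompt; $pac is a placeholder for the module address from the DTM, and Reset-PacSA and Add-PacFirewallRules are helper names chosen here. The firewall check looks only at Windows Firewall rules; a third-party firewall has to be checked in its own console, as the table says.

```powershell
# Added example: check the table's causes on the Windows host. Windows 10, elevated.
$pac      = '192.168.10.2'   # placeholder: BMENOC0301/11 address entered in the DTM
$findings = New-Object System.Collections.Generic.List[string]

# 1. Services: PolicyAgent (IPsec Policy Agent), IKEEXT (runs the IKE negotiation)
#    and BFE (Base Filtering Engine, which both of them rely on).
foreach ($name in 'BFE', 'IKEEXT', 'PolicyAgent') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add("service $name not present"); continue }
    if ($svc.Status -ne 'Running') {
        $findings.Add("service $name is $($svc.Status): set it to Automatic and start it")
    }
}

# 2. A connection security rule must name the module as remote endpoint, and its
#    quick-mode crypto set must have PFS disabled (the module does not negotiate PFS).
$covering = foreach ($rule in Get-NetIPsecRule -PolicyStore ActiveStore) {
    $addr = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $rule
    # exact match only: a rule written as a subnet needs a manual look
    if (@($addr.RemoteAddress) -contains $pac -or @($addr.RemoteAddress) -contains 'Any') { $rule }
}
if (-not $covering) {
    $findings.Add("no connection security rule has $pac as remote address: compare with the IP address in the DTM")
}
foreach ($rule in $covering) {
    if ("$($rule.Enabled)" -ne 'True') { $findings.Add("rule '$($rule.DisplayName)' is disabled") }
    $qm = Get-NetIPsecQuickModeCryptoSet -AssociatedNetIPsecRule $rule
    if ("$($qm.PerfectForwardSecrecyGroup)" -ne 'None') {
        $findings.Add("rule '$($rule.DisplayName)' uses PFS group $($qm.PerfectForwardSecrecyGroup): set it to None")
    }
}

# 3. Windows Firewall: IKE is UDP 500 (UDP 4500 with NAT traversal); AH and ESP are
#    IP protocols 51 and 50, not ports. Reports whether an explicit inbound allow
#    rule exists for each; third-party firewalls are outside what this can see.
$ports = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action Allow -Direction Inbound |
         Get-NetFirewallPortFilter
$ike = $ports | Where-Object { $_.Protocol -eq 'UDP' -and (@($_.LocalPort) -contains '500' -or @($_.LocalPort) -contains 'Any') }
$esp = $ports | Where-Object { $_.Protocol -eq '50' -or $_.Protocol -eq 'Any' }
$ah  = $ports | Where-Object { $_.Protocol -eq '51' -or $_.Protocol -eq 'Any' }
if (-not $ike) { $findings.Add('no explicit inbound Windows Firewall allow rule for IKE (UDP 500)') }
if (-not $esp) { $findings.Add('no explicit inbound Windows Firewall allow rule for ESP (IP protocol 50)') }
if (-not $ah)  { $findings.Add('no explicit inbound Windows Firewall allow rule for AH (IP protocol 51)') }

# Helper (name chosen here): allow IKE, ESP and AH from the module in Windows Firewall.
function Add-PacFirewallRules {
    param([string]$Remote)
    New-NetFirewallRule -DisplayName 'BMENOC IKE' -Direction Inbound -Protocol UDP -LocalPort 500 -RemoteAddress $Remote -Action Allow
    New-NetFirewallRule -DisplayName 'BMENOC ESP' -Direction Inbound -Protocol 50 -RemoteAddress $Remote -Action Allow
    New-NetFirewallRule -DisplayName 'BMENOC AH'  -Direction Inbound -Protocol 51 -RemoteAddress $Remote -Action Allow
}

# 4. After the module was power-cycled: drop the stale SAs instead of waiting
#    5 minutes or reassigning the policy. Helper name chosen here.
function Reset-PacSA {
    param([string]$Remote)
    Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Remote } | Remove-NetIPsecQuickModeSA
    Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Remote } | Remove-NetIPsecMainModeSA
}

if ($findings.Count -eq 0) {
    "No configuration problem found. If traffic still fails after a power cycle, run: Reset-PacSA -Remote $pac"
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

The pre-shared key cannot be read back from Windows, so a wrong key shows up only as a missing main-mode SA with the module; re-enter it on both sides rather than trying to compare.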
Configure the Service to Start Automatically
The IPsec Policy Agent is not running if Windows reports "The service cannot be started ...." In that case, configure the service to start automatically:
Step 1: In Windows 7 or Windows 10, expand (+) Administrative Tools.
Step 2: Double-click Services to open the list of local services.
Step 3: Double-click IPsec Policy Agent to open its properties.
Step 4: Select the General tab.
Step 5: In the Startup type pull-down menu, select Automatic.
Step 6: Under Service status, click Start.
NOTE: When Start is greyed out, the service is already running.
Step 7: Click OK to apply the changes and close the window.
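The same procedure from an elevated PowerShell, as an added example rather than Schneider's own instructions. It assumes Windows 10; PolicyAgent is the service name behind the "IPsec Policy Agent" display name. Because "The service cannot be started" is also what Windows reports when a service the agent depends on is disabled, the example lists disabled dependencies instead of silently failing, and it treats IKEEXT the same way, since IKE negotiation runs there.

```powershell
# Added example: set the IPsec Policy Agent (and IKEEXT) to Automatic and start them.
# Run elevated on Windows 10.

# Helper (name chosen here): names of services that $Name depends on but are Disabled.
# Start-Service fails with "cannot be started" while any of these is disabled.
function Get-DisabledDependency {
    param([string]$Name)
    (Get-Service -Name $Name).ServicesDependedOn |
        Where-Object { $_.StartType -eq 'Disabled' } |
        Select-Object -ExpandProperty Name
}

foreach ($name in 'PolicyAgent', 'IKEEXT') {
    $blocked = Get-DisabledDependency -Name $name
    if ($blocked) {
        "$name cannot start: dependency disabled: $($blocked -join ', ')"
        continue
    }
    Set-Service -Name $name -StartupType Automatic        # Startup type: Automatic
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') {                      # Service status: Start
        Start-Service -Name $name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    Get-Service -Name $name | Select-Object Name, StartType, Status
}
```

If a dependency is reported as disabled, re-enable it in the Services console (or with Set-Service -StartupType Automatic) and rerun; the block deliberately does not change startup types of dependencies itself, because some are drivers with boot-time start types.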
NOTE: When you enable IPsec, the DTM automatically disables the backplane Ethernet port on the BMENOC0301/11. This isolates the IPsec network (control room network) from the device network.