Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: "0xc0360007 (STATUS_IPSEC_CLEAR_TEXT_DROP)" error when you try to access the internal IP address of a Forefront TMG 2010 server through an IPsec site-to-site network

FIX: "0xc0360007 (STATUS_IPSEC_CLEAR_TEXT_DROP)" error when you try to access the internal IP address of a Forefront TMG 2010 server through an IPsec site-to-site network

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You configure a Microsoft Forefront Threat Management Gateway (TMG) 2010 server as an IPsec site-to-site tunnel endpoint. 
  • You establish the IPsec tunnel, and then clients access resources on both sides of the VPN tunnel. 
  • You try to access the internal IP address of the Forefront TMG 2010 server by using a client on the remote network of the endpoint.
In this scenario, traffic to the internal IP address of the Forefront TMG server is dropped by IPsec. Additionally, the IPsec driver logs the following error for dropped packets:
0xc0360007 (STATUS_IPSEC_CLEAR_TEXT_DROP)

↑ Back to the top

Cause

This issue occurs because the IPsec security context for the locally destined packet is removed before it is evaluated by the incoming transport layer.

↑ Back to the top

Resolution

To resolve this issue, follow these steps:
  1. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
    2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
  2. Make sure that the packets are not dropped by running the following command at a command prompt on each Forefront TMG server:
    netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=1 persistent
    Note To revert to the default settings, run the following command:
    netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=0 persistent

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbqfe, kbfix, kbsurveynew, kbexpertiseinter, kb

↑ Back to the top

Article Info
Article ID : 2502685
Revision : 1
Created on : 3/21/2017
Published on : 2/25/2011
Exists online : False
Views : 150