FIX: An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010

View products that this article applies to.

Symptoms

An IPSec site-to-site connection to a third-party remote IPSec tunnel endpoint fails and an incorrect key lifetime value is used for the Internet Protocol Security (IPsec) Main Mode in Microsoft Forefront Threat Management Gateway (TMG) 2010.

↑ Back to the top

Cause

TMG uses a hardcoded value for IPsec Main Mode lifetime setting of an IPSec Security Association. This problem occurs because TMG does not correctly handle the value that you enter in the Authenticate and generate a new key every xxx seconds setting for Main Mode (Phase I).

Although you can configure a custom value for the Authenticate and generate a new key every xxx seconds setting, TMG ignores this setting and uses a value of 7200 instead. Therefore, IPSec tunnel mode connections may fail.

↑ Back to the top

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway 2010 Service Pack 2.

↑ Back to the top

Workaround

To work around this problem, change the configuration of the remote tunnel endpoint to match the value of 7200 seconds for Main Mode on the TMG server.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: kbnotautohotfix, kbqfe, kbfix, kbexpertiseinter, kbbug, kbsurveynew, kb

↑ Back to the top

Article Info

Article ID	:	2932469
Revision	:	1
Created on	:	1/7/2017
Published on	:	6/17/2015
Exists online	:	False
Views	:	300

Microsoft KB Archive Search

FIX: An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010

Symptoms

Cause

Resolution

Workaround

Status

References

Applies to: