Problem with GPO



  • We are routing through a pfSense machine. Everything works fine. The only thing is that we get errors when we log in with Windows XP clients on our Windows 2008 R2 servers. A couple of times there is no problem with login, but after 3 or 4 times the login is very slow. In the Windows XP event log we get the following errors:

    Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine

    Windows cannot bind to ***.local domain. (Local Error). Group Policy processing aborted.

    The Security System could not establish a secured connection with the server ldap/..local/.local@.LOCAL.  No authentication protocol was available.

    The Security System detected an attempted downgrade attack for server ldap/..local/.local@.LOCAL.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

    The Security System could not establish a secured connection with the server ldap/..local/.local@.LOCAL.  No authentication protocol was available.

    The Security System detected an attempted downgrade attack for server ldap/..local/.local@.LOCAL.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

    The problem only exists when we route over 2 different VLANs (with different subnets) (user net to server net), with all protocols enabled (via the rule settings). When the workstation is in the same VLAN there is no problem.

    Does anyone know a solution?



  • I'm having the same issue (using IPsec though). Looks like this is a UDP fragmentation issue.



  • Just to keep you updated: In my case, disabling the scrubbing function did the trick.
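As an added triage example (not code from the thread, from Microsoft or from the pfSense project), the Python script below classifies the Windows XP event messages quoted above, using constructed copies with a placeholder `example.local` domain, and works out how many IPv4 fragments a Kerberos KDC reply of a given size becomes at a given MTU, which is the mechanism the replies point at. The function names, the sample strings and the reply sizes are assumptions made for this example; the NTSTATUS value 0xC000005E is the documented Windows constant STATUS_NO_LOGON_SERVERS.

```python
"""Triage helper for the Group Policy / Kerberos event pattern discussed in the thread.

Constructed example: the event strings below mimic the Windows XP messages quoted
in the thread with placeholder names; nothing here is captured from a real host.
"""
import math
import re
from dataclasses import dataclass, field

IPV4_HEADER = 20  # bytes, no IP options
UDP_HEADER = 8    # bytes

# Documented Windows NTSTATUS constant quoted in the thread's events.
NTSTATUS_NAMES = {0xC000005E: "STATUS_NO_LOGON_SERVERS"}

# Matches the "attempted downgrade attack" event and pulls out SPN, protocol and code.
_DOWNGRADE_RE = re.compile(
    r"detected an attempted downgrade attack for server (?P<spn>\S+)\.\s+"
    r"The failure code from authentication protocol (?P<proto>\w+) was "
    r"\"(?P<reason>.*?)\s*\((?P<code>0x[0-9a-fA-F]{8})\)\"",
    re.DOTALL,
)


@dataclass
class Finding:
    kind: str
    detail: dict = field(default_factory=dict)


def classify_event(text: str) -> Finding:
    """Map one event description to a coarse category with parsed fields."""
    m = _DOWNGRADE_RE.search(text)
    if m:
        code = int(m.group("code"), 16)
        return Finding("kerberos_downgrade", {
            "spn": m.group("spn"), "protocol": m.group("proto"),
            "code": code, "name": NTSTATUS_NAMES.get(code, "unknown"),
        })
    if "could not establish a secured connection" in text:
        return Finding("no_auth_protocol")
    if "cannot bind to" in text and "Group Policy processing aborted" in text:
        return Finding("gpo_bind_failed")
    if "cannot query for the list of Group Policy objects" in text:
        return Finding("gpo_query_failed")
    return Finding("other")


def triage(events: list[str]) -> dict:
    """Summarise a batch of events.

    The "downgrade attack" wording sounds alarming, but paired with
    STATUS_NO_LOGON_SERVERS it means the client could not finish a Kerberos
    exchange with any KDC and fell back to a weaker protocol, which is what a
    dropped or unreassembled UDP fragment on the path produces."""
    findings = [classify_event(e) for e in events]
    kinds = {f.kind for f in findings}
    no_logon = [f for f in findings
                if f.kind == "kerberos_downgrade" and f.detail["code"] == 0xC000005E]
    if no_logon and "no_auth_protocol" in kinds:
        verdict = "kdc_unreachable_suspect_udp_fragmentation"
    elif "kerberos_downgrade" in kinds:
        verdict = "kerberos_failure_other_code"
    elif kinds & {"gpo_bind_failed", "gpo_query_failed"}:
        verdict = "gpo_failure_no_kerberos_detail"
    else:
        verdict = "no_match"
    return {"verdict": verdict, "kinds": sorted(kinds), "downgrade_events": len(no_logon)}


def ipv4_fragments(udp_payload_len: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments one UDP datagram of this payload size needs on a
    link with the given MTU. Non-final fragment payloads must be multiples of 8."""
    datagram = udp_payload_len + UDP_HEADER
    per_fragment = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil(datagram / per_fragment)


def kerberos_reply_fragments(reply_len: int, path_mtus: list[int]) -> dict:
    """Fragment count of a KDC reply of reply_len bytes for each hop MTU. Anything
    above 1 means a device on the path that drops fragments or mishandles
    reassembly can silently break the exchange, as seen across the VLAN route."""
    return {mtu: ipv4_fragments(reply_len, mtu) for mtu in path_mtus}


# Constructed sample events (placeholder domain, not from any real host).
SAMPLE_EVENTS = [
    "Windows cannot query for the list of Group Policy objects. A message that "
    "describes the reason for this was previously logged by the policy engine",
    "Windows cannot bind to example.local domain. (Local Error). Group Policy processing aborted.",
    "The Security System could not establish a secured connection with the server "
    "ldap/dc1.example.local/example.local@EXAMPLE.LOCAL.  No authentication protocol was available.",
    "The Security System detected an attempted downgrade attack for server "
    "ldap/dc1.example.local/example.local@EXAMPLE.LOCAL.  The failure code from "
    "authentication protocol Kerberos was \"There are currently no logon servers "
    "available to service the logon request. (0xc000005e)\".",
]


def run_demo():
    report = triage(SAMPLE_EVENTS)
    # A 1600-byte reply (assumed size; a PAC-bearing ticket can reach this) at MTU 1500.
    frags = kerberos_reply_fragments(1600, [1500, 1400, 9000])
    return report, frags


if __name__ == "__main__":
    print(run_demo())
```

Run the script directly to see the verdict for the sample batch and the fragment counts; the fragment table is the quick check to make before touching firewall settings, since a reply that needs more than one fragment is exactly what fragment handling on the router (scrub in the case above) decides the fate of.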

