Problem with GPO
-
We are routing through a pfSense machine. Everything works fine. The only thing is that we are getting errors when we log in with Windows XP clients on our Windows 2008 R2 servers. A couple of times there is no problem with login, but after 3 or 4 times the login is very slow. In the Windows XP event log we've got the following errors:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine
Windows cannot bind to ***.local domain. (Local Error). Group Policy processing aborted.
The Security System could not establish a secured connection with the server ldap/..local/.local@.LOCAL. No authentication protocol was available.
The Security System detected an attempted downgrade attack for server ldap/..local/.local@.LOCAL. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".
The Security System could not establish a secured connection with the server ldap/..local/.local@.LOCAL. No authentication protocol was available.
The Security System detected an attempted downgrade attack for server ldap/..local/.local@.LOCAL. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".
The problem only exists when we route between 2 different VLANs (with different subnets) (user net to server net), with all protocols enabled (via rules setting). When the workstation is in the same VLAN there is no problem.
Does anyone know a solution?
-
I'm having the same issue (using IPsec though). Looks like this is a UDP fragmentation issue.
-
Just to keep you updated: In my case, disabling the scrubbing function did the trick.