Wednesday, June 16, 2010

Event 7023 - Only one usage of each socket address (protocol/network address/port) is normally permitted.

If you ever encounter this odd event ID, in either of the two variants below:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 16/06/2010
Time: 19:47:47
User: N/A
Computer: MIB-SBS2003
Description:
The Internet Authentication Service service terminated with the following error:
Only one usage of each socket address (protocol/network address/port) is normally permitted.

or


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 16/06/2010
Time: 19:47:47
User: N/A
Computer: MIB-SBS2003
Description:
The IPSEC Services service terminated with the following error:
Only one usage of each socket address (protocol/network address/port) is normally permitted.

The second one in particular is very unpleasant! If the IPSEC Services service fails to start, the server runs in Block mode, which blocks all network connectivity to the server.

This all seems to be caused by the Windows Security Update MS08-037, the DNS update that changes how the DNS server allocates its UDP source ports.

Excerpt from the SBS team blog post at http://blogs.technet.com/b/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx:

The update changes the way the DNS server allocates the UDP source port for DNS queries. On an SBS server by default we set the MaxUserPort value in the registry to 60000 or 65536, depending on the version of SBS. The MaxUserPort value causes the DNS server to pick UDP source ports in the range of 1024 to 60000, or 65536. The MaxUserPort is set on the SBS server by Exchange and ISA server. DNS by default will randomly pick 2500 ports when the service starts up. A port conflict will occur if the DNS server allocates a port that is required by another service, and that service will fail once it requests that static UDP port. So far we have seen issues with AUTD, IPSEC, and IAS, but there may be other services that will have a conflict.

The ReservedPorts registry key can be used to exclude ports from the pool the DNS server uses. The ReservedPorts registry key is described in KB 812873, "How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server".

Here is the list of ports for which we have seen conflicts with services on the machine.

  • 1645-1646 - Used by IAS
  • 1701-1701 - Used by L2TP
  • 1812-1813 - Used by IAS
  • 2883-2883 - Used by AUTD
  • 4500-4500 - Used by IPSEC

For now we are suggesting customers be proactive and modify the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

We suggest you add these port numbers to the current values set in the ReservedPorts registry key. Do not replace the values currently there with these values, but simply add these additional values.
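The merge the excerpt describes (append the five ranges, keep whatever is already in ReservedPorts), as an added PowerShell example written for this post rather than taken from the SBS team's article. It assumes the key path quoted above and the "start-end" format of the existing entries; it prints the before and after values so the change can be reviewed, and is safe to re-run because ranges already present are not duplicated.

```powershell
# Added example: merge the port ranges from the SBS post into the existing
# ReservedPorts REG_MULTI_SZ value without discarding the current entries.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'ReservedPorts'

# Ranges listed in the post. ReservedPorts expects one "start-end" string per entry,
# and a single port is written as "port-port" (e.g. 4500-4500 for IPSEC NAT-T).
$RangesToAdd = @('1645-1646', '1701-1701', '1812-1813', '2883-2883', '4500-4500')

# Read the current value; it may not exist yet, so do not treat that as an error.
$existing = @()
$current  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $current) {
    # Cast to [string[]] so a single-entry value is still handled as an array.
    $existing = @([string[]]$current.$ValueName | Where-Object { $_ -ne '' })
}

# Append only the ranges that are not already reserved (idempotent merge).
$merged = @($existing)
foreach ($range in $RangesToAdd) {
    if ($merged -notcontains $range) {
        $merged += $range
    }
}

# Show what will change before touching the registry.
Write-Host ("Existing ReservedPorts : " + ($existing -join ', '))
Write-Host ("Resulting ReservedPorts: " + ($merged   -join ', '))

# REG_MULTI_SZ is written as MultiString; create the value if it is absent.
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
                     -Value $merged | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Type MultiString -Value $merged
}
```

Run it from an elevated prompt, then restart the server: the excerpt notes the DNS server picks its 2500 ports at service start-up, so the reduced pool only applies once it starts again.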