Tuesday, October 20, 2009

Replaced router and received LsaSrv errors 40960 and 40961

We replaced a Cisco router at a remote branch for one of our clients. After the swap, basic network connectivity was there, but certain types of traffic were not getting through, Kerberos authentication being one of them. The Windows boxes on that network were logging the following LsaSrv warnings:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System detected an attempted downgrade attack for server cifs/domaincontroller.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".



Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System could not establish a secured connection with the server cifs/domaincontroller.domain.local. No authentication protocol was available.
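The two warnings above are the symptom to look for after a network change like this one: 40960 reports that Kerberos failed with 0xc000005e (STATUS_NO_LOGON_SERVERS, meaning the client could not reach any domain controller acting as KDC), and 40961 follows because SPNEGO then has no authentication protocol left to negotiate for that server. The Python below is an added example, not code from the original post: it parses the Event Viewer text export format shown above, pairs 40960/40961 warnings per client and service principal, and lists the hosts whose Kerberos failures need a reachability check. The sample input is the post's two events embedded as a constructed string; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two LsaSrv warnings quoted in the post, in the
# plain-text form Event Viewer produces when you copy an event's details.
SAMPLE_EVENTS = """\
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System detected an attempted downgrade attack for server cifs/domaincontroller.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System could not establish a secured connection with the server cifs/domaincontroller.domain.local. No authentication protocol was available.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): (.*)$")
# service/host SPN as it appears in the description; the trailing sentence
# period is not consumed because each DNS label must start after a dot
SPN_RE = re.compile(r"server ([A-Za-z]+/[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)")
CODE_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")

# NTSTATUS codes quoted in these warnings; 0xc000005e is the one in the post.
KNOWN_CODES = {"0xc000005e": "STATUS_NO_LOGON_SERVERS"}


def parse_events(text):
    """Split an Event Viewer text export into records.

    Each record holds the header fields plus 'Description', 'spn' (the
    service principal named in the description) and 'code' (the hex
    NTSTATUS value, if one is quoted).
    """
    events, current, in_desc = [], None, False
    for line in text.splitlines():
        if line.startswith("Event Type:"):       # a new record begins
            if current:
                events.append(_finish(current))
            current, in_desc = {}, False
        if current is None:
            continue
        if in_desc:                              # description may span lines
            if line.strip():
                current["Description"] += " " + line.strip()
            continue
        if line.strip() == "Description:":
            in_desc, current["Description"] = True, ""
            continue
        m = HEADER_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        events.append(_finish(current))
    return events


def _finish(rec):
    desc = rec.get("Description", "").strip()
    rec["Description"] = desc
    m = SPN_RE.search(desc)
    rec["spn"] = m.group(1) if m else None
    m = CODE_RE.search(desc)
    rec["code"] = m.group(1).lower() if m else None
    return rec


def kerberos_failures(events):
    """Group LSASRV 40960/40961 warnings by (client, SPN).

    A 40960 carrying STATUS_NO_LOGON_SERVERS paired with a 40961 for the
    same SPN is the signature in the post: the client can see the file
    server but cannot reach a KDC, so SPNEGO has nothing to negotiate.
    """
    out = defaultdict(lambda: {"ids": set(), "codes": {}})
    for e in events:
        if e.get("Event Source") != "LSASRV":
            continue
        try:
            eid = int(e.get("Event ID", "0"))
        except ValueError:
            continue
        if eid not in (40960, 40961):
            continue
        key = (e.get("Computer"), e.get("spn"))
        out[key]["ids"].add(eid)
        if e["code"]:
            out[key]["codes"][e["code"]] = KNOWN_CODES.get(e["code"], "unknown NTSTATUS")
    return dict(out)


def no_logon_server_hosts(events):
    """Hosts from SPNs whose Kerberos request found no logon server: the
    list to verify (ARP, routing, port 88 to the DCs) after a network change."""
    hosts = set()
    for (_computer, spn), info in kerberos_failures(events).items():
        if spn and "0xc000005e" in info["codes"]:
            hosts.add(spn.split("/", 1)[1])
    return sorted(hosts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for key, info in kerberos_failures(evs).items():
        print(key, sorted(info["ids"]), info["codes"])
    print("Hosts to check:", no_logon_server_hosts(evs))
```

Run on the sample it reports the one client/SPN pair with both event IDs and names domaincontroller.domain.local as the host whose path from the branch needs checking, which is exactly where the proxy-ARP setting on the new router turned out to matter.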



My colleague Jason resolved the problem by enabling ip proxy-arp on the VLAN 1 interface on the new router. Usually under Cisco best practices you need to disable ip proxy-arp. Here is the config that was causing the errors:

!
interface Vlan1
 ip address X.X.X.X 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!

To enable IP proxy-arp on VLAN 1 use the following commands:

!
interface Vlan1
 ip proxy-arp
!

You will need to be in privileged EXEC mode (enable) and then global configuration mode (conf t) on the Cisco router before entering the interface commands.

For more information on proxy-arp see:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml
