TWFarrington
asked on
Repeating Event IDs 5152 and 5157
Hi All,
I am receiving repeating Audit Failures on my laptop every few seconds to every few minutes, tens of thousands of entries every few days.
I read that this was related to the Windows firewall and here are some troubleshooting steps I have already tried.
* Uninstalled Symantec Enterprise Security.
* Disabled my wireless network (connected physically though)
* Set up wired connection to use DHCP to ensure that my settings weren't in error (was static IP)
* Disabled Windows Firewall
My machine seems to be the only machine on the network generating these errors and I would like to have a solution. Point of note, I installed SpiceWorks on my laptop as a trial a couple weeks ago. Have since uninstalled and moved the installation to a server. Not sure if this is related to SpiceWorks at all, but figured I would throw it out there.
Thanks in advance.
Tom
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 968
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0
Filter Information:
Filter Run-Time ID: 355794
Layer Name: Receive/Accept
Layer Run-Time ID: 44
-------------------------------------
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 968
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 355794
Layer Name: Receive/Accept
Layer Run-Time ID: 44
ASKER
Hi Lester,
Thanks for the response. Help me understand please ... I have disabled the firewall and uninstalled Symantec, why would I still get this message?
Thanks,
Tom
If it's not Firewall, then it looks like it's coming from your audit policies.
Try to run the following commands from the command line:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success: disable /failure:disable
This will hopefully stop the messages occurring.
Sorry I left a space in the second line.
Let's try again
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
You should get a response "The command was successfully executed." when running each line.
ASKER
Thanks for those commands. I am not looking to just shut them off, I am trying to identify and resolve what is causing them.
ASKER CERTIFIED SOLUTION
ASKER
Lester,
Thank you! I only have one DHCP server on the LAN, however the wireless network has its own (but not interfaced with the network). We have a VPN, but that uses the DHCP on the server.
All equipment is static IP with two exceptions, one is the rare event we have a guest which plugs into our network and the other is Dell iDrac on one of the servers.
We do have a Web filter which is accessed via proxy (as well as inline) to access the internet.
I'm not sure if I should be looking for equipment which would be searching for a DHCP address (which if it gets a lease, I would think any searching would stop), or if I should be looking for a second DHCP server on the network ... or maybe an IP misconfiguration.
Thank you for your help!
Tom
ASKER
Follow up questions not addressed.
Was this matter ever fully exhausted? I have this same recent influx of hundreds of thousands of 5152 & 5157, on only one of our two domain controllers.
From my research, sifting through event logs and wireshark logs, I have a hunch that a few of these services below are the culprits:
DropBox on port 17500
GoogleDrive
Bonjour
XSan on myriad ports
On the one hand, the packet failures are a success if you view it in terms of a protection mechanism, but I am more interested in pin-pointing root cause to understand exactly what is filling my event logs to the brim. And I am not satisfied with the idea of the audit disable route.
I am eager to hear where this went. Thank you!
Based on the frequency of the report, as well as the source address and destination address, I'd say that Windows Firewall is blocking NetBIOS broadcasts.
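Both askers in this thread wanted to find what is generating the 5152/5157 flood rather than turn the audit subcategories off. The following is an added example (not posted by anyone in the thread) showing how to do that triage from an elevated PowerShell session on Windows 7 / Server 2008 R2 or later: confirm which audit subcategories are on, flatten the Security-log events into objects and rank the repeating (application, 5-tuple, filter) combinations, then resolve the Filter Run-Time ID quoted in the events (355794, taken from the thread) to the actual WFP filter that dropped the traffic. The EventData field names (Application, Direction, SourceAddress, DestAddress, FilterRTID and so on) are the ones Windows uses for these two event IDs; the XML element names under wfpdiag/filters/item are those written by netsh wfp show filters, and the two lookup tables and the helper function are this example's own.

```powershell
# Added example, not part of the original thread.
# Triage WFP audit failures (5152 packet drop, 5157 connection blocked)
# instead of silencing them with auditpol. Run elevated (Security log and
# netsh wfp both need admin). Tested syntax is PowerShell 3+.

$FilterRtidOfInterest = 355794   # Filter Run-Time ID copied from the events in the thread

# 1. Confirm which audit subcategories are emitting the events.
#    These are controlled by audit policy, so they fire even with the
#    Windows Firewall profiles turned off.
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. Pull the recent events and flatten EventData into objects.
#    %%14592 / %%14593 are the resource strings WFP logs for Direction.
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocolNames  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }   # IANA protocol numbers

function Resolve-Name ($table, $key) {
    # Helper defined for this example: translate a code when we know it, else pass it through.
    if ($null -ne $key -and $table.ContainsKey($key)) { $table[$key] } else { $key }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } -MaxEvents 20000

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($field in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    [pscustomobject]@{
        Id          = $e.Id
        Application = $data['Application']
        Direction   = Resolve-Name $directionNames $data['Direction']
        Source      = '{0}:{1}' -f $data['SourceAddress'], $data['SourcePort']
        Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
        Protocol    = Resolve-Name $protocolNames $data['Protocol']
        FilterRTID  = $data['FilterRTID']
    }
}

# 3. Rank the repeating combinations. A DHCP client showing up as
#    svchost.exe, UDP 0.0.0.0:68 -> 255.255.255.255:67, will sit at the
#    top of this list on a box like the one in the thread.
$rows |
    Group-Object Id, Application, Direction, Source, Destination, Protocol, FilterRTID |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize -Wrap

# 4. Map the Filter Run-Time ID to the WFP filter that dropped the traffic.
#    Run-time IDs are assigned by the Base Filtering Engine when the filter
#    is added and are not stable across reboots, so resolve them on the live
#    machine while the events are still being produced.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters "file=$dump" | Out-Null

[xml]$filters = Get-Content -Path $dump
$filters.wfpdiag.filters.item |
    Where-Object { [int]$_.filterId -eq $FilterRtidOfInterest } |
    Select-Object @{ n = 'Name';     e = { $_.displayData.name } },
                  @{ n = 'Provider'; e = { $_.providerKey } },
                  @{ n = 'Layer';    e = { $_.layerKey } },
                  @{ n = 'Action';   e = { $_.action.type } },
                  filterId |
    Format-List
```

Step 4 is the one that answers "why am I still getting these with the firewall disabled": the providerKey and layerKey of the matching filter tell you whether the block came from the Windows Firewall service, from a boot-time or default filter, or from a third-party filter driver left behind by an uninstalled product, and the grouping in step 3 tells you whether the traffic is this host's own DHCP client or broadcasts arriving from elsewhere on the segment.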