• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 933
  • Last Modified:

Failure Audit 861 Cisco Clean Access Agent

Event Type:      Failure Audit
Event Source:      Security
Event Category:      (5)
Event ID:      861
Date:            8/12/2007
Time:            3:45:11 PM
User:            domain\username
Computer:      HOSTNAME
Description:
The description for Event ID ( 861 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: -, C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe, 400, Z887453, US1, No, No, IPv4, UDP, 1410, No, No.


I'm running into a Failure Audit issue on an XP pro workstation.  Not sure what is going on but it references CCCAgent which is the new Cisco Clean Access Agent that the corporate network requires now for accessing the network.  This failure audit appears approx every 5 seconds and the only difference is UDP grows by one every time.

Every once in a while it will throw out this success audit:

Event Type:      Success Audit
Event Source:      Security
Event Category:      (4)
Event ID:      576
Date:            8/12/2007
Time:            3:44:53 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      HOSTNAME
Description:
The description for Event ID ( 576 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NETWORK SERVICE, NT AUTHORITY, (0x0,0x3E4), SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege.
0
jotetterton
Asked:
jotetterton
  • 2
1 Solution
 
TechM0nsterCommented:
Hi,

This is a problem due to CSA, or clean access is it's called, running in parallel to your windows firewall. Some people would recommend turning off the windows firewall to get rid of this error message, but I wouldn't. This notification is appearing in the security log because "Audit Process Tracking - Failure" is enabled at the domain level (since you're part of the domain, you get the domain policy now).

If you are not part of the domain, you can change this policy setting by going to Start > Run > type gpedit.msc and hit Enter. From there go to Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Audit Policy to change the settings.

In any case, the first event log you indicated above is telling you about attempted access at a specific port - take it up to the IT Department, perhaps they have a corporate application that your windows firewall is blocking?

Tech
0
 
jotettertonAuthor Commented:
TM,

I did some research about this on google and here and tried disabling the firewall and the events persisted.  Any more ideas?  I don't need to reboot after disable the firewall do I?  There is also no third party firewall software on the pc.

Jason
0
 
TechM0nsterCommented:
Hi,

I did some research and apparently the firewall service still works after disabling the firewall. Go to start, run, type services.msc and look for the windows firewall service and internet connection sharing. Set them both to disabled after you stop them both.

Did you try modifying group policy as stated above as well?

Tech
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now