jotetterton

asked on

Failure Audit 861 Cisco Clean Access Agent

Event Type:      Failure Audit
Event Source:      Security
Event Category:      (5)
Event ID:      861
Date:            8/12/2007
Time:            3:45:11 PM
User:            domain\username
Computer:      HOSTNAME
Description:
The description for Event ID ( 861 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: -, C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe, 400, Z887453, US1, No, No, IPv4, UDP, 1410, No, No.


I'm running into a Failure Audit issue on an XP Pro workstation. Not sure what is going on, but it references CCCAgent, which is the new Cisco Clean Access Agent that the corporate network now requires for accessing the network. This failure audit appears approx. every 5 seconds, and the only difference is that UDP grows by one every time.

Every once in a while it will throw out this success audit:

Event Type:      Success Audit
Event Source:      Security
Event Category:      (4)
Event ID:      576
Date:            8/12/2007
Time:            3:44:53 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      HOSTNAME
Description:
The description for Event ID ( 576 ) in Source ( Security ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NETWORK SERVICE, NT AUTHORITY, (0x0,0x3E4), SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege.
TechM0nster

Hi,

This is a problem due to CSA, or Clean Access as it's called, running in parallel to your Windows Firewall. Some people would recommend turning off the Windows Firewall to get rid of this error message, but I wouldn't. This notification is appearing in the security log because "Audit Process Tracking - Failure" is enabled at the domain level (since you're part of the domain, you get the domain policy now).

If you are not part of the domain, you can change this policy setting by going to Start > Run > type gpedit.msc and hit Enter. From there go to Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Audit Policy to change the settings.

In any case, the first event log you indicated above is telling you about attempted access at a specific port. Take it up with the IT Department; perhaps they have a corporate application that your Windows Firewall is blocking?

Tech
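
Added example, not part of the original thread: a Python sketch that names the raw insertion strings of an undecoded event 861 and groups repeated blocked-listener events by process, so the recurring port pattern is visible at a glance. The field order is an assumption taken from the standard Windows Firewall message text for event 861 (which the asker's viewer could not load); the sample descriptions are constructed from the event quoted in the question, with ports 1411 and 1412 made up.

```python
from collections import defaultdict

# Assumed field order, from the standard message text of Security event 861
# ("The Windows Firewall has detected an application listening for incoming traffic").
FIELDS = ["name", "path", "pid", "user", "domain", "service", "rpc_server",
          "ip_version", "protocol", "port", "allowed", "user_notified"]
MARKER = "The following information is part of the event:"

def parse_861(description):
    """Return named fields from an event 861 description shown without its message DLL."""
    if MARKER not in description:
        raise ValueError("no insertion strings in description")
    raw = description.split(MARKER, 1)[1].strip().rstrip(".")
    values = raw.split(", ")
    if len(values) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    # Only the path can contain ", "; the last ten fields are fixed tokens.
    path = ", ".join(values[1:-10])
    rec = dict(zip(FIELDS, [values[0], path] + values[-10:]))
    rec["pid"], rec["port"] = int(rec["pid"]), int(rec["port"])
    return rec

def summarize(descriptions):
    """Group blocked listeners by (path, protocol) and describe their port sequence."""
    groups = defaultdict(list)
    for text in descriptions:
        rec = parse_861(text)
        if rec["allowed"] == "No":
            groups[(rec["path"], rec["protocol"])].append(rec["port"])
    report = {}
    for key, ports in groups.items():
        steps = {b - a for a, b in zip(ports, ports[1:])}
        # sequential=True mirrors the asker's note that the port grows by one each time
        report[key] = {"count": len(ports), "first": ports[0],
                       "last": ports[-1], "sequential": steps == {1}}
    return report

# Constructed sample: the event from the question, repeated with increasing ports.
AGENT = "C:\\Program Files\\Cisco Systems\\Clean Access Agent\\CCAAgent.exe"
SAMPLE = [f"{MARKER} -, {AGENT}, 400, Z887453, US1, No, No, IPv4, UDP, {port}, No, No."
          for port in (1410, 1411, 1412)]

if __name__ == "__main__":
    for (path, proto), info in summarize(SAMPLE).items():
        print(path, proto, info)
```
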
jotetterton

ASKER

TM,

I did some research about this on Google and here, and tried disabling the firewall, and the events persisted. Any more ideas? I don't need to reboot after disabling the firewall, do I? There is also no third-party firewall software on the PC.

Jason
ASKER CERTIFIED SOLUTION
TechM0nster
