Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Repeating Event ID's 5152 and 5157

Posted on 2011-09-19
10
8,919 Views
Last Modified: 2013-04-04
Hi All,

I am receiving repeating Audit Failures on my laptop every few seconds to few minutes, tens of thousands of entries every few days.

I read that this was related to the Windows firewall and here are some troubleshooting steps I have already tried.

* Uninstalled Symantec Enterprise Security.
* Disabled my wireless network (connected physically though)
* Setup wired connection to use DHCP to insure that my settings weren't in error (was static IP)
* Disabled Windows Firewall

My machine seems to be the only machine on the network generating these errors and would like to have a solution.  Point of note, I installed SpiceWorks on my laptop as a trial a couple weeks ago.  Have since uninstalled and moved the installation to a server.  Not sure if this is related to SpiceWorks at all, but figured I would throw it out there.

Thanks in advance.

Tom
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		968
	Application Name:	\device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
	Direction:		Inbound
	Source Address:		255.255.255.255
	Source Port:		67
	Destination Address:	0.0.0.0
	Destination Port:		68
	Protocol:		0

Filter Information:
	Filter Run-Time ID:	355794
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44


-------------------------------------

The Windows Filtering Platform has blocked a packet.

Application Information:
	Process ID:		968
	Application Name:	\device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
	Direction:		Inbound
	Source Address:		0.0.0.0
	Source Port:		68
	Destination Address:	255.255.255.255
	Destination Port:		67
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	355794
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44

Open in new window

0
Comment
Question by:TWFarrington
  • 4
  • 4
10 Comments
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36560433
svchost.exe is quite an important application, and it should not be blocked at all.  I would create an allow rule for the svchost.exe application so that it's not blocked at the firewall.

Based on the frequency of the report, as well as the source address and destination address, I'd say that Windows Firewall blocking NETBIOS broadcasts.
0
 

Author Comment

by:TWFarrington
ID: 36560448
Hi Lester,

Thanks for the response.  Help me understand please ... I have disabled the firewall and uninstalled Symantec, why would I still get this message?

Thanks,
Tom
0
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36561704
If it's not Firewall, then it looks like it's coming from your audit policies.

Try to run the following commands from the command line:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success: disable /failure:disable

This will hopefully stop the messages occurring.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36561717
Sorry I left a space in the second line.

Let's try again

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

You should get a response "The command was successfully executed." when running each line.
0
 

Author Comment

by:TWFarrington
ID: 36582181
Thanks for those commands.  I am not looking to just shut them off, I am trying to identify and resolve what is causing them.  
0
 
LVL 9

Accepted Solution

by:
Lester_Clayton earned 500 total points
ID: 36582486
I've found it :)

Port 67 and 68 are DHCP protocol.  It looks like something else on your network is doing a DHCP request, and because it's a broadcast, your computer will see it too.  Your SVCHOST will drop it, because you cannot reply since you're not running a DHCP Server.

Do you have any other devices on your network other than your router?  Your router wouldn't be doing DHCP requests, since it is probably the DHCP Server, and designed to answer them.  if you do have other items, disconnect them completely and see if the messages stop.
0
 

Author Comment

by:TWFarrington
ID: 36582967
Lester,

Thank you!  I only have one DHCP server on the LAN, however the wireless network has its own (but not interfaced with the network).  We have a VPN, but that uses the DHCP on the server.  

All equipment is static IP with two exceptions, one is the rare event we have a guest which plugs into our network and the other is Dell iDrac on one of the servers.  

We do have a Web filter which is accessed via proxy (as well as inline) to access the internet.

I'm not sure if I should be looking for equipment which would be searching for a DHCP address (which if it get's a lease, I would think any searching would stop), or if I should be looking for a second DHCP server on the network ... or maybe a ip misconfiguration.

Thank you for your help!

Tom
0
 

Author Closing Comment

by:TWFarrington
ID: 36987049
Follow up questions not addressed.
0
 

Expert Comment

by:techgrl89
ID: 39047144
Was this matter ever fully exhausted? I have this same recent influx of hundreds of thousands of 5152 & 5157, on only one of our two domain controllers.

From my research, sifting through event logs and wireshark logs, I have a hunch that a few of these services below are the culprits:

DropBox on port 17500
GoogleDrive
Bonjour
XSan on myriad ports

On the one hand, the packet failures are a success if you view it in terms of a protection mechanism, but I am more interested in pin-pointing root cause to understand exactly what is filling my event logs to the brim. And I am not satisfied with the idea of the audit disable route.

I am eager to hear where this went. Thank you!
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question