troubleshooting Question
Multiple audit failure events 5152 and 5157 recently flooding event log.
asked on
My SBS 2008 server security event log is showing about 10 audit failure pairs per second - events 5152 and 5157. One pair of the log entries is shown at the bottom of this post. I don't see any external symptoms, but I expect that there is an undue load on the server and a possible security gap. I don't think it is a firewall problem because I don't think there should be traffic between the server and this external IP address. This is a somewhat recent phenomenon. What is happening and how do I get rid of it without turning off auditing?
Comcast is providing both ISP and VOIP services through separate channels. The Internet access comes through a router and a Dell PC2824 switch to the server and the rest of the network. The Comcast VOIP is fairly new and comes through their box and the same PC2824 switch. The PC2824 is configured to keep the data on the default VLAN 1 and the voice on VLAN 20. The VOIP phones and user computer share Ethernet cables to the switch. The VOIP phones are configured to keep to VLAN 20 while letting VLAN 1 and untagged packets pass through. The user computers and SBS2008 server do not know about the VLAN usage. The port for the SBS server is forbidden for VLAN 20 packets.
The log entries show svchost.exe as process ID 532 which relates to the following services: Windows Audio, DHCP client, Windows Event Log, and TCP/IP NETBIOS Helper.
50.143.170.64 is unknown and owned by Comcast. It is not the public IP for the network. It may be related to the VOIP service. 192.168.11.2 is the local IP address for the SBS2008 server. 192.168.11.1 is the gateway. I don't understand how a packet could have the server as a source and still be inbound.
Thanks,
Joe
================ Event Log pairs ================
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 47
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
--------------------- and -------------------------
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 0
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
and
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 47
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
==========================
Comcast is providing both ISP and VOIP services through separate channels. The Internet access comes through a router and a Dell PC2824 switch to the server and the rest of the network. The Comcast VOIP is fairly new and comes through their box and the same PC2824 switch. The PC2824 is configured to keep the data on the default VLAN 1 and the voice on VLAN 20. The VOIP phones and user computer share Ethernet cables to the switch. The VOIP phones are configured to keep to VLAN 20 while letting VLAN 1 and untagged packets pass through. The user computers and SBS2008 server do not know about the VLAN usage. The port for the SBS server is forbidden for VLAN 20 packets.
The log entries show svchost.exe as process ID 532 which relates to the following services: Windows Audio, DHCP client, Windows Event Log, and TCP/IP NETBIOS Helper.
50.143.170.64 is unknown and owned by Comcast. It is not the public IP for the network. It may be related to the VOIP service. 192.168.11.2 is the local IP address for the SBS2008 server. 192.168.11.1 is the gateway. I don't understand how a packet could have the server as a source and still be inbound.
Thanks,
Joe
================ Event Log pairs ================
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 47
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
--------------------- and -------------------------
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 0
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
and
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/11/2016 9:29:12 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.
Application Information:
Process ID: 532
Application Name: \device\harddiskvolume1\wi
Network Information:
Direction: Inbound
Source Address: 192.168.11.2
Source Port: 0
Destination Address: 50.143.170.64
Destination Port: 0
Protocol: 47
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
==========================
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 20 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.