Multiple audit failure events 5152 and 5157 recently flooding event log.

Asked by JoeM21
Tags: SBS, Windows Server 2008, Networking, Voice Over IP, Dell
My SBS 2008 server security event log is showing about 10 audit failure pairs per second - events 5152 and 5157. One pair of the log entries is shown at the bottom of this post. I don't see any external symptoms, but I expect that there is an undue load on the server and a possible security gap. I don't think it is a firewall problem because I don't think there should be traffic between the server and this external IP address. This is a somewhat recent phenomenon. What is happening and how do I get rid of it without turning off auditing?

Comcast is providing both ISP and VOIP services through separate channels. The Internet access comes through a router and a Dell PC2824 switch to the server and the rest of the network. The Comcast VOIP is fairly new and comes through their box and the same PC2824 switch. The PC2824 is configured to keep the data on the default VLAN 1 and the voice on VLAN 20. The VOIP phones and user computers share Ethernet cables to the switch. The VOIP phones are configured to keep to VLAN 20 while letting VLAN 1 and untagged packets pass through. The user computers and SBS2008 server do not know about the VLAN usage. The port for the SBS server is forbidden for VLAN 20 packets.

The log entries show svchost.exe as process ID 532 which relates to the following services: Windows Audio, DHCP client, Windows Event Log, and TCP/IP NETBIOS Helper.

50.143.170.64 is unknown and owned by Comcast. It is not the public IP for the network. It may be related to the VOIP service. 192.168.11.2 is the local IP address for the SBS2008 server. 192.168.11.1 is the gateway. I don't understand how a packet could have the server as a source and still be inbound.

Thanks,

Joe

================ Event Log pairs ================

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

--------------------- and -------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            0

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

--------------------- and -------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

===========================================================
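An added triage helper, not from the post or from any answer on this page: it parses pasted 5152/5157 event text in the shape of the entries above and aggregates it by process, direction, protocol (IANA number 47 is GRE, 0 is HOPOPT), and address pair, estimates the burst rate, and flags Inbound events whose source is one of the host's own addresses, which is the oddity the asker noticed. The SAMPLE text is constructed from the post's fields; the local address set is an assumption passed in by the caller.

```python
import re
from collections import Counter
from datetime import datetime

PROTOCOLS = {0: "HOPOPT", 1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}  # IANA protocol numbers
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(\S.*?)\s*$")  # 'Key:   value' lines

def parse_events(text):
    """Split a pasted Security-log export into dicts; an event starts at a 'Log Name:' line."""
    events = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)  # section headers ('Network Information:') have no value, so skip
        if m and m.group(1) == "Log Name":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def summarize(events, local_ips=()):
    """Aggregate 5152/5157 events by the fields an analyst pivots on and estimate the rate."""
    wfp = [e for e in events if e.get("Event ID") in ("5152", "5157")]
    by_key, odd, stamps = Counter(), [], []
    for e in wfp:
        proto = int(e.get("Protocol", -1))
        key = (e["Event ID"], e.get("Application Name", "?").rsplit("\\", 1)[-1],
               e.get("Direction"), PROTOCOLS.get(proto, f"proto-{proto}"),
               e.get("Source Address"), e.get("Destination Address"))
        by_key[key] += 1
        stamps.append(datetime.strptime(e["Date"], "%m/%d/%Y %I:%M:%S %p"))
        if e.get("Direction") == "Inbound" and e.get("Source Address") in local_ips:
            odd.append(key)  # inbound packet claiming a local source: worth a second look
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {"total": len(wfp), "by_key": by_key, "inbound_from_local": odd,
            "per_second": len(wfp) / max(span, 1.0)}  # a sub-second burst counts as one second

SAMPLE = r"""Log Name:      Security
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe
Direction:            Inbound
Source Address:            192.168.11.2
Destination Address:      50.143.170.64
Protocol:            47
Log Name:      Security
Date:          10/11/2016 9:29:12 AM
Event ID:      5157
Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe
Direction:            Inbound
Source Address:            192.168.11.2
Destination Address:      50.143.170.64
Protocol:            0"""  # constructed sample shaped like the post's entries, trimmed to parsed fields
```

Running `summarize(parse_events(SAMPLE), local_ips={"192.168.11.2"})` groups the two entries into one svchost.exe/GRE drop and one svchost.exe/HOPOPT connection block, both flagged as inbound-from-local.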
ASKER CERTIFIED SOLUTION
Davis McCarn