Event ID 5480 — IPsec Policy Agent Service Runtime

Applies To: Windows Server 2008

The IPsec Policy Agent Service applies IPsec policy and rule changes to the current operating state of the IPsec filtering software.

Note: The IPsec Policy Agent service provides compatibility with Internet Protocol security (IPsec) policies created by using Group Policy editing tools on computers that are running earlier versions of Windows. New deployments of Windows Vista and Windows Server 2008 should not use the policies supported by the IPsec Policy Agent service since those policies support only a subset of the features supported by Windows Firewall with Advanced Security. Instead, new deployments should use policies created by using Windows Firewall with Advanced Security to take full advantage of the additional security and features.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when the service cannot perform its required tasks, such as properly processing filters, or cannot protect traffic sent or received by one or more of the network adapters attached to the computer.

Event Details

Product: Windows Operating System
ID: 5480
Source: Microsoft-Windows-Security-Auditing
Version: 6.0
Symbolic Name: SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_INTERFACE_LIST_INCOMPLETE
Message: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

Resolve

Review IP Security Monitor and restart computer

In specific situations when memory resources are extremely low, the IPsec Policy Agent service cannot function correctly. Because of the low memory situation, IPsec was not able to retrieve the entire list of network adapters connected to your computer. The network adapters at the end of the list might not be protected.

You can use the IP Security Monitor to see which network adapters are not protected, but you cannot resolve the problem by using that program. To recover from this situation without compromising security, you must restart the computer. You cannot just free up memory by closing programs, and you cannot just restart the service. After the computer restarts, consider running fewer applications on the computer to place less of a load on memory resources.

If the problem occurs frequently, you might need to add memory to the computer in order to avoid the low resources situation.

To examine memory usage on the computer:

  1. Log on to the computer.
  2. Right-click the taskbar, and then click Task Manager.
  3. Click the Applications tab and make sure Status of all tasks is Running. If any tasks have a Status of Not responding, you should consider ending the task by clicking End Task.
  4. Click the Processes tab.
  5. Click Memory and investigate processes that are using a lot of memory.

Verify

You can verify that the IPsec Policy Agent service is running by using the Services Microsoft Management Console (MMC) snap-in or the net start command-line tool.

To verify that the IPsec Policy Agent service is running:

Check the status by using the Services MMC snap-in

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

  1. Click Start, type services.msc in the Start Search box, and then press ENTER.
  2. In the Services MMC snap-in, find IPsec Policy Agent, and confirm that Started appears in the Status column.

Check the status by using the net start command-line tool

At a command prompt, type net start, and then verify that IPsec Policy Agent is listed as one of the services currently running on the computer.
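The checks described above can also be scripted. The following is an added example, not part of the original article: it reports whether event 5480 has been logged since the last restart (the only recovery the article allows), the state of the IPsec Policy Agent service, and current free physical memory. It assumes an elevated Windows PowerShell 2.0 or later session; the output property names are illustrative.

```powershell
# Added example (not from the original article). Run elevated: reading the
# Security log requires administrative rights.

# Last boot time and free physical memory from WMI.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# Event 5480 in the Security log, limited to the current boot session.
# An occurrence after the last boot means the restart required by the
# article has not happened yet and some adapters may be unprotected.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 5480
    StartTime    = $lastBoot
}
# Get-WinEvent raises an error when nothing matches, so suppress it and
# force an array so that .Count is always valid.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 'PolicyAgent' is the service name behind the "IPsec Policy Agent" display name.
$svc = Get-Service -Name PolicyAgent

# Get-WinEvent returns newest events first.
$latest = $null
if ($events.Count -gt 0) { $latest = $events[0].TimeCreated }

$report = New-Object PSObject -Property @{
    Computer            = $env:COMPUTERNAME
    LastBoot            = $lastBoot
    Event5480SinceBoot  = $events.Count
    Latest5480          = $latest
    RestartRequired     = ($events.Count -gt 0)
    PolicyAgentStatus   = $svc.Status
    # FreePhysicalMemory is reported in kilobytes.
    FreePhysicalMemMB   = [math]::Round($os.FreePhysicalMemory / 1KB)
}

$report | Select-Object Computer, LastBoot, Event5480SinceBoot, Latest5480,
                        RestartRequired, PolicyAgentStatus, FreePhysicalMemMB
```

A running service with `RestartRequired` set to True still indicates the condition described in the event message, because restarting the service or freeing memory does not restore protection.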
