Published: October 7, 2009
Updated: November 18, 2009
Applies To: Windows Server 2008 R2
Use the Event Viewer snap-in on a DirectAccess client to examine Windows events for operational Internet Protocol security (IPsec) and Windows Firewall events, network location detection events, and IPsec negotiation events.
Click Start, type eventvwr.msc, and then press ENTER.
In the console tree of Event Viewer, navigate to the appropriate location.
In the contents pane, double-click a Windows event to view its details.
For troubleshooting DirectAccess problems, view the events in the following locations:
Applications and Service Logs\Microsoft\Windows\Windows Firewall with Advanced Security
Use this event log to view Windows Firewall and connection security (IPsec) operational events, such as changes to network profiles or firewall settings.
Applications and Services Logs\Microsoft\Windows\NCSI\Operational
Use this event log to view network location detection, also known as Inside/Outside detection, and its results.
IPsec events in the Windows Logs\Security event log are configured through audit settings, which are not enabled by default. To enable audit settings and view IPsec audit events for IPsec security negotiations, use Auditpol.exe, a command line tool that modifies audit polices of the local computer to enable or disable the various categories and subcategories of events and then view the events in the Event Viewer snap-in.
To enable audit policies for IPsec security negotiation, run the auditpol /set /subcategory:”IPsec Main Mode”,“IPsec Extended Mode” /success:enable /failure:enable command at an elevated command prompt. Then, view events 4653, 4654 and 4984 in the Windows Logs\Security event log.