Share via


Event ID 5474 — IPsec Policy Agent Rule Processing

Applies To: Windows Server 2008 R2

The IPsec Policy Agent service receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving new or modified policy settings, IPsec Policy Agent must process each new or modified rule to determine which network traffic to block, allow, or protect by using Internet Protocol security (IPsec). 

Note:   This service provides compatibility with Internet Protocol security (IPsec) policies used in earlier versions of Windows. New deployments of Windows Vista and Windows Server 2008 should not use the policies supported by the IPsec Policy Agent service since those policies support only a subset of the features supported by Windows Firewall with Advanced Security. Instead, new deployments should use policies created by using Windows Firewall with Advanced Security to take full advantage of the additional security and features.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy, and in processing the rules defined in the policy.

Event Details

Product: Windows Operating System
ID: 5474
Source: Microsoft-Windows-Security-Auditing
Version: 6.1
Symbolic Name: SE_AUDITID_ETW_POLICYAGENT_PASTORE_LOAD_DS_POLICY_FAIL
Message: PAStore Engine failed to load directory storage IPsec policy on the computer.

Policy:%t%t%1
Error Code:%t%t%2

Resolve

Check the local computer connection to a domain controller

This error condition indicates that the Group Policy client is not able to find a domain controller for its domain. If the local computer cannot successfully communicate with a domain controller, then it cannot retrieve updates to its Group Policy settings, including any changes to Internet Policy security (IPsec) policy. If you suspect the communications problem was temporary, then follow the procedure in the "Manually retrieve the Group Policy" section to see if Group Policy can now be accessed. If the Group Policy cannot be manually retrieved, then you will need to troubleshoot Group Policy.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Manually retrieve the Group Policy

To attempt to manually retrieve Group Policy from the domain controller:

  1. Start an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. At the command prompt, type the command: gpupdate /force

If the command succeeds, then the computer is communicating with the domain controller and is receiving and processing Group Policy updates correctly.

Troubleshoot Group Policy

If the Group Policy update fails, it confirms your computer cannot communicate with your domain controller to receive and process updates to Group Policy and you need to investigate the source of that particular failure by using Group Policy logs, and other connectivity tests such as pinging the domain controllers. For more information about troubleshooting Group Policy, see the following:

Verify

You can verify that your computer is successfully retrieving and processing Internet Protocl security (IPsec) policies by examing the Event Viewer logs and looking for messages that indicate successful policy processing.

To ensure that your computer is creating the appropriate events as required, see https://go.microsoft.com/fwlink/?linkid=92666.

To verify that policy is being retrieved and processed correctly:

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

  1. Force a Group Policy update or restart the computer. Policy is retrieved and processed when Windows starts. To force a Group Policy update, Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At the command prompt, type the following command: gpupdate /force.
  2. Examine the Event log for the following event IDs:  5456, 5458, 5460, 5467, 5468, 5471, 5473. The presence of one or more of those event messages when a changed policy is received is an indication that policy is being received and processed correctly.

You can also change a rule (locally or in a Group Policy that applies to the computer), and then examine the policies on the computer to confirm that the changed rule was received and processed correctly. Use the IP Security Policies Microsoft Management Console (MMC) snap-in or the netsh ipsec command-line tool to examine the rules on the local computer. The exact netsh command to use depends on the rule that you change. For more information about the netsh command line tool, see https://go.microsoft.com/fwlink/?linkid=93363.

To see the current rule list in the IPsec Security Policies MMC snap-in:

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

  1. Click Start, then in the Start Search box type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. In the Available snap-ins list, click IP Security Policy Management, click Add, click Finish, and then click OK.
  4. Click IP Security Policies on Local Computer to see the list of currently applied rules in the details pane.

IPsec Policy Agent Rule Processing

Windows Firewall with Advanced Security