Event ID 5461 — IPsec Policy Agent Rule Processing

  • Article

Applies To: Windows Server 2008 R2

The IPsec Policy Agent service receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving new or modified policy settings, IPsec Policy Agent must process each new or modified rule to determine which network traffic to block, allow, or protect by using Internet Protocol security (IPsec). 

Note:   This service provides compatibility with Internet Protocol security (IPsec) policies used in earlier versions of Windows. New deployments of Windows Vista and Windows Server 2008 should not use the policies supported by the IPsec Policy Agent service since those policies support only a subset of the features supported by Windows Firewall with Advanced Security. Instead, new deployments should use policies created by using Windows Firewall with Advanced Security to take full advantage of the additional security and features.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy, and in processing the rules defined in the policy.

Event Details

Product: Windows Operating System
ID: 5461
Source: Microsoft-Windows-Security-Auditing
Version: 6.1
Symbolic Name: SE_AUDITID_ETW_POLICYAGENT_PASTORE_FAILED_LOCAL_POLICY_APPLICATION
Message: PAStore Engine failed to apply local registry storage IPsec policy on the computer.

Policy:%t%t%1
Error Code:%t%t%2

Resolve

Fix local policy issues

Windows logs an error if the local policy storage cannot be read. The error message indicates the cause of the failure by including an error code in the text of the message. To determine the meaning of the code, open a command prompt, and then type net helpmsg errnum, where errnum is the error code displayed in the event message.

Note: For a complete listing of Win32 error messages, see https://go.microsoft.com/fwlink/?LinkId=83027.

Take action appropriate to the error that caused the failure. Possible causes are listed here:

Low memory resources.

If excessive demands are placed on the memory resources of your computer, such as when running more programs than the computer can adequately support, then common operating system functions required to do such tasks as retrieving or processing firewall policy can fail.

To solve this situation perform one or more of the following steps:

  • Stop unneeded programs to free up memory. See the procedure at the end of this list.
  • Restart the computer, and then start fewer programs so that resources are not under an excessive load.
  • If the problem persists, you might need to add more RAM to the computer to support the number of programs that you want to run.

To free up memory on the computer:

  1. Log on to the computer.
  2. Right-click the taskbar, and then click Task Manager.
  3. Click the Applications tab and make sure Status of all tasks is Running. If any tasks have a Status of Not responding, you should consider ending the task by clicking End Task.
  4. Click the Processes tab.
  5. Click Memory and investigate processes that are using a lot of memory.

Registry corruption

If the computer registry is corrupted then the local policy cannot be retrieved. The only supported solution to this condition is to reinstall the operating system. Registry corruption cannot be reliably repaired.

Verify

You can verify that your computer is successfully retrieving and processing Internet Protocl security (IPsec) policies by examing the Event Viewer logs and looking for messages that indicate successful policy processing.

To ensure that your computer is creating the appropriate events as required, see https://go.microsoft.com/fwlink/?linkid=92666.

To verify that policy is being retrieved and processed correctly:

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

  1. Force a Group Policy update or restart the computer. Policy is retrieved and processed when Windows starts. To force a Group Policy update, Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At the command prompt, type the following command: gpupdate /force.
  2. Examine the Event log for the following event IDs:  5456, 5458, 5460, 5467, 5468, 5471, 5473. The presence of one or more of those event messages when a changed policy is received is an indication that policy is being received and processed correctly.

You can also change a rule (locally or in a Group Policy that applies to the computer), and then examine the policies on the computer to confirm that the changed rule was received and processed correctly. Use the IP Security Policies Microsoft Management Console (MMC) snap-in or the netsh ipsec command-line tool to examine the rules on the local computer. The exact netsh command to use depends on the rule that you change. For more information about the netsh command line tool, see https://go.microsoft.com/fwlink/?linkid=93363.

To see the current rule list in the IPsec Security Policies MMC snap-in:

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

  1. Click Start, then in the Start Search box type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. In the Available snap-ins list, click IP Security Policy Management, click Add, click Finish, and then click OK.
  4. Click IP Security Policies on Local Computer to see the list of currently applied rules in the details pane.

IPsec Policy Agent Rule Processing

Windows Firewall with Advanced Security