Loads of "Filtering Platform Packet Drop" Event 5152 with Firewall, configured to allow all

    Question

  • Hi

    On our Windows Server 2008 R2 I have many packet drops in the event log with event 5152, category "Filtering Platform Packet Drop", but I have everything allowed in the firewall. That means:

    Inbound/outbound allow; additionally, in the advanced configuration I created another inbound rule where I allow EVERYTHING (any programs, any protocols, any ports, any local IPs, any remote IPs, ...) and the same with an outbound rule.

    So I ask myself, what exactly is still blocked and why? And how can I make sure that nothing is being blocked?

    -> I want nothing to be blocked on that server, as I do firewalling differently.


    Thank you very much and kind regards

    David

    Tuesday, November 08, 2011 1:53 PM

All replies

  • If you are only using Windows Firewall, you can disable it via the advFirewall snap-in (WF.msc).

    You can use "NetSh.exe WFP Show State" to show you the list of filters on the machine.   In the event, you should see the filterId for the filter that caused the drop.

       Filter Information:
       Filter Run-Time ID: 717219
       Layer Name: Transport
       Layer Run-Time ID: 13

    You can correlate this with the state dump you performed to see the culprit of the drop, who owns the filter, etc...

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, November 08, 2011 5:10 PM
    Moderator
  • Hi

    Thank you for your answer, but somehow I don't see what you mean: do you mean to disable the firewall, or to disable the drops with the help of the advFirewall snap-in (in this snap-in I allowed everything and created the new rules, which should not block anything anymore)...

    The output of the command "NetSh.exe WFP Show State" is an XML file, which I do not really know how to read :-( You can find the file at the following place (until 14th of November 2011):

      * http://www.file2send.de/download/KLS6DJpClmQgFODAkBfnA-KUOULPK_Sx5Kg2uZELXE7bYZL1nLjpsp8-ug..K

    What would really interest me is: why can I have drops in a firewall which is configured to allow everything?


    Thank you in advance

    David

    Wednesday, November 09, 2011 10:50 AM
  • Can you post the output from the event, like I did above, on the machine where you performed the state dump.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, November 10, 2011 8:06 AM
    Moderator
  • Hi, thank you for your reply! I am sending you the whole event information. Thank you for your effort:

    -----------------------------------------------------------------------

    The Windows Filtering Platform has blocked a packet.

    Application Information:
        Process ID:        0
        Application Name:    -

    Network Information:
        Direction:        Inbound
        Source Address:        192.168.1.101
        Source Port:        1036
        Destination Address:    255.255.255.255
        Destination Port:        1947
        Protocol:        17

    Filter Information:
        Filter Run-Time ID:    72655
        Layer Name:        Transport
        Layer Run-Time ID:    13

    -----------------------------------------------------------------------

    Kind regards

    David

    Thursday, November 10, 2011 8:38 AM
  • The event and state dump don't match up (is it possible you rebooted or restarted BFE or MPSSvc between when you gave me the state dump and when you gave me the event?)

    Anyhow, if you open the xml file in notepad and search for "<filters numItems=", you will see a list of filters still on the machine. I have a suspicion that the drop is being caused by the port scanning prevention filter. Rather than allow everything in the firewall, why not just turn the firewall off? (NetSh.exe advfirewall set allprofiles state off) While it is not recommended to run without a firewall, you are essentially doing just that by allowing all traffic.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, November 10, 2011 11:21 PM
    Moderator
  • Hi

    Thank you for this hint. Next I thought I could then deactivate the firewall service, if it is switched off anyway. But then I suddenly have events 5157, "Windows Filtering Platform blocked a connection" - why this? What is that?

    -> I have only found a solution and even a Windows patch for the event 5159, but I cannot find good information about the error 5157...

    Thank you and kind regards

    David

    Friday, November 11, 2011 3:04 PM
  • Same troubleshooting steps apply.  I'd need to see the most recent output from "NetSh.exe WFP Show State" and the most recent 5157 event information.

    If you use notepad on the resultant xml, you can search for the Filter Run-Time ID indicated by the event. This will tell you which filter is causing the drop.


    Hope this helps,



    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, November 15, 2011 5:28 PM
    Moderator
  • Hi

    I did the Netsh thing and checked the ID in the xml - but I cannot find this Filter Run-Time ID :-(

    So here is the event description (I used the "Details" tab - XML view - so there is also a time):

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5157</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-16T17:18:28.575804500Z" />
        <EventRecordID>977498</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="220" />
        <Channel>Security</Channel>
        <Computer>vm-0020.LOOSLI.BIZ</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessID">312</Data>
        <Data Name="Application">\device\harddiskvolume2\windows\system32\lsass.exe</Data>
        <Data Name="Direction">%%14593</Data>
        <Data Name="SourceAddress">192.168.0.20</Data>
        <Data Name="SourcePort">63950</Data>
        <Data Name="DestAddress">192.168.0.6</Data>
        <Data Name="DestPort">88</Data>
        <Data Name="Protocol">6</Data>
        <Data Name="FilterRTID">0</Data>
        <Data Name="LayerName">%%14611</Data>
        <Data Name="LayerRTID">48</Data>
        <Data Name="RemoteUserID">S-1-0-0</Data>
        <Data Name="RemoteMachineID">S-1-0-0</Data>
      </EventData>
    </Event>


    Then the xml file:

    http://www.file2send.de/download/KLeP0D2Paq8uDSX8SMnG8vpkxa16dfqout45TkWfs8kz6uq4DF9Dle95qQ..K
    -> Link valid until the 21st of November...

    The time of the event is 18:18 (the time written above is wrong - probably due to daylight savings??? The time shown on the server is correct, and the time shown in the log itself is also correct...); the creation time of the file is also 18:18...
    -> All time is CET

    Thank you and kind regards

    David



    Wednesday, November 16, 2011 5:31 PM
  • Being that the FilterRTID is not populated (i.e. 0), and the layer has no filters in it (look for <layerId>48</layerId>, line 5825 in the xml; line 5884 indicates this layer has no filters by using a closed tag <filters/>), I believe this is a drop issued by the stack. To validate this, you can do the following:

    At an elevated command prompt, execute "Netsh.exe WFP Capture Start"
    Repro the event
    Execute "NetSh.exe WFP Capture Stop"

    In the output, there will be a section for NetEvents which indicates whether the drop was due to a filter or the stack. Stack drops can occur because no endpoint is listening, invalid headers, etc.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, November 16, 2011 6:41 PM
    Moderator
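    To make the correlation described in the replies above concrete, here is an added example (not code from this thread or from Microsoft) that reads the XML view of a 5152/5157 event and the XML that "NetSh.exe WFP Show State" writes, and reports whether the Filter Run-Time ID resolved to a named filter, is absent from the dump (as happens when the dump and the event come from different BFE sessions), or, with FilterRTID 0 in a layer whose <filters/> tag is empty, points to a stack drop. The wfpstate element names beyond the "<filters numItems=" and "<layerId>" cited above are assumptions, and both inputs are constructed inline.

```python
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed wfpstate sample (not a real dump): layer 13 holds one block filter,
# layer 48 is empty (<filters/>), matching the shape discussed in the thread.
SAMPLE_STATE = """<wfpstate><layers>
<item><layer><layerId>13</layerId><displayData><name>Transport</name></displayData></layer>
<filters numItems="1"><item><filterId>72655</filterId>
<displayData><name>Constructed Block Filter</name></displayData>
<action><type>FWP_ACTION_BLOCK</type></action></item></filters></item>
<item><layer><layerId>48</layerId><displayData><name>constructed-layer-48</name></displayData></layer>
<filters/></item>
</layers></wfpstate>"""

# Trimmed copy of the 5157 event posted above: no filter id, layer 48.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5157</EventID></System>
<EventData><Data Name="FilterRTID">0</Data><Data Name="LayerRTID">48</Data>
<Data Name="DestPort">88</Data></EventData></Event>"""


def event_fields(event_xml):
    """Map EventData Name -> value (plus EventID) from a Security event's XML view."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    fields["EventID"] = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID")
    return fields


def explain_drop(event_xml, state_xml):
    """Resolve a 5152/5157 drop against the state dump: name the filter if one matched,
    report a stack drop when FilterRTID is 0 and the layer holds no filters, and flag
    an id that is absent from the dump (typically a dump taken after BFE restarted)."""
    ev = event_fields(event_xml)
    filter_id, layer_id = ev.get("FilterRTID", "0"), ev.get("LayerRTID")
    for layer_item in ET.fromstring(state_xml).iter("item"):
        if layer_item.findtext("layer/layerId") != layer_id:
            continue  # filter <item>s have no layer/layerId and are skipped here
        filters = layer_item.find("filters")
        n_filters = int(filters.get("numItems", "0")) if filters is not None else 0
        if filter_id == "0" and n_filters == 0:
            return {"kind": "stack", "layer": layer_id, "filter": None, "name": None}
        for f in (filters.iter("item") if filters is not None else ()):
            if f.findtext("filterId") == filter_id:
                return {"kind": "filter", "layer": layer_id, "filter": filter_id,
                        "name": f.findtext("displayData/name"),
                        "action": f.findtext("action/type")}
        return {"kind": "unmatched", "layer": layer_id, "filter": filter_id, "name": None}
    return {"kind": "unknown-layer", "layer": layer_id, "filter": filter_id, "name": None}
```

    An "unmatched" result is the cue to take a fresh state dump in the same BFE session as the event before reading anything into the id; a "stack" result is the case where the "NetSh.exe WFP Capture" NetEvents section, not the filter list, explains the drop.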
  • Hi Dusty

    Thank you for your reply

    Ok, I tried to do what you told me. Is it correct that what you call an "elevated command prompt" means opening cmd as Administrator?
    -> That's what I did...

    I still cannot handle that thing - so here is another file2send...

    http://www.file2send.de/download/KLboksYVGjIOvLFwGBR4QNq2y1F4iryMy36NV8k_HBCG-UJ5vl8P7U2MIA..F

    Thank you very much for your help!

    David

    Wednesday, November 30, 2011 5:46 PM
  • Considering I have exactly the same problem, it's gratifying to see that this thread was followed up to a successful conclusion, and documented here.
    Wednesday, December 25, 2013 3:28 PM
  • LOL!

    I hear you there. My Surface Pro has Remote Admin tools loaded on it, and has for months. It worked great since I loaded them until this morning. I thought my "Admin" account was locked. I checked events to see the same issues above pointing to my DCs.

    I love "closed" threads.

    Tuesday, December 31, 2013 5:30 PM
  • Please do the following:

       NetSh.exe WFP Capture Start

       Repro the event

       NetSh.exe WFP Capture Stop

    Send me a link to the resultant WFPDiag.cab ( DHarper @AT@ Microsoft .DOT. com )

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, December 31, 2013 9:53 PM
    Moderator
  • Please do the following:

       NetSh.exe WFP Capture Start

       Repro the event

       NetSh.exe WFP Capture Stop

    Send me a link to the resultant WFPDiag.cab ( DHarper @AT@ Microsoft .DOT. com )


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, January 07, 2014 10:24 PM
    Moderator