Event Viewer - Failure Audit

  Guesswho 12:13 07 Nov 2005

Event Viewer often shows a Failure Audit Event I.D. 615 when I've been on the internet with a dial-up connection.
There is a reference to IPSec services and a suggestion to run IPSec monitor snap-in to further diagnose the problem.
I am not aware of any problem while I'm on the internet. I want to understand what this is all about and resolve it.
Does anyone know where I can read up on TCP/IP issues?
I'm running XP, not on a network, with AVG, Spybot and and Micro Antispyware.

  Chegs ® 12:17 07 Nov 2005

click here

Should be something your after in this little lot.

  Guesswho 19:26 07 Nov 2005

Many thanks, Chegs.
I have noted the various sites and will proceed to slowly try to climb the learning curve!
Bearing in mind that only old me uses this computer and that it's not on a network, are you able to suggest with your knowhow, if these Event Viewer ID615 notices are anything to worry about?

  Chegs ® 20:07 07 Nov 2005

click here

Goes into IPSec in huge detail,offers several possible solutions and nears end with a bit of infighting ultimately finalizing with "Why do we get this IPsec error in the event viewer?"

Good Luck

  Guesswho 21:13 07 Nov 2005

Hi Chegs.
Thanks again for replying. Pity it's an expensive site!

  Chegs ® 21:50 07 Nov 2005

1. Start

2. Choose RUN

3. Input MMC

4. Press ENTER

1. Start IP Security Policy Management snap-in

2. RightClick IP Security Policies on Local Computer

3. Choose All Tasks

4. Choose Restore Default policies

do the same (2-4) with User Configuration

The error your getting doesn't indicate you've been hacked (Sorry trywaredk, but there is simply not enough correlating information to draw that conclusion YET. You would need to at least correlate that with login auditing info and , if your setup for it, file access auditing information. In addition you should check your IPSEC enviroment for further clues).

The IPSEC policy "manager" applies or refreshes IPSEC policies at certain intervals. When your dialup connection is disconnected the "manager" can no longer apply IPSEC policy to that interface and gives you the warning your getting in the event viewer. ( this is my first conclusion and what I would check first)

So the questions to ask yourself is "Do you have any IPsec policies?" and "are they setup to be applied to your dialup connection?"

To check the last one, open the properties of your dialup connection and click the "networking" tab. Now highlight "Internet Protocol TCP/IP" and click "Properties". On the second window that opens click "advanced" and then click the "options" tab. Now highlight "IP security" and hit "properties" again. Make sure, on this 3rd page that "do not use IPsec" is clicked. Note: ONLY click this option if you wish NOT to use IPSEC for this connection).

If your NOT using IPSEC then you can disable all IPSEC "services" in the "Services" applet. Of course you'll have to manually enable them if you change your mind later.

To use the "IPSEC monitor" open your "run" box and type "MMC". Click "file" at the top of the window and then click " add/remove snapin". On the second window that opens click "add" and see if "IPSEC Security monitor" is listed. If it is click it and choose "add" and then "close" and then "ok" to add the plugin to your MMC console. ( I'll stop here..lets see if you even have the plugin first :) )

By default the IPSEC policies you see listed in the "Local security policy" applet ( client, server and secure server) are not enabled ( you should see "no" in the "policy assigned" colume). Is this what you see?

I could see the whole page,so I've copy/pasted into word then spent awhile editing out the irrelevant bits,to get the post above.If it doesn't help you,I will continue to edit the rest of the document(15 pages including adverts)and see if I can get anything further.

  Mr Beeline 22:05 07 Nov 2005


Must admit that I've seen this on just about every Windows XP machine with an Internet connection that I've ever used (including my current machine)and I've always just ignored it. Though must admit that I to have wondered quite what was going on.

  Guesswho 14:15 08 Nov 2005

Hi Chegs.
I do appreciate all your efforts.
I've copied your note into Word. When I've worked thro' it I'll get back to you.
Many thanks.

  bretsky 14:24 08 Nov 2005


  Guesswho 15:08 08 Nov 2005

Right Cheg.
When I first ran mmc, got the Console 1 window showing a folder "Console Root" and under 'Name' in the right hand panel it showed: "There are no items to show in this view."
But then when I followed your instructions to click on File etc I've got to the stage where Console Root now shows IP Security Monitor.
So far so good.
You will perhaps appreciate that I am well out of my depth, so I look forward to having your next instalment which I hope will not be too difficult!
I should point out that when I went into "Internet Protocol TCP/IP" > "Properties" > "Advanced" the 3 tabs available were: General, DNS and WINS. There didn't seem to be an "Options" tab with IP security.

  Chegs ® 16:24 08 Nov 2005

Your as out of your depth with this as me. :-)

I wouldn't worry unduly about it,although it would be nice to know howto resolve it as I kinda into security problems.

RightClick IP Security Policies on Local Computer

All Tasks/Restore Default Policies,a box appears asking if your sure,click yes.

Restart PC and check the Event Viewer log again.If its still showing a fault,I'm darned if I know where you go next. :-)

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

AMD Radeon Adrenalin release date, new features, compatible graphics cards

Inside the iMac Pro - Apple's most powerful Mac yet

iMac Pro release date, UK price & specs

Football : comment regarder la Ligue 1 en direct ?