The Windows Filtering Platform has blocked a packet.

    Question

  • We set up 4 new DCs in our AD domain after we updated our schema to 2008 R2. The 4 new DCs are standard builds with all the latest updates applied and no changes to the default firewall settings or Group Policies. In our security logs we are getting thousands of 5152 audit failures.

    The Windows Filtering Platform has blocked a packet.

    Application Information:
          Process ID:            0
          Application Name:      -

    Network Information:
          Direction:            Inbound
          Source Address:            xx.xx.xx.xx
          Source Port:            7474
          Destination Address:      xx.xx.xx.xx
          Destination Port:            32775
          Protocol:            17

    Filter Information:
          Filter Run-Time ID:      68188
          Layer Name:            Transport
          Layer Run-Time ID:      13

    They are announcement broadcasts that are being dropped.
    According to this article I should be able to disable these so my event logs stop filling up.

    http://blogs.technet.com/instan/archive/2009/01/08/the-windows-filtering-platform-has-blocked-a-bind-to-a-local-port.aspx

    However, the logs start filling up again after a few hours or right away after a reboot. Looking for any suggestions out there. This article seems to be similar to what I have but it does not list R2 as one of the systems it is supposed to fix.

    http://support.microsoft.com/kb/969257
     Looking for someone who may have some experience with this.
    Wednesday, April 07, 2010 9:52 PM

All replies

  • Did you ever figure this out? I have no idea what to do.
    Thursday, June 17, 2010 4:08 PM
  • Try creating an Advanced Audit Policy in your Domain Controllers OU

    For more information:

    Planning and Deploying Advanced Security Policies: http://technet.microsoft.com/en-us/library/ee513968(WS.10).aspx

    Advanced Filtering Platform Packet Drop: http://technet.microsoft.com/en-us/library/dd941625(WS.10).aspx

     

    Once you've created one that turns off Auditing of Advanced Filtering Platform Packet Drop, run "gpupdate /force". The messages should go away.

    Likewise, you can create an Advanced Audit Policy in any OU in your Active Directory.

    • Proposed as answer by CameronMu Friday, June 25, 2010 12:10 AM
    Friday, June 25, 2010 12:01 AM
  • Protocol 17 means UDP traffic. Looking at the port, looks like this is some kind of non-standard traffic.

    Check netstat -ano on the client and the DC. See what process is bound at the machine & sending the packet (source port) and DC (destination port). You can use Task Manager to know the process ID.

    Yes, let's try http://support.microsoft.com/kb/969257

    Hope this helps.


    Regards, Amit Saxena. Keep Walking!
    Sunday, June 27, 2010 11:56 PM
  • Any updates on this please?
    Regards, Amit Saxena. Keep Walking!
    Friday, July 02, 2010 3:14 AM
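Before turning off the Filtering Platform Packet Drop audit, it helps to know which flows account for the 5152 volume. The following is an added example, not code from the thread: it parses event text in the message layout quoted in the question and groups drops by direction, protocol, ports and filter ID. It assumes the events were exported as plain text; the addresses (documentation range) and the second filter ID are constructed sample values.

```python
from collections import Counter, defaultdict

HEADER = "The Windows Filtering Platform has blocked a packet."
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

# Constructed sample in the layout of the event quoted in the question.
TEMPLATE = (
    HEADER + "\n"
    "Application Information:\n  Process ID:  0\n  Application Name:  -\n"
    "Network Information:\n  Direction:  Inbound\n"
    "  Source Address:  {src}\n  Source Port:  {sport}\n"
    "  Destination Address:  {dst}\n  Destination Port:  {dport}\n"
    "  Protocol:  {proto}\n"
    "Filter Information:\n  Filter Run-Time ID:  {frid}\n"
    "  Layer Name:  Transport\n  Layer Run-Time ID:  13\n"
)
ROWS = [  # (src, sport, dst, dport, proto, frid), all constructed
    ("192.0.2.10", 7474, "192.0.2.255", 32775, 17, 68188),
    ("192.0.2.11", 7474, "192.0.2.255", 32775, 17, 68188),
    ("192.0.2.20", 51000, "192.0.2.5", 8080, 6, 70001),
]
SAMPLE = "\n".join(
    TEMPLATE.format(src=s, sport=sp, dst=d, dport=dp, proto=p, frid=f)
    for s, sp, d, dp, p, f in ROWS)

def parse_events(text):
    """Split exported text into events and read each 'Name: value' line."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only (IPv6-safe)
            if sep and value.strip():              # skips section headings
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def summarize(events):
    """Group drops by flow so repeated broadcasts stand apart from other traffic."""
    counts, sources = Counter(), defaultdict(set)
    for e in events:
        proto = int(e.get("Protocol", -1))
        key = (e.get("Direction", "?"), PROTOCOLS.get(proto, str(proto)),
               e.get("Source Port", "?"), e.get("Destination Port", "?"),
               e.get("Filter Run-Time ID", "?"))
        counts[key] += 1
        sources[key].add(e.get("Source Address", "?"))
    return [(key, n, sorted(sources[key])) for key, n in counts.most_common()]

if __name__ == "__main__":
    for key, n, srcs in summarize(parse_events(SAMPLE)):
        print(n, *key, "from", ", ".join(srcs))
```

Flows that dominate the count and come from known hosts are candidates for suppression; anything left over is worth a look before the audit subcategory is disabled.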