The Windows Filtering Platform has blocked a packet - Process: dashost.exe

James Nyunt 21 Reputation points
2022-03-28T07:22:37.34+00:00

Hi Guys,

I am getting quite a bit of event ID 5152 and 5157 on a Windows 2012 R2 terminal server. I just can't find any solid information. Can someone point me in the right direction, please?

Thanks so much in advance.

///---------------------------------------------------
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 1512
Application Name: \device\harddiskvolume2\windows\system32\dashost.exe

Network Information:
Direction: Inbound
Source Address: 10.5.3.49
Source Port: 58248
Destination Address: 239.255.255.250
Destination Port: 3702
Protocol: 17

Filter Information:
Filter Run-Time ID: 936101
Layer Name: Receive/Accept
Layer Run-Time ID: 44


1 answer

  1. Limitless Technology 39,931 Reputation points
    2022-04-01T11:45:45.377+00:00

    Hi @James Nyunt

    These Event-IDs indicate firewall filtering issues:

    ID    Message
    5152  The Windows Filtering Platform blocked a packet.
    5157  The Windows Filtering Platform has blocked a connection.

    "Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."

    The meaning of the word 'connection' in Event 5157 is not the same as the connection in OSI model transport layer.

    There are three kinds of flows that are defined as CONNECTION:

    TCP ALE Flow

    UDP ALE Flow (Protocols that are not TCP or ICMP are treated like UDP.)

    ICMP ALE Flow

    As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.

    So, this should be expected.

    For more information about ALE Filtering:

    Application Layer Enforcement (ALE) Stateful Filtering

    http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx

    I do hope this answers your question.

    Thanks.

    --
    --If the reply is helpful, please Upvote and Accept as answer--
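
Added example, not part of the original question or answer: a Python sketch that parses the rendered 5152/5157 message text in the layout quoted in the question and counts blocked packets by application, direction, protocol and destination, so repeated noise stands out from one-off blocks. In the quoted event the destination 239.255.255.250 on UDP port 3702 is the WS-Discovery multicast address and port. The function names are illustrative and the second sample event is a constructed variant of the first.

```python
import ipaddress
import re
from collections import Counter

# Labels as they appear in the rendered 5152 message quoted in the question.
FIELDS = ("Application Name", "Direction", "Source Address", "Source Port",
          "Destination Address", "Destination Port", "Protocol",
          "Filter Run-Time ID", "Layer Name")
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_wfp_event(text):
    """Turn one rendered 5152/5157 message into a dict keyed by field label."""
    record = {}
    for label in FIELDS:
        m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(\S.*?)[ \t]*$",
                      text, re.MULTILINE)
        if m:
            record[label] = m.group(1)
    return record

def triage_key(record):
    """Reduce a record to the tuple worth counting when the log is noisy."""
    dest = ipaddress.ip_address(record["Destination Address"])
    proto = int(record["Protocol"])
    app = record["Application Name"].rsplit("\\", 1)[-1].lower()
    return (app, record["Direction"], IP_PROTOCOLS.get(proto, str(proto)),
            str(dest), int(record["Destination Port"]), dest.is_multicast)

def summarize(messages):
    """Count blocked packets per (app, direction, protocol, dest, port, multicast)."""
    return Counter(triage_key(parse_wfp_event(m)) for m in messages)

# The event from the question, then a constructed variant from another source host.
EVENT_FROM_PAGE = r"""
Application Name: \device\harddiskvolume2\windows\system32\dashost.exe
Direction: Inbound
Source Address: 10.5.3.49
Source Port: 58248
Destination Address: 239.255.255.250
Destination Port: 3702
Protocol: 17
Filter Run-Time ID: 936101
Layer Name: Receive/Accept
"""
CONSTRUCTED = EVENT_FROM_PAGE.replace("10.5.3.49", "10.5.3.50").replace("58248", "50211")

if __name__ == "__main__":
    for key, count in summarize([EVENT_FROM_PAGE, CONSTRUCTED]).most_common():
        print(count, key)
```

A key whose last element is `True` is a multicast destination; events from several source hosts collapse into one row because the source address and port are deliberately left out of the key.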
