Event ID: 11001 Source: MicrosoftFirewall

Level
Description
Microsoft Firewall failed. The failure occurred during Initialization of <process> because the configuration property of the key <registry key> could not be accessed. Use the source location <location id> to report the failure. The error code in the Data area of the event properties indicates the cause of the failure.

For more information about this event, see ISA Server Help.

The error description is: The system cannot find the file specified.
Comments
 
Process: "reverse Network Address Translation (NAT)" Key: [...]\ClientSetsExcluded - The error is generated only if you are publishing any servers. It is looking for a registry key called "ClientSetsExcluded" which it simply does not create when you create the publishing rule.
To fix it, go into the properties of every one of your published servers and click the "Applies To" tab. On that tab there is an "Exceptions" area. Add a dummy client set to the exceptions. Hit OK and wait a few seconds, then go back in and remove the exception. Adding and removing the exception creates the registry key that it is looking for and the errors stop. To check that the registry has been successfully updated, look in the event viewer, make a reference of the number after PNATServerMappings, go into the registry, look for the matching number and see if ClientSetsExcluded has been created under the number.

For example, for the above error I would make a reference of {E1F6B393-EF5A-4870-FF9-0AFA3DAFBF9D} in the event viewer and see if ClientSetsExcluded has been created under it in the registry, and then move to the next occurrence of the error in the event viewer.
Process: "Reading packet filters" Key: [...]/Credentials - no info

Process: "reverse Network Address Translation (NAT)" - From a newsgroup post: "You have two server publishing rules that are failing because they can't locate the data set for "Client Sets Excluded" in the definition. Find the publishing rule name by opening the registry and drilling down to SOFTWARE\Microsoft\Fpc\Arrays\{879D0913-2135-4F40-A6B5-E767CA7560F7}\Publishing\PNATServerMappings\{SPRGUID}. The entry "msfpcName" contains the name of the server publishing rule. Locate that rule and edit the "Client Sets Excluded" data and re-save the rule. This should fix it."

From another post: "I applied SP1 to the ISA server and hotfixes 174 and 177 and the 11001 hasn't popped up since."
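
The registry check described in the comments above can be done for every server publishing rule in one pass instead of one GUID at a time. This is an added example, not part of the original comments or of ISA Server: the function name `Get-PnatRuleStatus` is hypothetical, the `HKLM` hive is an assumption (the page gives the path only from `SOFTWARE\` onward), and because the page does not say whether `ClientSetsExcluded` is a subkey or a value, the script accepts either.

```powershell
# Added example. Assumption: the Fpc tree is under HKEY_LOCAL_MACHINE.
$ArraysRoot = 'HKLM:\SOFTWARE\Microsoft\Fpc\Arrays'

function Get-PnatRuleStatus {
    param([string]$Root = $ArraysRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Registry path not found: $Root"
        return
    }

    # One subkey per array GUID, as in the path quoted from the newsgroup post.
    foreach ($array in Get-ChildItem -LiteralPath $Root) {
        $mappings = "$($array.PSPath)\Publishing\PNATServerMappings"
        if (-not (Test-Path -LiteralPath $mappings)) { continue }

        # One subkey per server publishing rule ({SPRGUID} in the post).
        foreach ($rule in Get-ChildItem -LiteralPath $mappings) {
            # Assumption: ClientSetsExcluded may be stored as a subkey or as a value.
            $asSubkey = Test-Path -LiteralPath "$($rule.PSPath)\ClientSetsExcluded"
            $asValue  = $rule.GetValueNames() -contains 'ClientSetsExcluded'

            [pscustomobject]@{
                ArrayGuid             = $array.PSChildName
                RuleGuid              = $rule.PSChildName
                RuleName              = $rule.GetValue('msfpcName')  # rule name shown in ISA Management
                HasClientSetsExcluded = ($asSubkey -or $asValue)
            }
        }
    }
}

# List only the rules that still lack the entry event 11001 complains about.
Get-PnatRuleStatus |
    Where-Object { -not $_.HasClientSetsExcluded } |
    Format-Table RuleName, RuleGuid, ArrayGuid -AutoSize
```

The script only reads the registry. Match the `RuleGuid` column against the GUID after PNATServerMappings in the event text, then fix the rule through its properties as described in the comments.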
