Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 4294 Source: IPSec

The IPSec driver has entered Secure mode. IPSec policies, if they have been configured, are now being applied to this computer.
The IPSec Driver (%SystemDirectory%\drivers\ipsec.sys) is loaded at system startup, regardless of the startup setting for the IPSEC Service (PolicyAgent). The Driver has an OperationMode registry entry (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\IPSec, which determines how the driver will function until/if the IPSEC Service starts. One of three System events will be logged almost a minute after EventLog's 6009 startup event, depending on the OperationMode setting and startup type for the IPSEC Service. Here's the driver registry settings and resulting System events:

OperationMode 0- Permit(Bypass). Causes Event 4295.
OperationMode 1- Block. Causes Event 4296.
OperationMode 2- (Reserved). Causes Event 4295.
OperationMode 3- Stateful. Causes Event 4297.

Event 4294 will occur once the IPSEC Service starts, about 8 seconds after the event for the Driver if the Service's startup type is Automatic.
Event 4295 (Bypass) will occur if the Service is Disabled, regardless of the OperationMode registry setting.

See ME254949, and the links to “Understanding IPSec Driver Startup Modes” and “Thread - Error contacting the DC server” for additional information.
When you try to open the Internet Protocol security (IPSec) Microsoft Management Console (MMC) policy on a Microsoft Windows Server 2003-based computer this event might be logged. A corrupted file in the policy store can cause this problem. An interruption that occurs when the policy is being written to the disk may cause the corruption. See ME870910 for more information about this situation.
See ME555281 for information on how to create offline L2TP/IPSec certificates.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.