Event log 36887

I receive the following event.....
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 42. I cannot find much information on this. does anyone have any insight?
Thank you

Hi,
Did there run IIS on the server? This error message indicates the computer received an SSL fatal alert message from the server. It may be caused by accessing web site or the installation of third party web browsers or others. Did you remember any specific
operation that had been done before this issue occurred? For examples, install any third-party application or others? Please refer to following thread and check if can help you.
Event ID: 36887 Source: Schannel, Error: The following
fatal alert was received: 0.
In addition, please also refer to following KB and enable Schannel event logging, then check if get more clues.
How to enable Schannel event logging in IIS
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Similar Messages

Continuous "36888 Schannel Errors" in System Event Log when NOT connected to Internet

We are hoping someone will be able to assist with us this very strange issue please ?
We are using Windows 8.1 x64 Enterprise with Office 2013 and the latest Symantec Endpoint Proctecion v12.1.5 installed. They are managed using SCCM2012 in a large AD domain environment
When our workstations are NOT connected to the internet (only local intranet) the following errors appear in SYSTEM event log almost continuously (several times a minute).
Event ID:36888 User: SYSTEM OpCode:Info Level:Error Source:SChannel
"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows Schannel error state is 11."
The process associated with these events is "Local Security Authority Process"
When an internet connection is enabled for these machines these 36888 errors will suddenly stop !.
An event "Error 36887 "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40." Is also occurring on these machines but only occasionally.
As a result, We suspect there must be a process continuously attempting to connect to an internet service and failing ?.
Some of the things we have tried so far;
- We have disabled all non-essential services (e.g. Windows Store Service) one by one but this didn't fix.
- We have tried disabling Tile updates on Start
- We have tried a bunch of different Group Policy settings to disable different combinations of TLS/SSL in IE config.
- We have searched the internet forums and tried some suggested fixes but this combination of error state and error code seems unique ?.
It doesn't happen on our Windows 7 x64 workstations that have much same apps & configuration.
Any advice or suggestions would be greatly appreciated !
Thanks.

Hi Makes006,
This Event ID 36888 occurs if a user tries to access a web site using HTTP but specifies an SSL port in the URL.
We can try clean boot to troubleshoot whether this issue is caused by a third party program .
How to perform a clean boot in Windows
http://support.microsoft.com/kb/929135
If there is no sensible impacts on operating the machines ,we can try to disable this log by modify the following registry key value to 0.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
For more information, please refer to the following link:
How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729
Regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Schannel errors on three of my DC's; Event ID 36887, Alert 46

I too am recieving the elusive schannel errors on three of my DC's, Event ID 36887, Alert 46. They only happen occasionally, at seemingly arbitrary times.
All three are Domain Controllers only; no IIS installed, no Exchange servers. No one logs in to these and browses from them (yes, I checked the event logs). There are no third party browsers installed. I have even tried disabling TLS
in the IE settings, no luck (not sure how or wy that would even work).
I have read as many forum posts as I can on this, and am still no closer to understanding what is going on.
How do I track this down?
EventID : 36887
MachineName : DCXY.Domain.us
Data : {}
Index : 27206
Category : (0)
CategoryNumber : 0
EntryType : Error
Message : The following fatal alert was received: 46.
Source : Schannel
ReplacementStrings : {46}
InstanceId : 36887
TimeGenerated : 3/26/2012 7:21:36 AM
TimeWritten : 3/26/2012 7:21:36 AM
UserName : NT AUTHORITY\SYSTEM
Thanks!

I REALLY NEED HELP! I AM NEW TO THIS LAPTOP, AND I DO NOT UNDERSTAND THIS IN MY EVENT VIEWER, IT SHOWS FATAL ERROR:
Provider
Name]
Schannel
Guid]
{1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID
36887
Version
0
Level
2
Task
0
Opcode
0
Keywords
0x8000000000000000
TimeCreated
SystemTime]
2014-01-12T21:23:37.220815100Z
EventRecordID
5190
Correlation
Execution
ProcessID]
660
ThreadID]
6336
Channel
System
Computer
5CD3182MR2
Security
UserID]
S-1-5-18
EventData
AlertDesc
40
I REALLY NEED HELP WITH THIS I AM ON A NEW LAPTOP AND DONT UNDERSTAND!! PLEASE ADVISE OR HELP!!

Schannel errors on our Primary DC's; Event ID 36887, Alert 46

I have one of my 4 Domain Controllers that is getting this EventID 36887 error every 60 seconds since our DC cert auto-renewed itself. The internal CA is running on an non-DC server. How do I determine what's triggering this alert so that I can
squash it? This alert is from the System Event logs on our Primary 2008 R2 DC (ORLDC01.cnlgroup.com).
Log Name:      System
Source:        Schannel
Date:          1/13/2014 5:06:56 PM
Event ID:      36887
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      ORLDC01.cnlgroup.com
Description:
The following fatal alert was received: 46.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-13T22:06:56.581253200Z" />
    <EventRecordID>493191</EventRecordID>
    <Correlation />
    <Execution ProcessID="552" ThreadID="1848" />
    <Channel>System</Channel>
    <Computer>ORLDC01.cnlgroup.com</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
    <Data Name="AlertDesc">46</Data>
</EventData>
</Event>

Hi,
Based on my research, the error code which means certificate_unknown(46), to find out what triggered this alert. I think you need capture a network trace while getting this error. More information please refer below article:
How to use Network Monitor to capture network traffic
http://blogs.msdn.com/b/ssasfaq/archive/2012/09/17/how-to-use-network-monitor-to-capture-network-traffic.aspx
If there have no impact related this error, we can safely ignore this error. Otherwise, to address this error we might need capture ETL trace and networks trace. It is not an efficient way to work in this community since we may need more resources, if need
further troubleshooting I would like to suggest you submit a service request to MS Professional tech support service so that a dedicated Support Professional can further assist with this request.
Please visit the below link to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Thanks

Event ID 36887 Schannel - fatal alert code 49

Use process explorer and refer to the PID in the event log. This should at least tell you what program is creating the event, narrowing down the cause a bit.

Windows Server 2012 R2 Hyper-V VM Fileserver.
Have these errors happening consistently in event viewer every 2 to 3 minutes.
Am not running web server, just a file server.
Any ideas on how to track this down?
Not seeing much info on 36887 with code "49"
Anyone else had/solved this problem?
This topic first appeared in the Spiceworks Community

Event ID 36887, Schannel 45

Hi,
I've been noticing the following in the Event Log:
Event 36887, Schannel
The following fatal alert was received: 45
Log Name - System
Source - Schannel
Event ID - 36887
Level - Error
User - System
OpCode: Info
It points to an expired certificate, the thing is there are no expired certificates on this server. The one SSL cert that I do have (for our RMM tool/IIS) is good until 2017 and has been on the system since 2012.
I ran DigiCert's utility for finding expired certificates to confirm this.
We thought it may be related to ConnectWise (our PSA) and had that certificate re-issued (although it was good for a couple more years also) and it made no change. I get the errors about once per 5 minutes on this server. It's running Server
2008 R2 and is fully patched.
Any ideas on how I can track down what certificate, if any, is causing this error?
Thanks,
Marc

Hi Marc,
I am sorry for the delay.
Are there any related error messages logged under Application Logs?
If not, then we can safely ignore this message, please refer to some related links below:
event id 36887, alert 45
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6cd9c7dd-140a-4779-9d8e-1059f7769cba/event-id-36887-alert-45?forum=winserversecurity
36887 Event Id
http://social.technet.microsoft.com/Forums/windowsserver/en-US/4b138f13-5c5c-43f5-80b5-bcc50bc4be60/36887-event-id?forum=winservergen
SSL/TLS Alert Protocol & the Alert Codes
http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx
I hope this helps!
Best Regards,
Amy Wang

I have a HP LaserJet M4555h MFP, how do I know if my firmware is corrupt, is it in the event log?

Model of MFP = HP LaserJet M4555h MFP = CE738A
With fax accessory for HP LaserJet MFP Analog 500 = CE737A
Firmware Datecode = 20120623
Firmware Revision = 2200643_228339
The inital issue was receiving faxes, so I updated the firmware to the above listed. In the event log it shows since the firmware was updated on Nov 7th the following:
The device keeps prompting to restart the printer.... I haven't been able to screen capture the message off the device yet... on the Information tab through the EWS it's shown: "An unexpected error occurred. We apologize for the inconvenience. Please try again." What is that suppose to mean?
Faxing has stopped working completely....
Can you tell me if this means the firmware is corrupt and show be re-loaded?
Or suggest what my next steps would be?
Anything is helpful...Thanks HP Seeker.

Hello, you can also try a partial clean and reload the latest firmware, see if that will work.

I wonder to know what is the enterprise solution for windows and application event log management and analyzer

Hi
I wonder to know what is the enterprise solution for windows and application event log management and analyzer.
I have recently research and find two application that seems to be profession ,1-manageengine eventlog analyzer, 2- Solarwinds LEM(Solarwind Log & Event Manager).
I Want to know the point of view of Microsoft expert and give me their experience and solutions.
thanks in advance.

Consider MS System Center 2012.
Rgds

Unable to stop the event logs on access point console

Hi team,
I have an AIR-LAP1131AG-E-K9 access point having ios c1130-k9w8-mx.124-21a.JHB1.
When I am trying to take the console of it there are many logs generated like LWAPP ...Go join the controller, Discover controller etc. and the ap is unable to register to the controller(2112 with ios version 6.0.199.4). I'm trying to enter the command but there are many event msg generated....How do i stop this event log. I tried entering the command no debug all. but still there are many logs...
I want to enter the the following commands
#lwapp ap ip address <ip addr>.
#lwapp a pip default-gateway <gateway ip addr>
#lwapp ap controller ip addr <controller ip>
#wr me
Revert me back on urgent basis
Thanks in advance..

Thanks Rashika,
Now the access point got registered to the controller..This happened becuse of country Code..
I have changed the country code to UK, Belgium it started working fine.
Initially when it was IN the access point was not getting register..
But now the problem which arised is that the user is unable to get authenticated to the radius server.
Radius server is reachable and we have done every changes required for radius server authentication.
Users are getting rejected.
Customer is saying that the radius server is in IN domain and the WLC/access point is in UK,BE and hence the users are unable to connect..
Is it so??
Rply
Thanks in advance...

Lots of Anyconnect Error Message in Windows Event Log

Hi Community.
We have lots of Anyconnect Error Messages in the Windows Event Log. Following two examples.
Can anyone tell me why these errors appears and how do I fix them ? I already installed the newest Anyconnect on my machine.
Thanks in advance and Kind Regards Patrick
Example 1
<Provider Name="acvpnagent" />
<EventID Qualifiers="9216">2</EventID>
<Keywords>0x80000000000000</Keywords>
<EventRecordID>97564</EventRecordID>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
- <EventData>
<Data>Function: CNetEnvironment::logProbeFailure File: .\NetEnvironment.cpp Line: 1432 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27066354 (0xFE63000E) Description: HTTP_PROBE_ASYNC_ERROR_CANNOT_CONNECT HTTP (host: 109.164.211.237)</Data>
</EventData>
Example 2
<Provider Name="acvpnagent" />
<EventID Qualifiers="9216">2</EventID>
<Keywords>0x80000000000000</Keywords>
<EventRecordID>97565</EventRecordID>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
- <EventData>
<Data>Function: CNetEnvironment::TestAccessToSG File: .\NetEnvironment.cpp Line: 1385 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target</Data>
</EventData>

HI and welcome to Discussions,
in my personal opinion there is not much for you to worry about.
The 'Windows Tool for the elimination of malware' is nothing you miss as long as you have a decent Anti-Virus Software running.
The update for the IE 7 might be missing an installed IE 7, which can do by downloading it yourself from Microsofts webpage.
If you don't use the IE but something like Firefox or Opera or Safari, than don't bother with these update.
Stefan

How to write to windows event logs from determinations-server under IIS

This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
<appSettings>

<add key="log4net.Internal.Debug" value="true"/>
</appSettings>
<system.diagnostics>
<trace autoflush="true">
<listeners>
<add
name="textWriterTraceListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="logs/InfoDSLog.txt" />
</listeners>
</trace>
</system.diagnostics>
To add an appender for the windows event viewer, try the following in the log4net.xml:
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
<param name="ApplicationName" value="OPA" />
<param name="LogName" value="OPA" />
<param name="Threshold" value="all" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
</layout>
<filter type="log4net.Filter.LevelRangeFilter">
<levelMin value="WARN" />
<levelMax value="FATAL" />
</filter>
</appender>
<root>
<level value="warn"/>
<appender-ref ref="EventLogAppender"/>
</root>
To put the OPA logs under the Application Event Log group, try this:
Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
1.     Click Start, and then click Run.
2.     In the Open text box, type regedit.
3.     Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
4.     Right-click the Application subkey, point to New, and then click Key.
5.     Type OPA for the key name.
6.     Close Registry Editor.
To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
Create an event log in Registry Editor. To do this, follow these steps:
1.     Click Start, and then click Run.
2.     In the Open text box, type regedit.
3.     Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4.     Right-click the eventlog subkey, point to New, and then click Key.
5.     Type OPA for the key name.
6.     Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
7.     The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
8.     Right-click the OPA subkey, point to New, and then click Key.
9.     Type OPA for the key name.
10.     Close Registry Editor.
You might need to change permissions so OPA can write to the event log in Registry Editor. If you get permission errors, try following these steps:
1.     Click Start, and then click Run.
2.     In the Open text box, type regedit.
3.     Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4.     Right-click the EventLog key, select Permissions.
5.     In the dialog that pops up, click Add...
6.     Click Advanced...
7.     Click Locations... and select the current machine by name.
8.     Click Find Now
9.     Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
10.     Change the Network user to have Full Control
11.     Click Apply and OK
To verify OPA Logging to the windows event logs from Determinations-Server:
Go to the IIS determinations-server application within Server Manager.
Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that show the wsdl endpoints.
Select the /determinations-server/server/soap.asmx?wsdl link
Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
Edited by: Paul Fowler on Feb 21, 2013 9:45 AM

Thanks for sharing this information Paul.

Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

I got the following problem:
I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
Also, SQL Agent Service won't run
The only change that day was security
update KB2964444 - Security
Update for Internet Explorer 11 for Windows Server 2008 R2for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
When I try to start Windows Event Log via net
start eventlog or via Services
panel, I get an error:
C:\Users\Administrator>net start eventlog
The Windows Event Log service is starting.
The Windows Event Log service could not be started.
A system error has occurred.
System error 2 has occurred.
The system cannot find the file specified.
I tried:
restarted the OS (virtual on the host's VMWare).
re-checked the settings in services menu -they are like in the link.
checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog -
the identity is NT
AUTHORITY\LocalService
gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
ran fc /scannow - Windows Resource Protection did not find any integrity violations.
went to the file %windir%\logs\cbs\cbs.log -
all clean, [SR] Repairing 0 components
EDIT: Uninstalled the recent system updates and rebooted - didn't help
EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
filters:
process name is svchost.exe : include
operation contains TCP : exclude
the events captured are:
21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
NOTE: previoulsy, for
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I also got NAME
NOT FOUND error ,so I created the new string value for the Parameters with
the name ServiceDll and
data %SystemRoot%\System32\wevtsvc.dll (copied
from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key)
and this event now is
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I also checked for the presence of wevtsvc.dll in
the place and it's there.
Also, I tried to capture all events with path containing 'event' and
got following events firing every several seconds:
21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
Also, I tried to capture all the events containing 'file',
excluding w3wp.exe,
chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file ih the time I try to start
the event logger (if run from cmd - there are several hits by net executable,
not present if run from the panel).
What can be done?

Hi,
I don’t found the similar issue, if you have the IE 11 please try to update system automatic or install the MS14-029 update.
The related KB:
MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7
SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
http://support.microsoft.com/kb/2961851/en-us
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Questions about BT Home Hub 4A event log - WIFI c...

Hope someone can help please ?
I had BT inifinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks. I restored network settings and other options suggested by Apple but to no avail.
I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices. I went into the hub management page but I am not smart enough to decifer the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DCHP ? or is this (Static ? alright)
The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
Is there any setting I can change to fix this because I am concerned the same this will happen to the other devices and then the laptop....
What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse.
Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
Please can you review the event log and my questions ?
Many thanks
angie 2601
The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
(Latest (7.16am) at the top
Message
07:16:39, 08AUG
(1224785.050000) Admin login successful by 192.168.1.64 on HTTP (1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP (1224648.050000) New GUIsession from IP 192.168.1.64
(1224466.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
(1224362.750000) lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1224362.750000) Device connected: Hostname:Unknown-d8:d1:cb:ec:a6:feiP:
192.168.1.65 MAC:d8:dl:cb:ec:a6:fe lease time: 1440 min. link rate:90.0 Mbps
(1224362.690000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
(1224241.150000) lease for IP 192.168.1.64 renewed by host FAMILY (MAC
00:13:02:de:6d:e6). Lease duration:1440 min
(1224241.150000) Device connected: Hostname: FAMii.Y IP:192.168.1.64 MAC:
00:13:02:de:6d:e6 Lease time: 1440 min. link rate: 54.0 Mbps
(1224241.090Cl00) Lease requested
wlan1TA 00:13:02:de:6d:e6 IEEE 802.11:Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:34905->31.13.72.38:443 on ppp1)
(1223644.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlanl: STA d8:d1:cb:ec:a6:-fe IEEE 802.11:CHent diSassociated
(1223489.390000) Lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1223489.380000) Device connected:Hostname:Unknown-d8:dl:cb:ec:a6:fe IP:
192.168.1.65 MAC: d kd1:cb ec:-a6-:fe Lease time: 1440 min. Link rare: 90.0 Mbps
(1223489.330000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disasSociated
wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
OUT;BLOCK [9] Packet i valid in connection (TCP
192.168.1.66:34375->31.13.72.38:443 on pppl)
l'N':BLOCK [16-} Remote administration {ICMP type 8 code 0
117.1.42.94->86.182.228.205 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:44156 on ppp1) IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:36615 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP
192.1-68.1.68:49476->173.252.103.16:443 OR ppp1)
BLOCKED 5 more packets (because of Packet invalid in connection) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.68:49443->95.100.195.205:443 on ppp1)
OUT:BLOCK {9] PaCket invalid in connection (TCP
192.168.1.68:49438->95.100.194.217:443 on ppp1)
IN:BLOCK [9] Packet invalid in connection (TCP
95.100.194.217:443->86.182.228.205:49444 on ppp1)
(1222111.810000) Lease for IP 192.168.1.68 renewed by host Unknown-
70:56:81:46:bf:d9 (MAC 70:56:81:46:bf:d9).Lease duration:1440 min
(1222111.810000) Device connected:Hostname:Unknown-70:56:81:46:bf:d9 IP:,
192.168.1.68 MAC:70:56:8:t:46:bf:d9lease time:1440 min. Link rate:52.0 Mbps
(1222111.750000) Lease requested .-
wlanO: STA 70:56:81:46:bf:d9 IEEE 802.11: Client associated • (1222093.690000) Device dlsconn: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168. MAC: 00:25:00:b7:35:f6 wlanoTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66-:43272->31.13.72.33:443 on ppp1)
221969.130000) lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1221969.130000} Devicconnected: Hostname·:Unknowwoo·:25:00:b7 35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1221969.070000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
(1220365.290000) Device disconnected: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1220348.230000) Lease for IP 192.168.1.67 renewed by host Unlmown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6).lease duration: 1440 min
(1220348.230000) Device connected: Hostname:Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1220348.170000) lease requested
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
IN: BLOCK f16] Remote administration (TCP
123.151.42.61:12233->86.182.228.205:8080 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
:t92.Hi8.1.66:53813->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:43989->31.13.72.33:443 on ppp1)
IN: BLOCK [16] Remote administration (ICMP type 8 rode 0
2.7.251.109.227->86.182.228.205 on pppl)
(1216770.650000) Device disconnected:Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
OUT:BLOCK [9j Packet invalid in connection (TCF
192.168.1.67:49180->74.125.136.109:993 on ppp1)
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1216753.280000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1216753.270000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25.:00-:.b7.:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1216753.220000) lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client assodat
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:55944->23.21.78.229:443 on ppp1)
OUT: BLOCK [9J Packet invafid in connection (TCP
192.168.1.66:34794->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:41441->31.13.72.33:443 on ppp1)
{1213176.020000) Device disconnected:.Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC:00:25:00:b7:35:f6 wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1213158.410000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min _./:\ (1213158.400000) Device connected:Hostname:Unknown-00:25:00:b7:35:ftt.Y IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min.Unk rate: 54.0
Mbps
(1213158.340000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
OUT:BLOCK (9] Packet invalid in connection (TCP
192.168.1.66:59767->176.34.180.243:443 on ppp1) OUT;BLOCK [9] P.acket invalid in connection {TCP
192.168.1.66:56075->31.13.72.33:443 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66 581:1:0->31.13.72.33:443 on ppp1)
BL.OCKED 2 more packets (because of Packet invalid in connection) OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:56251->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:36959->31.13.72.33:443 on ppp1)
BlOCKED 1more packets (because of Packet invalid in connection)

It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly when ever they need to
See link how to change SSid.
http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
Once you have changed the SSid I would delete the network connection on the Ipod touch and start again.

Warning on Event Log of Aironet 1300 Bridge

I've been getting warning messages from the event log of a 1300 series bridge, which is set as an Access Point in the network, states: 'Packet to client (mac address) reached max retries, removing the client'; I'm not sure why the client is removed. Does 'reached max retries' mean that the client has tried to many times to connect to the AP/Bridge? What are other possible reasons why?

It means the AP has attempted to send a packet to the client and has not received an ack from it. The AP assumes the client is no longer in range of it and disconnects it.
Sent from Cisco Technical Support iPad App

How To Block logging of 405's to Event Log?

I've got a webserver accessible to the outside world that comes under constant vulnerability scans, many of which involve accessing .exe filetypes.
When any of these scans are made, not a 404, but a 405 error message is generated.
Each 405 is stored in the event log, clogging up the eventlog and making it difficult to search for useful information.
Is there any way to block 405 error messages from being put into the event log or perhaps a way to force a 404 error message in such cases?
I do use some CGIs so altering .exe in mime.types won't do. I'm running win2k adv. server.
-R

The customary way to force the server to return a 404 for an arbitrary resource is to use the deny-existence SAF. However, deny-existence will itself log a message each time a "denied" resource is requested, so this probably isn't what you want.
Fortunately, there are numerous ways to address the issue. One possibility is redirecting accesses to these resources elsewhere, e.g. to your web site's front page. The following 3 lines could be added to the end of obj.conf to redirect requests for URIs that end in "/system32/cmd.exe":
<Object ppath="*/system32/cmd.exe">
NameTrans fn="redirect" from="/" url="/"
</Object>

Event log 36887

Similar Messages

Maybe you are looking for