
Windows Event ID 4948 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Security Association Established

Event ID 4948 indicates successful establishment of an IPsec Main Mode security association between two endpoints, confirming secure tunnel creation for encrypted network communications.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4948 represents a successful IPsec Main Mode negotiation completion in Windows security auditing. IPsec Main Mode is the first phase of the Internet Key Exchange (IKE) protocol, responsible for establishing a secure channel between two IPsec peers before any actual data transmission occurs.

During Main Mode negotiation, both endpoints authenticate each other using certificates, Kerberos tickets, or pre-shared keys, then negotiate encryption algorithms, hash functions, and Diffie-Hellman groups for key generation. Once this phase completes successfully, Windows logs Event ID 4948 with comprehensive details about the established security association.

The event includes crucial information such as the source and destination IP addresses, authentication methods used, encryption algorithms selected, and the security association's lifetime parameters. This data proves invaluable for troubleshooting IPsec connectivity issues, validating security policy compliance, and maintaining audit trails for regulatory requirements.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event logging to include additional cryptographic details and improved correlation with related IPsec events. The event now provides better visibility into the negotiated security parameters, making it easier to identify potential security weaknesses or policy misconfigurations in your IPsec deployment.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Successful IPsec policy negotiation between domain-joined computers implementing server or domain isolation
  • VPN client establishing secure tunnel connection to Windows RRAS server or DirectAccess infrastructure
  • Site-to-site IPsec tunnel establishment between branch offices or partner organizations
  • Windows Firewall with Advanced Security triggering IPsec authentication for specific connection security rules
  • Third-party IPsec client successfully authenticating with Windows-based IPsec gateway
  • Automatic IPsec SA refresh occurring when existing security associations approach expiration
  • Network adapter or routing changes triggering new IPsec negotiations for existing policies
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the complete event details to understand the IPsec negotiation parameters and endpoint information.

  1. Open Event Viewer → Windows Logs → Security
  2. Filter for Event ID 4948 using the filter option or search functionality
  3. Double-click the most recent Event ID 4948 entry to view detailed information
  4. Review the following key fields in the event details:
    • Local Address: Your system's IP address in the IPsec negotiation
    • Remote Address: The peer system's IP address
    • Authentication Method: Kerberos, Certificate, or Pre-shared Key
    • Main Mode Crypto Suite: Encryption and hash algorithms used
    • SA Lifetime: How long the security association remains valid
  5. Note the timestamp to correlate with network connectivity issues or policy changes
  6. Check for corresponding Event ID 4949 (Main Mode SA deleted) to understand SA lifecycle
Pro tip: Export multiple 4948 events to CSV for pattern analysis across different time periods or network segments.
02

Use PowerShell to Query and Analyze IPsec Events

Leverage PowerShell to efficiently query and analyze IPsec Main Mode events across multiple systems or time ranges.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4948 entries with detailed information (the message is split on `\r?\n` so that the carriage return Windows puts at the end of each message line does not end up in the extracted value):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948} -MaxEvents 20 | Select-Object TimeCreated, Id, @{Name='RemoteIP';Expression={(($_.Message -split '\r?\n' | Where-Object {$_ -like '*Remote Address:*'}) -replace '.*Remote Address:\s*','').Trim()}}, @{Name='AuthMethod';Expression={(($_.Message -split '\r?\n' | Where-Object {$_ -like '*Authentication Method:*'}) -replace '.*Authentication Method:\s*','').Trim()}}
  3. Filter events by specific remote IP addresses to track connections from particular endpoints:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like '*192.168.1.100*'}
  4. Count IPsec establishments by hour to identify peak usage patterns:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948; StartTime=(Get-Date).AddDays(-7)} | Group-Object @{Expression={$_.TimeCreated.ToString('yyyy-MM-dd HH:00')}} | Sort-Object Name
  5. Export detailed IPsec event data for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948; StartTime=(Get-Date).AddDays(-30)} | Select-Object TimeCreated, Message | Export-Csv -Path 'C:\Temp\IPsec_Events.csv' -NoTypeInformation
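The one-liners above each pull a single field; the following function, added here as an example and not the author's script, consolidates that parsing into reusable code that tolerates messages with a missing field, summarises negotiations per remote peer, and sorts peers that are not on an allow-list to the top (the anomalous-peer review the FAQ section recommends). The field labels are the ones listed in step 01; the 24-hour window, the allow-list contents and the `Label:<spaces>value` line layout are assumptions.

```powershell
# Added example: summarise Event ID 4948 by remote peer and flag peers not on an allow-list.
# Field labels follow the event fields listed in step 01; the regex assumes "Label:<spaces>value" lines.
function Get-IPsecMainModeField {
    param([string]$Message, [string]$Label)
    # Returns the value after "Label:" on its own line, or $null when the field is absent
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-IPsecMainModeSummary {
    param(
        [int]$Hours = 24,              # assumed review window
        [string[]]$KnownPeers = @()    # assumed allow-list of expected remote addresses
    )
    $filter = @{ LogName = 'Security'; Id = 4948; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $parsed = foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            LocalAddress  = Get-IPsecMainModeField -Message $e.Message -Label 'Local Address'
            RemoteAddress = Get-IPsecMainModeField -Message $e.Message -Label 'Remote Address'
            AuthMethod    = Get-IPsecMainModeField -Message $e.Message -Label 'Authentication Method'
            CryptoSuite   = Get-IPsecMainModeField -Message $e.Message -Label 'Main Mode Crypto Suite'
        }
    }

    # One row per remote peer: negotiation count and rate, auth methods and suites seen, allow-list status.
    # A high per-hour rate points at short SA lifetimes or a flapping tunnel; unknown peers need review.
    $parsed | Where-Object { $_.RemoteAddress } | Group-Object RemoteAddress | ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            RemoteAddress = $_.Name
            Negotiations  = $_.Count
            PerHour       = [math]::Round($_.Count / $Hours, 2)
            AuthMethods   = ($ordered.AuthMethod  | Sort-Object -Unique) -join ', '
            CryptoSuites  = ($ordered.CryptoSuite | Sort-Object -Unique) -join ', '
            FirstSeen     = ($ordered | Select-Object -First 1).TimeCreated
            LastSeen      = ($ordered | Select-Object -Last 1).TimeCreated
            KnownPeer     = ($KnownPeers -contains $_.Name)
        }
    } | Sort-Object @{Expression = 'KnownPeer'; Descending = $false},
                    @{Expression = 'Negotiations'; Descending = $true}
}

# Usage (allow-list values are constructed): unknown peers sort first, busiest peers within each group
Get-IPsecMainModeSummary -Hours 24 -KnownPeers @('192.168.1.100', '10.0.0.5') | Format-Table -AutoSize
```

Run it on a collector against the ForwardedEvents log by changing `LogName` in `$filter`; the parsing only works when events were forwarded with rendered text, since it reads the message body rather than raw event data.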
03

Verify IPsec Policy Configuration and Status

Examine the underlying IPsec policies and current security associations to ensure proper configuration and operation.

  1. Check active IPsec policies using netsh:
    netsh ipsec static show all
  2. View current Main Mode security associations:
    netsh ipsec dynamic show mmsas
  3. Examine Quick Mode SAs that depend on the Main Mode associations:
    netsh ipsec dynamic show qmsas
  4. For Windows Firewall with Advanced Security, check connection security rules:
    Get-NetIPsecRule | Where-Object {$_.Enabled -eq 'True'} | Select-Object DisplayName, Profile, Action
  5. Verify IPsec service status and configuration:
    Get-Service -Name 'PolicyAgent' | Select-Object Name, Status, StartType
  6. Review Group Policy IPsec settings if domain-joined:
    • Open Group Policy Management Console
    • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → IP Security Policies
    • Verify assigned IPsec policies match your security requirements
Warning: Modifying IPsec policies can disrupt network connectivity. Always test changes in a lab environment first.
04

Monitor IPsec Performance and Troubleshoot Issues

Use advanced monitoring tools to track IPsec performance and identify potential security or connectivity problems.

  1. Enable IPsec audit logging for comprehensive troubleshooting:
    auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
  2. Monitor IPsec performance counters using Performance Monitor:
    • Open Performance Monitor (perfmon.exe)
    • Add counters from IPsec AuthIP IPv4 and IPsec AuthIP IPv6 objects
    • Focus on Main Mode Negotiations/sec and Main Mode Negotiation Failures
  3. Use Network Monitor or Wireshark to capture IKE traffic for detailed analysis:
    # Enable Windows Firewall connection logging (allowed and dropped packets) to correlate with the capture
    Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True -LogFileName 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
  4. Check for related error events that might indicate problems:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960,4961,4962,4963; StartTime=(Get-Date).AddHours(-24)} | Select-Object Id, TimeCreated, LevelDisplayName, Message
  5. Validate certificate health for certificate-based authentication:
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {$_.EnhancedKeyUsageList -like '*IP security*'} | Select-Object Subject, NotAfter, Thumbprint
05

Implement Advanced IPsec Monitoring and Alerting

Deploy comprehensive monitoring solutions to proactively track IPsec health and security across your infrastructure.

  1. Create a custom PowerShell monitoring script for automated IPsec health checks (the event source must exist before Write-EventLog can use it, so the script registers it on first run):
    # IPsec Health Monitor Script
    # Register the custom event source once; Write-EventLog fails if the source does not exist
    if (-not [System.Diagnostics.EventLog]::SourceExists('IPsec Monitor')) {
        New-EventLog -LogName 'Application' -Source 'IPsec Monitor'
    }
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948,4960; StartTime=(Get-Date).AddMinutes(-15)} -ErrorAction SilentlyContinue
    # Wrap in @() so .Count is 0 rather than an error when no events match
    $SuccessCount = @($Events | Where-Object {$_.Id -eq 4948}).Count
    $FailureCount = @($Events | Where-Object {$_.Id -eq 4960}).Count
    
    if ($FailureCount -gt 5) {
        Write-EventLog -LogName 'Application' -Source 'IPsec Monitor' -EventId 1001 -EntryType Warning -Message "High IPsec failure rate detected: $FailureCount failures in 15 minutes ($SuccessCount successful negotiations in the same window)"
    }
  2. Configure Windows Event Forwarding to centralize IPsec events:
    • Set up Event Collector server with wecutil qc
    • Create subscription for Event ID 4948 across domain computers
    • Use XPath query: *[System[(EventID=4948)]]
  3. Implement SIEM integration for security correlation:
    # Export IPsec events in SIEM-friendly format
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4948} -MaxEvents 1000 | ConvertTo-Json -Depth 3 | Out-File 'C:\Logs\IPsec_SIEM_Export.json'
  4. Set up scheduled tasks for regular IPsec policy validation:
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\IPsec-HealthCheck.ps1'
    $Trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
    Register-ScheduledTask -TaskName 'IPsec Health Check' -Action $Action -Trigger $Trigger -User 'SYSTEM'
  5. Create custom performance counters for business-specific IPsec metrics using Windows Performance Toolkit
Pro tip: Correlate Event ID 4948 with network performance metrics to identify the impact of IPsec overhead on application performance.
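Step 2 above describes the Event Forwarding subscription in outline; the following manifest, added here as an example rather than a file from the author or from Microsoft, registers a source-initiated collector subscription that forwards only Event ID 4948 from the Security log into ForwardedEvents, using the XPath query given above. The subscription name, description, batching and heartbeat values, and the SDDL that admits every domain computer are assumptions; the collector must already have been initialised with `wecutil qc`.

```powershell
# Added example: create a source-initiated WEF subscription for Event ID 4948 (run on the collector
# after 'wecutil qc'). Subscription name, batching values and the allowed-computer SDDL are assumptions.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wec/subscription">
  <SubscriptionId>IPsec-MainMode-4948</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward IPsec Main Mode SA established events (4948)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>50</MaxItems>              <!-- send once 50 events are queued ... -->
      <MaxLatencyTime>30000</MaxLatencyTime> <!-- ... or after 30 s, whichever comes first -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>      <!-- hourly check-in so silent sources are noticed -->
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4948)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>  <!-- keeps the message text the step 02 parsing relies on -->
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) the right to forward; narrow to a dedicated group in production -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'ipsec-4948-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding ASCII   # wecutil reads a plain-text manifest
wecutil cs $path                                                  # create the subscription
wecutil gr 'IPsec-MainMode-4948'                                  # runtime status: which sources have checked in
```

Source computers still need the collector's address in the SubscriptionManager Group Policy setting and the Network Service account in their Event Log Readers group, or nothing will be forwarded.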

Overview

Event ID 4948 fires when Windows successfully establishes an IPsec Main Mode security association (SA) between two network endpoints. This event appears in the Security log whenever the initial phase of IPsec negotiation completes successfully, creating the foundation for secure data transmission. Main Mode establishes the security parameters and cryptographic keys that will protect subsequent Quick Mode negotiations and actual data traffic.

This event is critical for organizations implementing IPsec policies for domain isolation, server isolation, or secure communications between branch offices. The event contains detailed information about the negotiated security parameters, including encryption algorithms, authentication methods, and the identities of both endpoints involved in the connection.

You'll typically see this event on domain controllers, VPN servers, and any Windows systems participating in IPsec-secured communications. The frequency depends on your IPsec policy configuration and network topology. Understanding this event helps validate that your IPsec infrastructure is functioning correctly and provides audit trails for security compliance requirements.

Frequently Asked Questions

What does Event ID 4948 mean and why is it important?
Event ID 4948 indicates successful establishment of an IPsec Main Mode security association between two network endpoints. This event is crucial because it confirms that the initial phase of IPsec negotiation completed successfully, establishing the secure foundation for encrypted communications. The event provides detailed information about authentication methods, encryption algorithms, and endpoint identities, making it essential for security auditing, compliance reporting, and troubleshooting IPsec connectivity issues.
How often should I expect to see Event ID 4948 in my environment?
The frequency of Event ID 4948 depends entirely on your IPsec policy configuration and network activity. In environments with domain isolation policies, you might see hundreds or thousands of these events daily as computers authenticate with each other. For site-to-site VPN connections, you'll typically see these events when tunnels establish or re-establish after maintenance. VPN environments might generate these events every few hours as security associations refresh. Monitor the baseline frequency in your environment to identify unusual patterns that might indicate security issues or policy changes.
What should I do if Event ID 4948 suddenly stops appearing?
If Event ID 4948 stops appearing when you expect IPsec connections, this indicates a serious problem with your IPsec infrastructure. First, check if the IPsec Policy Agent service is running using 'Get-Service PolicyAgent'. Verify that your IPsec policies are still active with 'netsh ipsec static show all'. Look for corresponding error events like 4960 (IPsec negotiation failure) in the Security log. Check network connectivity between endpoints and ensure certificates haven't expired if using certificate-based authentication. Review any recent Group Policy changes that might have modified IPsec settings.
Can Event ID 4948 help me identify security threats or unauthorized access attempts?
Yes, Event ID 4948 can be valuable for security monitoring when analyzed properly. Unexpected IPsec connections from unknown IP addresses might indicate unauthorized access attempts or compromised systems. Monitor for connections outside normal business hours or from geographic locations where your organization doesn't operate. Correlate these events with failed authentication attempts (Event ID 4960) to identify potential brute force attacks. However, remember that successful Event ID 4948 events represent legitimate, authenticated connections, so focus on anomalous patterns rather than the events themselves.
How can I use Event ID 4948 to troubleshoot IPsec performance issues?
Event ID 4948 contains timing and algorithm information that helps diagnose IPsec performance problems. Frequent Main Mode negotiations might indicate SA lifetime settings are too short, causing unnecessary overhead. Compare the negotiated encryption algorithms in the event details with your policy requirements - weaker algorithms might be selected due to compatibility issues. Use PowerShell to analyze the time intervals between 4948 events to identify patterns. Correlate these events with network performance metrics to determine if IPsec overhead is impacting application performance. Monitor for gaps in expected 4948 events that might indicate connectivity interruptions.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
