
Windows Event ID 4977 – Microsoft-Windows-Security-Auditing: During Quick Mode Negotiation, IPsec Received an Invalid Negotiation Packet

Event ID 4977 is logged when IPsec receives a packet it cannot process during Quick Mode negotiation. It is not a success event for a tunnel: Microsoft's description of the event says that if it persists it may indicate a network issue or an attempt to modify or replay the negotiation. The events that record an established Main Mode security association are 4650 and 4651.

Emanuel DE ALMEIDA, 18 March 2026

Event Reference

What This Event Means

Windows logs Event ID 4977 when the IPsec keying module (IKE or AuthIP) receives a packet it cannot process during Quick Mode negotiation. Microsoft's Security auditing reference words it as: "During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation." It is not a confirmation that a security association was set up. The success events for that are 4650 and 4651 (Main Mode SA established, without and with certificate authentication respectively), 4979 through 4982 when Extended Mode is also negotiated, and 5451 (Quick Mode SA established).

Quick Mode is the second IPsec negotiation phase. Main Mode (IKE phase 1) authenticates the two endpoints and agrees the keying parameters; Quick Mode (IKE phase 2) then runs inside that protected channel to negotiate the IPsec SAs that actually carry traffic, one per direction, and to rekey them before they expire. Because Quick Mode messages are encrypted and integrity-protected under the Main Mode SA, an "invalid negotiation packet" is one that arrived malformed, failed integrity checking, referenced a message ID or SPI that does not belong to a live negotiation, or arrived out of sequence.

The event records the local and remote addresses involved, which is what makes it usable. A handful of entries spread across many peers usually reflects lossy links, NAT devices or retransmissions around a rekey. A run of entries from one remote address within a short window is the pattern worth investigating: either a broken peer or middlebox on that path, or the modification or replay attempt that Microsoft's description warns about.

Two details trip people up. The event sits in the IPsec Quick Mode audit subcategory, not IPsec Main Mode, so enabling only Main Mode auditing never produces it. And it is classified as an audit Success event (the keyword describes the audit record, not the outcome of the negotiation), so a collection rule that only forwards failure audits will hide it.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • IKE Quick Mode packets corrupted or truncated in transit (a lossy link, or fragmentation problems with large IKE messages)
  • A NAT device or other middlebox that rewrites or drops part of the UDP 500/4500 exchange
  • Retransmitted or out-of-order Quick Mode messages arriving after the negotiation has completed or the SA they belong to has been deleted, typically around a rekey
  • A peer whose IPsec implementation sends a proposal or payload Windows cannot parse (third-party VPN gateways, mismatched vendor behaviour)
  • Deliberate modification or replay of the negotiation, the case Microsoft's own event text calls out when the event persists
  • Any of the tunnel types that negotiate Quick Mode on the host: VPN server or client connections, site-to-site tunnels, Windows Firewall connection security rules, DirectAccess, Always On VPN
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to see which peer sent the packet and what else happened around it.

  1. Open Event Viewer > Windows Logs > Security
  2. Filter the log for Event ID 4977
  3. Double-click the most recent entry
  4. Read the General tab: the message text is Microsoft's description of the event and names the local and remote addresses
  5. Click the Details tab and select XML View for the raw EventData, which is what scripts and SIEM parsers consume
  6. Note the following:
    • The local and remote addresses, which identify the peer that sent the invalid packet (take the exact Data element names from the XML view and use those in any filter you build)
    • EventRecordID and TimeCreated, so the entry can be lined up with neighbouring IPsec events
    • Whether the same remote address appears repeatedly in a short window, as opposed to one entry per peer
Pro tip: Before treating a 4977 as a problem, find the next 5451 (Quick Mode SA established) or 4654 (Quick Mode negotiation failed) for the same remote address; that tells you whether the negotiation recovered.
02

Query IPsec Events with PowerShell

Use PowerShell to query 4977 efficiently and to see the neighbouring IPsec events that explain it.

  1. Open PowerShell as Administrator
  2. Query recent Event 4977 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4977} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Dump every EventData field of the most recent entries by name, so the script does not depend on knowing the field names or their order in advance:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4977} -MaxEvents 10
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        Write-Host "Time: $($Event.TimeCreated)  Record: $($Event.RecordId)"
        foreach ($Data in $XML.Event.EventData.Data) {
            # Name attribute and text of each <Data> element; the local and remote addresses are among them
            Write-Host ("  {0,-24} {1}" -f $Data.GetAttribute('Name'), $Data.InnerText)
        }
        Write-Host "---"
    }
  4. Pull the events that describe how the negotiation went for the same peers: 4976 (invalid packet during Main Mode), 4654 (Quick Mode negotiation failed) and 5451 (Quick Mode SA established):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4654,4976,5451} -MaxEvents 10 | Format-Table TimeCreated, Id, Message -Wrap
03

Analyze IPsec Policy Configuration

Verify that the policy in force on the host, and the security associations it produced, are what you expect for the peer that is generating 4977.

  1. List the legacy IPsec policy store (policies created with the IP Security Policy snap-in or netsh ipsec; empty on hosts that only use connection security rules) and the active IKE state:
    netsh ipsec static show all
    netsh ipsec dynamic show all
  2. Review Windows Defender Firewall connection security rules, which is what most current deployments use:
    Get-NetIPsecRule | Format-Table DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity, KeyModule
  3. Show the Main Mode and Quick Mode security associations currently active on the host:
    Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, CipherAlgorithm, HashAlgorithm, KeyModule
    Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint
  4. For Group Policy-managed hosts, check where the settings come from:
    • Open the Group Policy Management Console
    • Connection security rules live under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security; legacy policies under Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policies
    • Confirm that the authentication method and crypto sets the rule assigns are the ones that appear in the 4650/4651 and 5451 events for the peer producing 4977
  5. Compare the Quick Mode crypto set the rule references with what the peer offers; a proposal Windows cannot parse is one source of 4977:
    Get-NetIPsecQuickModeCryptoSet | Format-List Name, DisplayName, Proposal
Warning: Modifying IPsec policies can disrupt existing secure connections. Test changes in a lab environment first.
04

Monitor IPsec Performance and Health

Implement ongoing monitoring so that a burst of 4977 from one peer is noticed rather than found after the fact.

  1. Create a PowerShell script that appends every new 4977 record to a log file, tracking the last record processed so that polling neither misses nor duplicates entries:
    # IPsec-Monitor.ps1
    $LogFile = "C:\Logs\IPsec-Monitor.log"
    $LastRecordId = 0
    while ($true) {
        $NewEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4977} -MaxEvents 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordId -gt $LastRecordId } | Sort-Object RecordId
        foreach ($Event in $NewEvents) {
            $XML = [xml]$Event.ToXml()
            # Take the field names from the record itself rather than relying on their position
            $Fields = foreach ($Data in $XML.Event.EventData.Data) { "$($Data.GetAttribute('Name'))=$($Data.InnerText)" }
            $LogEntry = "$($Event.TimeCreated.ToString('o')) Record=$($Event.RecordId) $($Fields -join ' ')"
            Add-Content -Path $LogFile -Value $LogEntry
            $LastRecordId = $Event.RecordId
        }
        Start-Sleep -Seconds 300
    }
  2. Watch the IPsec performance counters alongside the events; list what the host exposes first, then pick the paths you want to sample with Get-Counter -Continuous:
    Get-Counter -ListSet 'IPsec*' | Select-Object -ExpandProperty Paths
  3. Watch the Group Policy-assigned IPsec policy key for changes, since a policy change on one side is a common cause of sudden negotiation problems:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
  4. Run the monitor as a scheduled task that starts at boot under SYSTEM (a daily trigger would start a second copy of an already-running loop):
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\IPsec-Monitor.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "IPsec Health Monitor" -Action $Action -Trigger $Trigger -Principal $Principal
05

Advanced Troubleshooting with Network Traces

Perform packet-level analysis when a peer keeps producing 4977 and the Security log alone does not explain why.

  1. Make sure the audit subcategories are enabled (4977 belongs to IPsec Quick Mode; 4976 and the SA establishment events belong to IPsec Main Mode), then confirm with the Logon/Logoff category listing, which is where the IPsec subcategories live:
    auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
    auditpol /get /category:"Logon/Logoff"
  2. Start a packet capture limited to the peer in question so the trace stays small (203.0.113.7 stands for the remote address taken from the event):
    netsh trace start capture=yes maxsize=256 tracefile=C:\Traces\ipsec.etl IPv4.Address=203.0.113.7
  3. Reproduce the condition, or wait for the next 4977, then stop the trace:
    netsh trace stop
  4. Convert the ETL to pcapng with Microsoft's etl2pcapng tool, or open it in Network Monitor, and look at UDP 500/4500. After Main Mode completes, ISAKMP Quick Mode messages are encrypted under the Main Mode SA, so their payloads are not visible. What the capture does show is enough for most cases: duplicated or retransmitted messages, message IDs that do not match a live negotiation, truncated or fragmented datagrams, and packets from the peer that never reach the IKE port.
  5. Collect the Windows Filtering Platform diagnostic trace, which includes IKE and AuthIP state and is the current replacement for the pre-Vista Oakley log (the PolicyAgent\Oakley\EnableLogging registry switch and %SystemRoot%\debug\oakley.log do not apply to current Windows versions):
    netsh wfp capture start file=C:\Traces\wfp.cab
    (reproduce the problem)
    netsh wfp capture stop
  6. Correlate the IPsec audit events with the Windows Filtering Platform connection events for the same period; 5156 (permitted) and 5157 (blocked) require the Filtering Platform Connection audit subcategory:
    $StartTime = (Get-Date).AddHours(-1)
    $IPsecEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4976,4977,4654,5451; StartTime=$StartTime}
    $WfpEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156,5157; StartTime=$StartTime}
    # Line the two sets up by timestamp and remote address: a 5157 on UDP 500/4500 next to a 4977 points at the host firewall, not at the peer
Pro tip: Network traces grow quickly. Filtering on the peer address, or on UDP 500 and 4500 when using another capture tool, keeps them manageable.
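Steps 02 and 05 both come down to the same work: turn Security records into objects, then group the 4977 entries by peer and line them up with what else the host saw. The following PowerShell is an added example written for this page, not a script from the original article or from Microsoft. It runs offline on constructed sample records; the Data element names it assumes (RemoteAddress on 4977, and SourceAddress, DestAddress, SourcePort and DestPort on 5156/5157) should be confirmed against a live record's XML view, and the addresses, threshold and window sizes are illustrative.

```powershell
# Added example written for this page; not code from the original article or from Microsoft.
# Parses Security-log records into objects, flags peers that repeatedly trigger 4977, and
# correlates each 4977 with Filtering Platform Connection events (5156 permitted, 5157 blocked)
# for the same peer on UDP 500/4500. The sample records are constructed; the Data element names
# RemoteAddress (4977) and SourceAddress/DestAddress/SourcePort/DestPort (5156/5157) are
# assumptions to confirm against a live record's XML view before relying on them.

function ConvertFrom-SecurityEventXml {
    # Flatten one Security-log record (as returned by $Event.ToXml()) into an object with a Data hashtable.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $Doc    = [xml]$Xml
        $System = $Doc.Event.System
        $IdNode = $System.EventID
        $Data   = @{}
        foreach ($D in $Doc.Event.EventData.Data) { $Data[$D.GetAttribute('Name')] = $D.InnerText }
        [pscustomobject]@{
            RecordId    = [int64]$System.EventRecordID
            EventId     = if ($IdNode -is [System.Xml.XmlElement]) { [int]$IdNode.InnerText } else { [int]$IdNode }
            TimeCreated = ([datetime]$System.TimeCreated.SystemTime).ToUniversalTime()
            Data        = $Data
        }
    }
}

function Find-NoisyIPsecPeer {
    # Flag remote addresses with at least -Threshold 4977 records inside any -WindowMinutes span
    # (sliding window). Scattered singles are path noise; a burst from one peer is the
    # "modify or replay" case Microsoft's event text refers to.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 3, [int]$WindowMinutes = 10)
    $Window = [timespan]::FromMinutes($WindowMinutes)
    $Events | Where-Object { $_.EventId -eq 4977 } | Group-Object { $_.Data['RemoteAddress'] } | ForEach-Object {
        $Times = @($_.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
        for ($i = 0; $i + $Threshold - 1 -lt $Times.Count; $i++) {
            if (($Times[$i + $Threshold - 1] - $Times[$i]) -le $Window) {
                [pscustomobject]@{ RemoteAddress = $_.Name; Count = $Times.Count; FirstSeen = $Times[0]; LastSeen = $Times[-1] }
                break
            }
        }
    }
}

function Get-IPsecPeerCorrelation {
    # For every 4977, count 5156/5157 records for the same peer on UDP 500/4500 within +/- WindowSeconds.
    # Blocked (5157) packets next to a 4977 point at the host firewall or a rule change, not at a hostile peer.
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowSeconds = 30)
    $IkePorts = '500', '4500'
    $Wfp = @($Events | Where-Object {
        ($_.EventId -in 5156, 5157) -and ($_.Data['DestPort'] -in $IkePorts -or $_.Data['SourcePort'] -in $IkePorts) })
    foreach ($E in @($Events | Where-Object { $_.EventId -eq 4977 })) {
        $Peer = $E.Data['RemoteAddress']
        $Hits = @($Wfp | Where-Object {
            ($_.Data['SourceAddress'] -eq $Peer -or $_.Data['DestAddress'] -eq $Peer) -and
            [math]::Abs(($_.TimeCreated - $E.TimeCreated).TotalSeconds) -le $WindowSeconds })
        [pscustomobject]@{
            TimeCreated   = $E.TimeCreated
            RemoteAddress = $Peer
            Blocked       = @($Hits | Where-Object { $_.EventId -eq 5157 }).Count
            Permitted     = @($Hits | Where-Object { $_.EventId -eq 5156 }).Count
        }
    }
}

function Get-IPsecAuditEvent {
    # Live records from this host (elevated prompt; needs the IPsec Quick Mode and
    # Filtering Platform Connection audit subcategories enabled).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4977, 5156, 5157; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
}

function New-SampleRecordXml {
    # Minimal Security-log style record for offline runs. Constructed sample data, not a capture.
    param([int]$Id, [int64]$RecordId, [string]$Utc, [hashtable]$Fields)
    $Data = ($Fields.GetEnumerator() | Sort-Object Key | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Utc'/><EventRecordID>$RecordId</EventRecordID><Channel>Security</Channel></System>" +
    "<EventData>$Data</EventData></Event>"
}

# Constructed sample: 203.0.113.7 trips 4977 four times in three minutes, twice alongside a blocked
# UDP/4500 packet, while 198.51.100.20 trips it once half an hour later (ordinary noise).
$Block = @{ SourceAddress = '10.0.0.5'; SourcePort = '4500'; DestAddress = '203.0.113.7'; DestPort = '4500'; Protocol = '17' }
$Sample = @(
    New-SampleRecordXml 4977 1001 '2026-03-18T09:00:00Z' @{ LocalAddress = '10.0.0.5'; RemoteAddress = '203.0.113.7' }
    New-SampleRecordXml 5157 1002 '2026-03-18T09:00:02Z' $Block
    New-SampleRecordXml 4977 1003 '2026-03-18T09:01:00Z' @{ LocalAddress = '10.0.0.5'; RemoteAddress = '203.0.113.7' }
    New-SampleRecordXml 5157 1004 '2026-03-18T09:01:02Z' $Block
    New-SampleRecordXml 4977 1005 '2026-03-18T09:02:00Z' @{ LocalAddress = '10.0.0.5'; RemoteAddress = '203.0.113.7' }
    New-SampleRecordXml 4977 1006 '2026-03-18T09:03:00Z' @{ LocalAddress = '10.0.0.5'; RemoteAddress = '203.0.113.7' }
    New-SampleRecordXml 4977 1007 '2026-03-18T09:40:00Z' @{ LocalAddress = '10.0.0.5'; RemoteAddress = '198.51.100.20' }
) | ConvertFrom-SecurityEventXml

Find-NoisyIPsecPeer -Events $Sample | Format-Table -AutoSize
Get-IPsecPeerCorrelation -Events $Sample | Format-Table -AutoSize
# Live data instead of the sample: Find-NoisyIPsecPeer -Events (Get-IPsecAuditEvent -Hours 24)
```

With the sample records only 203.0.113.7 is flagged (four entries inside a ten-minute window), and the correlation lists a blocked packet next to its 09:00 and 09:01 entries and none next to 198.51.100.20, which is the distinction the script exists to make: a peer whose packets the host firewall is dropping is a rules problem, a peer whose packets arrive and still fail Quick Mode is the one to look at more closely. The threshold and window are starting points; tune them against a week of your own 4977 volume before wiring the output into a SIEM alert.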

Overview

Event ID 4977 is written to the Security log when IPsec receives an invalid negotiation packet during Quick Mode, the second IPsec negotiation phase. Main Mode (IKE phase 1) authenticates the endpoints and establishes a protected channel; Quick Mode (IKE phase 2) runs inside that channel to negotiate and rekey the security associations (SAs) that encrypt data. A packet that is malformed, fails integrity checking or does not belong to the negotiation in progress triggers 4977.

The event appears on VPN servers and clients, on site-to-site tunnel endpoints and on hosts subject to Windows Firewall connection security rules, in other words anywhere Windows negotiates IPsec. It records the local and remote addresses, which is what makes it usable: a scattering of entries across many peers is normal network noise, while repeated entries from one peer in a short window deserve a look, since Microsoft's own description lists modification or replay of the negotiation as a possible cause.

Read 4977 together with the events that describe the outcome of the negotiation: 4976 (its Main Mode counterpart, an invalid packet during Main Mode), 4654 (Quick Mode negotiation failed), 5451 (Quick Mode SA established), 4650/4651 (Main Mode SA established), 4655 (Main Mode SA ended) and 5049 (an IPsec SA was deleted). Whether a 4977 is followed by 5451 or by 4654 for the same peer tells you whether the negotiation recovered.

Frequently Asked Questions

What does Event ID 4977 mean and why is it important?
It means IPsec received a packet it could not process while negotiating Quick Mode, the phase that creates the SAs carrying encrypted data. Microsoft's description of the event says that if it persists it may indicate a network problem or an attempt to modify or replay the negotiation. A single entry is rarely significant; a stream of them from one remote address is, both as a reliability problem (tunnels failing to rekey) and as a possible integrity attack on the IKE exchange. It matters for detection because it is logged as an audit Success event under the IPsec Quick Mode subcategory, so a SIEM rule that only collects audit failures, or an audit policy that only enables IPsec Main Mode, will never see it.
How can I tell if my IPsec VPN connections are working properly?
Look for the success events rather than for 4977: 4650 or 4651 (Main Mode SA established) followed by 5451 (Quick Mode SA established) for the peer, with the client address as the remote endpoint and the VPN server as the local one. Healthy tunnels then show periodic 5451 entries for rekeys and 5452 when a Quick Mode SA ends normally. A 4977 followed by 4654 (Quick Mode negotiation failed) for the same peer means the negotiation did not recover; a 4977 followed by 5451 means it did. Use Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA to confirm that the SAs actually exist on the host.
Which events show the authentication method and algorithms used?
4977 does not; it identifies the endpoints and the fact that a Quick Mode packet was invalid. The negotiated parameters are in the establishment events: 4650 when Main Mode authenticated without certificates (pre-shared key or Kerberos), 4651 when a certificate was used, and 4979 to 4982 when Extended Mode (a second, typically user-level, authentication) was also negotiated. Compare the authentication method and algorithms in those events with the Phase 1 and Phase 2 authentication sets and crypto sets of your connection security rules.
Why do I see multiple Event 4977 entries for the same connection?
Common benign reasons are retransmitted or out-of-order IKE messages arriving after a rekey or after the SA they belong to was deleted, path changes, and NAT devices or other middleboxes that mangle UDP 500/4500 traffic. A peer running a different vendor's IPsec stack can also send proposals Windows cannot parse. Group the entries by remote address and check what follows them: repeated 4977 with 5451 eventually following points at a lossy path; repeated 4977 with 4654 following, or with no success event at all, means the negotiation is being broken, and persistent entries from one peer are the modify-or-replay case Microsoft's description names.
How do I troubleshoot when the expected IPsec events are missing?
First confirm that auditing is on with auditpol /get /category:"Logon/Logoff", which lists the IPsec Main Mode, Quick Mode and Extended Mode subcategories. If they are enabled but no 4650/4651 or 5451 appears, look for 4652/4653 (Main Mode negotiation failed) and 4654 (Quick Mode negotiation failed), which carry the failure reason. Check that UDP 500 and 4500 are allowed end to end (5157 in the Security log shows packets blocked by the Windows Filtering Platform), that both sides offer a common proposal and authentication method, and that certificates chain to a CA trusted on both ends. netsh wfp capture start and netsh wfp capture stop produce the diagnostic trace used for IKE and AuthIP problems on current Windows versions.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
