Event ID 16 — NAP Agent Communication with the Enforcement Client

  • Article

Applies To: Windows Server 2008 R2

The Network Access Protection (NAP) Agent service must be able to communicate with an installed enforcement client in order to provide the enforcement client with health status and receive information about the level of network access granted to the client computer.

Event Details

Product: Windows Operating System
ID: 16
Source: Microsoft-Windows-NetworkAccessProtection
Version: 6.1
Symbolic Name: NAP_EVENT_MISMATCHING_ID
Message: A packet has been received with an unexpected correlation of %1 instead of %2.

Resolve

Determine the cause of latency

This error condition indicates that Network Policy Server (NPS) has been very slow to return a response to the client, causing the client to invalidate the statement of health response (SoHR). To investigate and repair this condition:

  • Evaluate system health validator (SHV) processing performance on the server running NPS.
  • If latency is isolated to one or more SHVs, then disable these SHVs and contact the SHV vendor.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Evaluate NPS performance

To evaluate the performance of the server running NPS:

  1. On the server running NPS, click Start, click Run, type perfmon.msc, and then press ENTER.
  2. In the Reliability and Performance Monitor console tree, click Reliability and Performance.
  3. Under Resource Overview, review the CPU, disk, network, and memory usage of the server running NPS.
  4. In the console tree, click Performance Monitor.
  5. Right-click the Performance Monitor display area, and then click Add Counters.
  6. Under Select counters from computer, confirm that <Local computer> is selected, and then click NPS System Health Validators.
  7. Expand NPS System Health Validators to display available SHV counters.
  8. Confirm that all SHV counters are selected, and that under Instances of selected object, <All instances> is selected.
  9. Click Add, and then click OK.
  10. In the display area, click the name of a counter to review, and record the values of Last, Average, Maximum, Minimum, and Duration.
  11. Monitor values for identical counters between different SHVs by clearing all check boxes under Show except for the counters you want to monitor.
  12. Compare data for the Shv Last Round-Trip Time counter among SHVs to determine if latency is isolated to one or more SHVs.
  13. If all SHVs display similar latency, use Performance Monitor to evaluate Network Interface and System counters.
  14. If latency is isolated to one or more SHVs, see the procedure titled "To disable SHV requirements in network policy."

Important: Save the current NPS configuration before proceeding. When the NPS configuration is saved to a file, you can restore it after the problem with your SHV has been resolved. To save the NPS configuration, see the procedure titled "To export the NPS configuration to a file."

Disable SHVs

To disable SHV requirements in network policy:

  1. On the server running NPS that is responsible for evaluating the health of NAP client computers, click Start, click Run, type nps.msc, and then press ENTER.
  2. In the console tree, double-click Policies, and then click Health Policies.
  3. In the details pane, right-click each policy, and then click Properties.
  4. Under SHVs used in this health policy, clear the check box next to one or more installed SHVs, and then click OK. You must leave at least one SHV enabled.
  5. After disabling individual SHVs, review events on NAP client computers and the server running NPS to determine if SoH processing has improved. If there has been no improvement, enable SHVs again by selecting them in your health policies.
  6. Alternatively, if network policies are configured with conditions that match multiple health polices, use the following steps to remove these conditions and their associated SHVs:
    1. Click Network Policies, right-click a network policy used to evaluate NAP client computers, and then click Properties.
    2. Click the Conditions tab, click a health policy condition, click Remove, and then click OK.
    3. After removing health policy conditions from network policies, review events on NAP client computers and the server running NPS to determine if SoH processing has improved. If there has been no improvement, restore the health policy conditions to network policy.
  7. Contact your SHV vendor for support to repair the affected SHVs.
  8. When SHVs have been repaired, restore the original NPS configuration using the procedure titled "To import the NPS configuration from a file."

Save and restore NPS configuration

To export the NPS configuration to a file:

  1. On the server running NPS, click Start, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type netsh nps export filename = "c:\config.xml" exportPSK = YES, and then press ENTER.
  3. This will save the current NPS configuration to the c:\config.xml file. You can change the location and name of this file.

To import the NPS configuration from a file:

  1. On the server running NPS, click Start, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type netsh nps import filename = "c:\config.xml", and then press ENTER.
  3. This will overwrite the current NPS configuration with the configuration saved in the c:\config.xml file. Change the location and name of this file to match the saved configuration file created in the preceding procedure.

Verify

To verify that NAP enforcement clients are installed and initialized:

  1. On the NAP client computer, click Start, point to All Programs, click Accessories, and then click Command Prompt.
  2. In the command window, type netsh nap client show configuration, and then press ENTER.
  3. If the client computer's NAP configuration is determined by Group Policy, type netsh nap client show grouppolicy, and then press ENTER.
  4. In the command output, under Enforcement clients, verify that the enforcement clients listed for your deployment are correct, and that the enforcement clients in use on your network have an Admin value of Enabled.
  5. In the command window, type netsh nap client show state, and then press ENTER.
  6. In the command output, under Enforcement client state, verify that all enforcement clients listed for your deployment are correct, and that the enforcement clients that are enabled on the client computer have an Initialized value of Yes.

NAP Agent Communication with the Enforcement Client

NAP Infrastructure