Microsoft-Windows-NlaSvc Error ID 4205
In my Window Server 2008 R2 OS in the Event Viewer there is an error pertains as Microsoft-Windows-Nlasvc Error ID 4205 states-(Gateway resolution failed on interface {d9470891-785a-4f67-82c7-53dc6646ad1ad} for o.o.o.o-[default gateway address] with error:0x57). What is this error? And What is the remedy for this error?MumthazMuhsin
October 21st, 2011 10:34am

Hi, May wanna check this article. Although the error is not exactly the same you may take a look A computer cannot identify the network when the computer is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, and is a member of a child domain http://support.microsoft.com/kb/980873 Do you have gateway address assigned to all network interfaces? Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”. Best Regards, Spas Kaloferov [ MCITP: SA7 | EA7 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14 ] NetShell Services & Solutions | “Design the future with simplicity and elegance” Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
Free Windows Admin Tool Kit Click here and download it now
October 21st, 2011 11:47am

I also see this event occuring repeatedly at a very high rate, polluting the event viewer so much that it makes it almost unusable, and that it generates too much disk activity. In fact this error has started since the time where my ISP has provided an IPv6 connectivity on its router (in addition to the existing IPv4 connectivity; in fact my ISP uses internally a proprietary Cisco tunnel to encapsulate the IPv6 traffic over the IPv4 connection over ADSL; the tunnel is established automatically by the router). Windows correctly gets an IPv6 address autoallocated in the IPv6 address block advertized by the router. Windows also attempts to use DHCPv6, but there's no DHCPv6 server implemented for now in the router (only the zero-config autoconfiguration is used). But the problem is that this IPv6 connectivity does not have any DNS server configured to be accessible by IPv6 (Windows also attempts to use DHCPv6 to get the DNSv6 address, but fails, and we are left without any DNS server on IPv6; it is not very important because the router implements a DNS proxy locally accessible on its IPv4 address, here 192.168.1.1, and name resolution is performed on this DNS server. Apparently, the NLA service of Windows does not detect that, on the PC, the hardware Ethernet interface is correctly configured with an IPv4 address (192.168.1.xx), a correct IPv4 address mask (255.255.0.0) to reach the default gateway (192.168.1.1) which is the router that also advertized the DNS server (192.16.8.1.1, i.e. the router itself as it is acting as a DNS proxy); but Windows has configured *both* a local-link IPv6 address (fe80:...) and correctly configured the Internet compatible (routable) IPv6 address (2001:...) within the correct IPv6 address block. But note that the router itself has *NO* IPv6 address for itself, so its DNS proxy is not reachable via IPv6. The network interface then has no DNS server for IPv6. Windows should continue to use the IPv4 DNS server, which can correctly resolve *both* IPv4 and IPV6 addresses for domain names, as well as performing the reverse resolution. The NLA Service however insists is trying to connect to an inexistant DNSv6 server, and constantly replies that it cannot identify the domain name of the IPv6 address, only because the NLA service still does not query the correct DNSv4 server which is configured on the same physical Ethernet network interface. I think this is a bug of the NLA service: it is perfectly valid for a network interface usable for Internet to have *no* DNSv6 server but only a DNSv4 server. Unfortunately, the NLA Service is spamming the Event viewer with lots of events (I get them by batches of 16 messages at the same time, with this Error ID 4205, every 10 seconds). This is really too much! The NLA service is unable to pace itself after the first failures. In fact it should not even log so many "Errors" in the Event viewer if it was doing things correctly. This is also a major performance problem (disk activity, slow responsiveness when listing the available networks, or when enumerating UPNP devices over the local network). Please Microsoft, correct the NLA service so that it will use the correct information and NOT require a DNSv6 server on an IPv6-enabled network interface, if it already has at least an IPv4 DNS server on the same network interface instance. It's true that nothing indicates that IPv4 and IPv6 will have the same routings, so the identification (by domain name) of the network may be different, but at least, in terms of security, the routable IPv6 address assigned to an interface should be treated like the routable IPv4 address on the same interface. So if you don't have a configured DNSv6 to get the name of the assigned IPv6 address, you should use the configured DNSv4 to query the name of the assigned routable IPv6 address (2001:...). Note: the local-link IPv6 address (fe80:...) is never routable, it will have no name except for local-link applications, and if there's a DNS server running and serving the local network. You may want to detect if this local link address has a name, but in fact this is superfluous: on the local ink, we are in the world of the "Residential Homegroup", and hosts are identified via the Microsoft networking protocol (SMB/CIFS) even if there's no DNS configured on the LAN. For all these reasons, I had to disable the logging of "Microsoft/Windows/NlaSvc" in the Event viewer. It is completely useless, uninformative (because it also indicates the network interfaces concerned only by their internal device driver instance UUID, without any indication of its informative name, and the message provides absolutely no hint about which query exactly failed, if this was an attempt to connect to a DNSv6 server, and which DNS server was attempted). Nobody will be able to use the event message data found in this Error ID:4205.
November 30th, 2011 11:18am

Guys, this is the scenario that I face. I use a HSDPA Mobile broaband connection for internet and only IPV4 connectivity (IPV6 is unchecked in network connection properties). This happens maybe once or twice daily and the whole system hangs up. Nothing works and I have to power off the system and power it on again. All i remember changing is try the google DNS Server and then set it back to obtain automatically. I note the following error once before a whole pile of the above error - The DNS proxy Server was unable to allocate 0 bytes of memory Apart from that nothing else remotely related to this error but yes, it does clog up the event viewer. Any ideas?
Free Windows Admin Tool Kit Click here and download it now
June 9th, 2012 9:43am

The simplest thing is to disable completely the error reporting made by NlsSvc (disable this bogous source of too many unneeded events). Open Start Menu > admin Tools > Events Viewer Select in the left column: Events Viewer (local) > Applications and Services Logs > Microsoft > Windows > NlaSvc > Operational In the right column (Actions), click: Properties to open the logging properties for this NlaSvc/Operational log. In the properties dialog, in the first "General" tab, there's a check box "Enable logging", uncheck it. Click the "Clear log" button to clear its existing content, then click "Validate" to apply the disabled logging. ---- Disabling the logging in NlsSvc does not affect security (but this improves Windows performance, notably if those logged events are really too frequent and in fact unsolvable just like in this problem, where it is caused by a bug of NlaSvc. The NlaSvc incorrectly assumes that if you have an internet access on a physical interface, and that interface supports a DNS client configuration, and that interface also supports an IPv6 connectivity, this connectivity extends to the Internet and includes the configuration of an existing DNS server also accessible in IPv6 (this is wrong : you can have a full IPv6 connectivity, even with routing to the Internet, but still no DNS server configured and accessible with an IPv6 address; you can perfectly configure and use a DNS server that is only reachable by its IPv4 address to perform IPv6 resolutions, such as getting AAAA records from a domain name, or performing an inverse resolution from an IPv6 address to an identifiable canonical domain name). Due to this assumption, the NlaSvc is trying to get an IPv6 address of a DNS server, but can't get any one, and still continues to repeatedly get such configuration and logging the error constantly). But such logging may only be useful for debugging problems in the NlaSvc in specific local network configurations containing various interdomain gateways. Home users don't care about this service, most of the time, unless they have a specific hardware in their LAN configured for example to allow external accesses (e.g. to access your medias from a secure entry points, or for allowing remote administration of these devices and their integration in the Windows desktop). Most of the time, this debugging is a temporary need only : if you don't debug this, you can disable the logging in those Windows services. ---- You may finally delete the huge file that stored these dummy unnecessary events (the location of the file is indicated in the properties dialog, but by default it was configured by default in the folder "%SystemRoot%\System32\Winevt\Logs" where it is named "Microsoft-Windows-NlaSvc%4Operational.evtx". You may visit the content of the "%SystemRoot%\System32\Winevt\Logs" folder to see which logs are unnecessarily long (check the associated services in the Events Viewer to see why their size became too large. In may just happen that their default maximum size (configured also in the "Properties" dialog within the Events Viewer) is in fact too large: check the last events you have, ignore those that are too old, look at their frequency. You probably don't need to leave them grow at a so large size, most services can use small logs, so configure them in their minimum allowed in the Properties dialog The minimum you can define for the maximum size of each events storage file is 64 KB for the few logs in text format, and 1028 KB for logs in "*.evtx" format (this is the events logging format used by almost all Windows builtin services in Windows 7/8) : when you clear an events log, its restarts to a minium size of 68KB and then grows as necessary up to this maximum, according to the policy defined in the Properties dialog. Some events logs are preconfigured in Windows to grow to a larger size than 1028KB : this is the case of the standard system logs that are configured to grow up to 20 MB (but if your clear them, they will restart at the initial empty size of 68KB (which is 64KB for an initial index and the first page of logs containing infos about when the log was created or cleared, by whom, and the policies you have defined (including restrictions of access to view them).
June 9th, 2012 1:54pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics