Hi, I have Vista Home Basic and using Vista firewall. I amhaving wired internet access.While going through firewall log, I found many entries which indicate incoming packets on port 67 from IP 0.0.0.0. As I understand DHCP offer and acknowledge responsesshould bereceived on port 68. Can this be one of the reasons for experiencing frequent connection drop outs?Systemevent log shows multiple entries with event ID 1003 - "Your computer was not able to renew its address from the network (from the DHCP Server)..."Hoping that packets dropped are actually DHCP Offer and ACK packets, I have tried to allow inbound traffic on port 67 by adding custom rule. But still firewall log shows that packets are dropped. Kindly advice.

Hi, Thank you for your post. Based on my research, I would like to suggest the following: 1. Reset Windows Firewall settings to default and see if it works. 1)Click the Start Button. 2)In the search bar type wf.msc and press Enter. 3)Right-click the root Windows Firewall with Advanced Security on Local Computer and choose Restore Defaults. 4)When the promote appears, click Yes. 2. Please go to firewall log and check which firewall rule blocked this communication. Please also provide us the log if it is possible. 3. Go to Windows Firewall with Advanced Security Outbound Rules, then check if the rule Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) has been enabled. If the issue persists, please also collect the following information for our further research: Collect the MPS Report: ============== 1. Download the MPS Report Tool from the following link: http://download.microsoft.com/download/f/0/4/f047169c-6357-47f3-835c-2665d6426e66/MPSRPT_PFE.EXE 2. After the download is complete, double-click this "MPSRPT_PFE.EXE" file. When you are prompted "Include the MSINFO32 report?", please input Y to continue. After a while, a CAB file will be generated. 3. Open My Computer, browse to the "%systemroot%\MPSReports\PFE\CAB" folder. You can find the CAB file above. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and share its URL with us. Hope this helps. Thanks. Nicholas Li - MSFT

Thanks Nicholas for your suggestions...As suggested, I did restore windows firewall settings to default.I noticed that by default Vista does not log successful/dropped connections. So i had to enable firewall logging for "Private" profilevia Windows Firewallwith Advanced Security -> Windows Firewall Properties -> Private Profile Tab -> Customize Logging.After enabling logging I checked pfirewall.log and found following entries.2009-06-14 18:15:10 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE2009-06-14 18:15:14 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE2009-06-14 18:15:21 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE2009-06-14 18:16:31 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVEThere are many warning in the event log with event ID 5032 - "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"Ican alsoconfirm thatOutbound and Inbound DHCP rules are enabled.Please let me know your thoughts on this.I will upload MPS report and share URL with you tomorrow.

Hi, Thank you for your update. Regarding Event ID 5032, please refer to the following document and try the method: Event ID 5032 Firewall Service Block Notifications http://technet.microsoft.com/en-us/library/cc733407.aspx Meanwhile, to verify the exact network traffic that is blocked by the Windows firewall, please enable the Windows Firewall Audit Events on the Windows Vista computer and then check the issue. 1. Restore the default settings in the firewall profile. 2. In the command prompt, type the following command. You can copy and paste this command into the Command Prompt window: auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable 3. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER: net stop MPSSVC net start MPSSVC 4. Then, run the command in a elevated command prompt: ipconfig /renew After this, verify the event log in the Event Log--->Security. 5. What specific traffic is blocked by the Windows Firewall? To get a whole Windows Firewall audit event list, you may refer to: 947226 Description of security events in Windows Vista and in Windows Server 2008 http://support.microsoft.com/kb/947226 Enable IPsec and Windows Firewall Audit Events http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx Hope this helps. Thanks. Nicholas Li - MSFT

Hi Nicholas,As per your suggestion, I enabled Windows Firewall Audit Events. I renewed my IP address couple of times and then disabled audit events.I checked security event log for event ID 5152 (packet block)and 5157 (connection block) but couldn't find any DHCP related entries (ports 67/68).There are events indicating outboud connection being allowed from port 68 of my machine (event ID 5156).Does this mean that packet drop logs in pfirewall.log can be ignored?Also I want to clarify one more thing. If direction is "Inbound" in event log, am I correct in assuming that source IP is the IP ofsender machine?Thanks again for your invaluable assistance,Regards,Dhiren

Hi Dhiren, Thank you for updating. I just would like to know if you have check the document and try the solutions: Event ID 5032 Firewall Service Block Notifications http://technet.microsoft.com/en-us/library/cc733407.aspx After trying the method above, if the issue persists, please alsocollectthe MPS Reportand share it with us. After getting the information, we will help you check it and perform some further researches. Thank you for your time and efforts. Nicholas Li - MSFT