Event ID 4653 — An IPsec main mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode negotiation failed.

Message #

An IPsec main mode negotiation failed.

Local Endpoint:
	Local Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Additional Information:
	Keying Module Name: %7
	Authentication Method: %10
	Role: %12
	Impersonation State: %13
	Main Mode Filter ID: %14

Failure Information:
	Failure Point: %8
	Failure Reason: %9
	State: %11
	Initiator Cookie: %15
	Responder Cookie: %16

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Local Principal Name
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`MMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`State` UnicodeString	[Failure Information] State.
`Role` UnicodeString	[Additional Information] Role.
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`InitiatorCookie` UnicodeString	[Failure Information] Initiator Cookie
`ResponderCookie` UnicodeString	[Failure Information] Responder Cookie
`Local_Principal_Name` UnicodeString	[Local Endpoint] Local Principal Name.
`Principal_Name` UnicodeString	[Remote Endpoint] Principal Name.
`Network_Address` UnicodeString	[Local Endpoint] Network Address.
`Keying_Module_Port` UInt32	[Local Endpoint] Keying Module Port.
`Keying_Module_Name` UnicodeString	[Additional Information] Keying Module Name.
`Failure_Point` UnicodeString	[Failure Information] Failure Point.
`Failure_Reason` UnicodeString	[Failure Information] Failure Reason. Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Authentication_Method` UnicodeString	[Additional Information] Authentication Method.
`Impersonation_State` UnicodeString	[Additional Information] Impersonation State.
`Main_Mode_Filter_ID` UInt64	[Additional Information] Main Mode Filter ID.
`Initiator_Cookie` UnicodeString	[Failure Information] Initiator Cookie.
`Responder_Cookie` UnicodeString	[Failure Information] Responder Cookie.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4653,
    "version": 0,
    "level": 0,
    "task": 12547,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T23:09:45.572614+00:00",
    "event_record_id": 16633999,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 13940
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalMMPrincipalName": "-",
    "RemoteMMPrincipalName": "-",
    "LocalAddress": "10.2.10.11",
    "LocalKeyModPort": 500,
    "RemoteAddress": "10.2.20.41",
    "RemoteKeyModPort": 500,
    "KeyModName": "%%8223",
    "FailurePoint": "%%8199",
    "FailureReason": "New policy invalidated SAs formed with old policy\r\n",
    "MMAuthMethod": "%%8194",
    "State": "%%8202",
    "Role": "%%8205",
    "MMImpersonationState": "%%8217",
    "MMFilterID": 72917,
    "InitiatorCookie": "abd97649c27753ac",
    "ResponderCookie": "0000000000000000"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4653