Event ID 5452

An IPsec quick mode security association ended. 

An IPsec quick mode security association ended.

Local Endpoint:
    Network Address:    %1
    Port:           %2
    Tunnel Endpoint:        %3

Remote Endpoint:
    Network Address:    %4
    Port:           %5
    Tunnel Endpoint:        %6

Additional Information:
    Protocol:       %7
    Quick Mode SA ID:   %8


Event 5452 is logged when an established IPsec Quick Mode security association (SA) expires or is terminated. The event is intentionally minimal, containing only the fields necessary to identify which SA ended without restating the cryptographic details already captured during establishment.

Auditing:     Rarely

Enable only when diagnosing IPsec SA lifecycle issues, auditing encrypted host-to-host session durations for compliance, or correlating IPsec teardowns with application disconnections.


Volume:     High

Every SA establishment produces a corresponding teardown. On any active IPsec environment, expect a 1:1 ratio of 5452 to 5451 events over time, with the same high-volume characteristics on busy servers running domain isolation or DirectAccess.




Name Field Insertion String OS Example
Local Network Address Local Network Address %1 Any 10.40.1.123
Local Port LocalPort %2 Any 0
Local Tunnel Endpoint LocalTunnelEndpoint %3 Any -
Remote Network Address RemoteAddress %4 Any 10.40.1.112
Remote Port RemotePort %5 Any 3389
Remote Tunnel Endpoint Remote Tunnel Endpoint %6 Any -
Protocol Protocol %7 Any 6
Quick Mode SA ID QuickModeSaId %8 Any 59

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"IPsec Quick Mode"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022 Windows 2025

Audit Category:
Logon/Logoff

Audit Subcategory:
IPsec Quick Mode

LEFT/RIGHT arrow keys for navigation

Back to List