I am developing a simple firewall using WFP. I have two ALE callouts, Connect and Recv/Accept. I can see ALE AUTH packets arriving in the connect callout; I queue them for out-of-band processing and, in this case, just “allow everything” while I am getting the thing stable. The MS documentation says that if you mark an AUTH as pending, queue it for later processing, and then complete the AUTH, this will automatically trigger a REAUTH, which will be collected by the same callout function that collected the AUTH.

I complete the AUTH, but no REAUTH arrives.

The filter that I have applied to the shim states only that localIP = value of local IP.
I can see all AUTHs coming in, and I can see myself completing the AUTHs out of band, but still no REAUTHs.

Any ideas?

Thanks in advance.