The Windows Filtering Platform has blocked a bind to a local port

You may notice event 5159 being logged on your Windows 2008 Server(s) indicating a connection has been blocked/dropped, etc.
The Process ID will indicate which application was blocked (tasklist /SVC can be used to get details on running PID's) and which protocol was involved.

The actual enforcement of the firewall rules is done by WFP through traffic filters derived from the firewall policy.
To further troubleshoot this you can enable WFP auditing and monitor the event viewer to see what is happening in WFP while you reproduce the problem that you want to troubleshoot.

One common event we have observed is where the initial attempt is made using UDP (protocol 17) which is blocked and then a second attempt is made using TCP which is allowed, this is typical of Kerberos traffic which first tries UDP and then attempts TCP if UDP fails.

By default the drop is not logged, so you should really only see this event if one of the Audit subcategories (Filtering Platform Packet Drop) has been turned on.

To enable WFP auditing:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

...Repro the failure, go to the Security event log and monitor for the events.

To disable WFP auditing:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable
auditpol /set /subcategory:"Filtering Platform Connection" /success: disable /failure: disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

 

See also:

Many 5159 events are logged in the Security event log after you disable Windows Firewall and enable the "Filtering Platform Connection" auditing policy
http://support.microsoft.com/kb/969257