
AMP causing server to crash/reboot?

phonehome
Level 1

Windows Server 2012 R2, fully updated, physical server. Installed AMP connector version 6.2.5.10848 last night. Since then the server has crashed/rebooted twice. Seeing several event ID 36887 Schannel errors since the install - "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.". I have since stopped and disabled the AMP service. Any help with this would be appreciated.

 

Thanks

21 Replies

Matthew Franks
Cisco Employee

I recommend getting the DMP file from the crash, an AMP Diagnostic File and opening a TAC case so we can look into this issue.  I haven't heard of any crashes on 6.2.5 so I don't have any suggestions without the data aside from potentially disabling various services to see if you can figure out which one is causing the crashes.

 

The dump is typically in %SystemRoot%\Memory.dmp

The diagnostic file generation directions are here: 

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118228-technote-fireamp-00.html

 

Thanks,

Matt

 

 

Two more servers have crashed now. Looks like AMP may be causing high CPU usage and eventual crash. Seeing lots of these log entries right before the server shuts down:

 

[3784]: ERROR: Event::SlowProcessor unable to calculate hash using handle (file path)

As I mentioned earlier, I suggest opening a TAC case with the associated support files so an Engineer can take a closer look.  This could just be an issue of adding proper exclusions.

 

Thanks,

Matt

tonynray
Level 1

I'm having the exact same issue since upgrading to 6.2.5. Not just server OS though. I've had both servers and workstations BSOD. It seems random. I have opened a TAC case, but no real luck yet. I've had to uninstall AMP from the servers as the crash happens, because the BSOD comes back, and these are production servers. Hopefully a fix is found soon...

I did see the case Tray and our Developers are actively looking into this.

 

Thanks,

Matt

Thanks, Matt! I've added the mini dump files to the case, hopefully that will help. I couldn't upload the full memory dump files because they range between 300MB-1GB...

You should be able to upload files up to 250GB through the Support Case Manager.
https://mycase.cloudapps.cisco.com/case

If you have issues with that, please try the Case File Uploader (250GB).
https://cway.cisco.com/csc/

Uploading via email only allows for 20MB attachments.  Hope that helps.

 

Thanks,

Matt

Sweet! I didn't realize that, uploading the full memory dumps now.

tonynray, have you found any correlation between your machines that are crashing? I have not. Server 2008 R2, 2012 R2, 2016, physical, VM - all are affected. The majority of my servers with AMP installed are not having problems, but the ones that do crash quite often.

I have not. 4 total machines - 2 VMs, 2 physical, 2 Server 2012 R2, 1 Server 2008 R2, 1 Windows 7 Pro... So far it's just these 4 that I've found (out of 2500 machines). But just in case, I have uninstalled AMP from my core production servers just to prevent crashes.

I'm assuming these are all on version 6.2.5? Any problems with previous versions?

Correct. The issues have only started after upgrading to 6.2.5. Although, one of the servers has crashed again after doing a clean uninstall/reboot/reinstall, not upgrade.

A bug has been opened for this issue.  Should be visible within the next 24 hours.  I suggest monitoring it for updates if you don't have a case open.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo24869

 

Thanks,

Matt

Is there a way to force a downgrade?  I assume if I select a 6.1.x version it would downgrade the clients accordingly? This issue is reported on all 6.2.x versions so I don't want them running any version of 6.2.
