02-04-2019 07:58 AM - edited 02-20-2020 09:07 PM
Windows Server 2012 R2, fully updated, physical server. Installed AMP connector version 6.2.5.10848 last night. Since then the server has crashed/rebooted twice. Seeing several event ID 36887 Schannel errors since the install - "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.". I have since stopped and disabled the AMP service. Any help with this would be appreciated.
Thanks
02-04-2019 08:04 AM
I recommend getting the DMP file from the crash, an AMP Diagnostic File and opening a TAC case so we can look into this issue. I haven't heard of any crashes on 6.2.5 so I don't have any suggestions without the data aside from potentially disabling various services to see if you can figure out which one is causing the crashes.
The dump is typically in %SystemRoot%\Memory.dmp
The diagnostic file generation directions are here:
Thanks,
Matt
02-04-2019 12:20 PM
Two more servers have crashed now. Looks like AMP may be causing high CPU usage and eventual crash. Seeing lots of these log entries right before the server shuts down:
[3784]: ERROR: Event::SlowProcessor unable to calculate hash using handle (file path)
02-04-2019 12:25 PM
As I mentioned earlier, I suggest opening a TAC case with the associated support files so an Engineer can take a closer look. This could just be an issue of adding proper exclusions.
Thanks,
Matt
02-05-2019 10:23 AM
I'm having the exact same issue since upgrading to 6.2.5. Not just server OS though. I've had both servers and workstations BSOD. It seems random. I have opened a TAC case, but no real luck yet. I've had to uninstall AMP from the servers as the crash happens, because the BSOD comes back, and these are production servers. Hopefully a fix is found soon...
02-05-2019 10:25 AM
I did see the case Tray and our Developers are actively looking into this.
Thanks,
Matt
02-05-2019 10:30 AM
Thanks, Matt! I've added the mini dump files to the case, hopefully that will help. I couldn't upload the full memory dump files because they range between 300MB-1GB...
02-05-2019 10:34 AM
You should be able to upload files up to 250GB through the Support Case Manager.
https://mycase.cloudapps.cisco.com/case
If you have issues with that, please try the Case File Uploader (250GB).
https://cway.cisco.com/csc/
Uploading via email only allows for 20MB attachments. Hope that helps.
Thanks,
Matt
02-05-2019 10:51 AM
Sweet! I didn't realize that, uploading the full memory dumps now.
02-05-2019 10:52 AM
tonynray, have you found any correlation between your machines that are crashing? I have not. Server 2008 R2, 2012 R2, 2016, physical, VM - all are affected. The majority of my servers with AMP installed are not having problems, but the ones that do crash quite often.
02-05-2019 10:55 AM
I have not. 4 total machines - 2 VMs, 2 physical, 2 Server 2012 R2, 1 Server 2008 R2, 1 Windows 7 Pro... So far it's just these 4 that I've found (out of 2500 machines). But just in case, I have uninstalled AMP from my core production servers just to prevent crashes.
02-05-2019 10:57 AM
I'm assuming these are all on version 6.2.5? Any problems with previous versions?
02-05-2019 10:58 AM
Correct. The issues have only started after upgrading to 6.2.5. Although, one of the servers has crashed again after doing a clean uninstall/reboot/reinstall, not upgrade.
02-05-2019 11:20 AM
A bug has been opened for this issue. Should be visible within the next 24 hours. I suggest monitoring it for updates if you don't have a case open.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo24869
Thanks,
Matt
02-07-2019 02:16 PM
Is there a way to force a downgrade? I assume if I select a 6.1.x version it would downgrade the clients accordingly? This issue is reported on all 6.2.x versions so I don't want them running any version of 6.2.