Article Number
000001490
Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.3.0.4, 4.3.0.5, 4.2.x, 4.4.0.0, 4.4.0.1, 4.4.0.2, 4.4.0.3
Platform: Windows
O/S Version: Windows
Issue
Occasionally a driver error code of 0xe001000f is reported by the kernel driver of the endpoint agent and recorded in the database for the agent. This results in a disabled kernel driver and reduced endpoint visibility.
Cause
This is caused by a variety of factors. The specific issue addressed in this article is the UMA to KMA agent heartbeat error. This occurs due to synchronization being lost following a timeout error. Per RSA Engineering:
Added Synchronization in the driver to make sure timeout for connection doesn't happen while resuming from sleep
NOTE: This is referring to only ONE cause of the 0xe001000f error, as this is a catch-all error code; it can be caused by a variety of factors, and future instances of this error need to be investigated independently.
Resolution
Upgrade to 4.4.0.5 for the specific fix to the heartbeat error.
If running a version equal to or newer than the above version (4.4.0.5) and still experiencing persistent 0xe001000f errors, contact RSA Customer Support to open a new case to investigate the root cause of the error generated.
Workaround
The workaround to this issue is to reboot the offending agent. When the agent is rebooted, the kernel state on the endpoint is cleared, and the agent reports back the KMA is online (status code 0x00000000), which will then show as online without error. This does not mean the error could not recur, but it does show, following a reboot, that the KMA started and is running normally.