Forced reboot after PIM installation-Cause analysis request

book

Article ID: 194586

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Server crashe/forced reboot with dump.

Environment

Release : 12.8

Component : CA ControlMinder

Resolution

From engineering:

I have gone through the crash dump provided by the Customer. It looks like PIM drivers have nothing to do with this particular crash event. The inference drawn from the analysis clearly tells that. Also to my surprise at the time of crash PIM interceptions, including all, were in a full passive state. Don't know, either through registry settings or due to some other issue our drivers were not intercepting anything during the time of crash. The call stack on processor 2 that finally brought down the system clearly shows no presence of our driver interception anywhere. The stack points to a crash happening in some OS level calls due to a chain of other events. Oracle.exe application thread invokes several IO calls into the TCP/IP networking stack that finally ends up in the crash within Tcpip.sys system function calls. Our PIM driver are loaded but rather in a passive state.

Please ask the customer to investigate the following.

1) There is a corruption happening somewhere in the header of TCP receive memory segment. Could be that this corruption was caused by some other driver.

2) Oracle.exe is consuming a high memory and at the same time continuously communicating with the network stack. Is this normal ?

3) Customer has installed an anti-malware, anti-spyware, Firewall ...etc inclusive software suite from Ahnlab inc. (i.e. AhnLab V3 Internet Security ).
Ahnlab software has three core driver running in tandem, TSFLTDRV.sys, ascrts.sys and MeDCoreD.sys. Customer should keep an eye on these three drivers too. Nothing is indicative that these three drivers
could have possibly caused this event but I could see them running on processor 0.