Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen
search cancel

Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen

book

Article ID: 330831

calendar_today

Updated On:

Products

VMware vSphere ESXi VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • The virtual machine fails with a blue diagnostic screen.
  • The dump analysis and call stack in windbg contains entry similar to:
HTTP_DRIVER_CORRUPTED (fa) : The HTTP kernel driver (http.sys) reached a corrupted state and can not recover.
  • The dump analysis and call stack in windbg contains entry similar to:
BAD_POOL_CALLER (c2) 
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
  • In the /vmfs/volumes/datastore/virutal_machine/vmware.log file, you see entries similar to:
WinBSOD: ( 4) `The HTTP kernel driver (http.sys) reached a corrupted state and can not recover.'
<snip>
WinBSOD: (24) `Technical information:'
WinBSOD: (26) `*** STOP: 0x000000FA (0x00000001,0x8A7C8390,0xBA23BCA6,0x00000C10)'
WinBSOD: (26) `*** STOP: 0x000000FA (0x00000001,0x8A7C8390,0xBA23BCA6,0x00000C10)'
WinBSOD: (29) `*** HTTP.sys - Address BA23BCA6 base at BA234000, DateStamp 4af41bca'


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.   
  • The virtual machine is running the Windows Server 2003 or 2003R2 operating system.
  • The virtual machine is running one of these VMware Tools versions:
8.6.15
9.0.15
9.4.11 or later
For more information on determining the VMware Tools version installed, see Verifying a VMware Tools build version (1003947).

Environment

VMware vSphere ESXi 6.0
VMware NSX for vSphere 6.0.x
VMware vSphere ESXi 5.1
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5

Resolution

This is a known issue affecting VMware vSphere ESXi 5.x, ESXi 6.0 and NSX 6.x.
 
Currently, there is no resolution.
 
Note: The vnetflt.sys driver supports the NSX for vSphere Activity Monitoring Feature. However, it is not used by any vShield Endpoint functionality.
 
When the vSphere Activity Monitoring Feature with NSX Guest Introspection is not used, disabling the vShield Endpoint TDI Manager does not affect any vShield Endpoint functionality.
 
To workaround this issue, disable the vnetflt.sys driver:

To disable the vnetflt.sys driver:
 
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine.
  1. Connect to the affected virtual machine with a console or RDP sessions.
  2. Click Start > run, type regedit and click OK.
  3. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vnetflt\
     
  4. Right-click the Start key and select Modify.
  5. Change the value to 4 and click OK.
  6. Close the Registry Editor Window.
  7. Reboot the virtual machine.


Additional Information



Powered by Wolken Software