000035825 - Kernal Drive Error 0xe001000f in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Dec 14, 2017Last modified by RSA Customer Support Employee on May 9, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035825
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition:,, 4.2.x,,,, 4,4.0.3, 
Platform: Windows
O/S Version: Windows
IssueOccasionally a driver error code of 0xe001000f is reported by the kernel driver of the endpoint agent and recorded in the db for the agent. This results in a disabled kernel driver and reduced endpoint visibility.
CauseThis is caused by a variety of factors. One of the below known causes is the UMA to KMA agent heartbeat error. This occurs due to synchronization being lost following a timeout error. Per engineering :
Added Synchronization in the driver to make sure timeout for connection doesn't happen while resuming from sleep
ResolutionUpgrade to  for the permanent fix to the heartbeat error

If running a version equal or newer than the above versions and still experiencing persistent 0xe001000f errors, a new case should be opened to investigate the root cause of the error generated.
WorkaroundThe workaround to this issue is to reboot the offending agent. When the agent is rebooted, the kernel state on the endpoint is cleared, and the agent reports back the KMA is online(status code 0x00000000) which will then show as online without error. This does not mean the error could not recur but does show following reboot that the KMA started and is running normally.