000036072 - Receive Segment Coalescing causes hangs with Windows Updates and ECAT agents in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Mar 6, 2018Last modified by RSA Customer Support Employee on Nov 4, 2019
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000036072
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition:, 4.2.0.x,,
Platform: Windows
Product Name: RSA-0015013
Product Description: ECAT Host Perp License (per host)
IssueWhen IPv4 or more likely IPv6 interfaces in Windows operating systems have the flag set for RSC support which is considered an optional setting, the WFP driver hangs causing the service host to hang during a Windows Update, preventing the system from proceeding and mimicking a hung state on the server.
CauseRSC is affected by a known Windows bug and happens when the base filtering engine interacts with svchost.exe which is expecting the WFP network driver to support RSC and enters a hung state waiting for the service to initialize.
ResolutionThere are a few ways to resolve this issue:
  1. Disable RSC on all interfaces that have it enabled. Enable-NetAdapterRsc, Disable-NetAdapterRsc, Get-NetAdapterAdvancedProperty, and Set-NetAdapterAdvancedProperty can be used to check and remove the RSC flag from a network interface.
  2. Reboot the servers, since it only hangs following a Windows Update
  3. Disable the WFP driver
  4. Upgrade to the most recent version of the Endpoint Agent.