A conflict between VMware vShield filter driver VSEPFLT.sys and other miniport drivers causes slow or unresponsive performance
Technical Articles ID: KB86938
Last Modified: 11/28/2016
Environment
McAfee VirusScan Enterprise (VSE) 8.8
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MOVE AntiVirus (AV) Agentless 4.x, 3.x
VMware vShield
Summary
This article describes an issue originally reported on Windows 2012 and Windows 2012 R2 servers involving slow or unresponsive performance with the VMware Endpoint vsepflt.sys driver.
This conflict with the VMware Endpoint vsepflt.sys driver has been seen with any miniport filter driver on Windows 2012 and Windows 2012 R2 servers on various platforms.
Problem
A miniport filter driver conflict occurs between the VMware Endpoint vsepflt.sys driver and other miniport filter drivers on Windows 2012 and Windows 2012 R2 servers running on VMware ESXi hosts. The server performance becomes slow and unresponsive.
Cause
The VMware vShield Endpoint driver performs the I/O operation for the images running with this driver. When it is loaded into memory multiple times, this leads to a performance issue.
The VMware vShield Endpoint filter driver (VSEPFLT.sys), when loaded, can create timing issues because of file locks.
Solution
Verify that the symptoms you see are caused by a driver conflict
- Open a command prompt.
- Run the following command:
FLTMC
This lists running filter drivers. If you have the issue, the vsepflt will show multiple running instances, similar to the following:
Filter Name    Num Instances    Altitude    Frame
vsepflt        4                329998      (Legacy)
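The check above can be scripted. The following is an added example, not McAfee or VMware code: it parses FLTMC output and reports whether vsepflt shows more than one instance. The function names Get-FilterInstance and Test-VsepfltConflict are hypothetical, and the sample rows are constructed from the row shown above.

```powershell
# Added example, not vendor code. Run from an elevated prompt: fltmc needs administrator rights.

function Get-FilterInstance {
    param(
        # Lines of FLTMC output; when omitted, fltmc.exe is run on this machine.
        [string[]]$FltmcOutput = (& fltmc.exe)
    )
    foreach ($line in $FltmcOutput) {
        # Data rows: filter name, instance count, altitude, frame.
        # The header and separator rows, and rows with no instance count, do not match.
        if ($line -match '^\s*(?<Name>\S+)\s+(?<Count>\d+)\s+(?<Altitude>\d+(\.\d+)?)\s+(?<Frame>\S+)\s*$') {
            [pscustomobject]@{
                Name         = $Matches['Name']
                NumInstances = [int]$Matches['Count']
                Altitude     = $Matches['Altitude']
                Frame        = $Matches['Frame']
            }
        }
    }
}

function Test-VsepfltConflict {
    param([string[]]$FltmcOutput)
    $filters = if ($FltmcOutput) { Get-FilterInstance -FltmcOutput $FltmcOutput } else { Get-FilterInstance }
    $vsep = $filters | Where-Object { $_.Name -eq 'vsepflt' }
    if (-not $vsep) { return 'vsepflt is not loaded on this system.' }
    if ($vsep.NumInstances -gt 1) {
        return "vsepflt reports $($vsep.NumInstances) instances at altitude $($vsep.Altitude): matches the symptom described above."
    }
    return "vsepflt reports $($vsep.NumInstances) instance(s): does not match the symptom described above."
}

# Constructed sample built from the row shown above (not captured from a real host).
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'vsepflt                                 4       329998       (Legacy)'
)
Test-VsepfltConflict -FltmcOutput $sample   # offline check against the sample
# Test-VsepfltConflict                      # live check on the local server
```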
Remove the VMware vShield Endpoint driver (vsepflt.sys)
NOTE: When installing VMware Tools on a Windows operating system, the Thin Agent (vsepflt.sys) is not installed by default; this is only installed as part of the FULL installation of VMware Tools.
- Open a command prompt.
- Run the following command:
fltmc unload vsepflt
Unloading vsepflt might resolve the issue. If it does not, continue to step 3.
- Uninstall the VMware Tools and reinstall with the TYPICAL option.
NOTE: If additional support is required beyond uninstalling, open a VMware Support Request for the product vShield Endpoint or NSX File Introspection Driver (vsepflt.sys), and refer to VMware article 2006985: http://kb.vmware.com/kb/2006985
Workaround
To resolve this temporarily, restart the Windows server.
------------------------------------------------------------
Last Updated: 5/19/2017
Categories: Troubleshooting
Symptoms
- Windows VM with NSX Network Introspection driver (vnetflt.sys) connected to USVM (Guest Introspection SVM) loses temporary TCP network connectivity for new connections.
- Running the dmesg command on the USVM console to show the logs, you see entries similar to:
Out of memory: Kill process <process_id> (java) score <score> or sacrifice child
- In the NSX Manager log, you see entries similar to:
Code:'260007'
Event Message: 'Lost communication with ESX module.'
Cause
The NSX Network Introspection driver (vnetflt.sys) sends network-related events to the USVM through the Multiplexor (MUX). Network events obtained in the USVM are used in Activity Monitoring and Identity Firewall.
The driver collects TCP connectivity events and pushes them to the USVM. Because of a memory leak in the underlying connection between the MUX and the USVM, the USVM event manager process is restarted when it runs out of memory. While the event manager process is restarting, TCP connection event processing stays incomplete for a while, which may result in connectivity issues in the Windows VM.
Resolution
This issue is resolved in:
- VMware NSX for vSphere 6.2.7, available at VMware Downloads.
- VMware NSX for vSphere 6.3.0, available at VMware Downloads.
To work around this issue if you do not want to upgrade, disable the NSX Network Introspection driver.
To disable the vnetflt.sys driver:
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
- Connect to the affected virtual machine with a console or RDP session.
- Click Start > Run, type regedit, and click OK.
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vnetflt\
- Right-click the Start key and select Modify.
- Change the value to 4 and click OK.
- Close the Registry Editor Window.
- Reboot the virtual machine.
Notes:
- If you are using Agentless AV only, disabling the NSX Network Introspection Driver does not affect Agentless AV functionality.
- If you have IDFW, use the Active Directory Event Log Scraper instead of USVM. For more information on the Event Log Scraper, see the Identity Firewall Overview section of the NSX Administration Guide.
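The registry procedure above can also be run from an elevated PowerShell session inside the affected virtual machine. The following is an added example, not VMware's own tooling: it reports the current Start value of the vnetflt service, exports the key, then sets Start to 4. The function name Disable-VnetfltDriver and the default backup file name are hypothetical, and the key export does not replace the registry and virtual machine backup called for in the note above.

```powershell
# Added example, not vendor code. Run elevated inside the affected VM.
function Disable-VnetfltDriver {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical default location for the exported copy of the key.
        [string]$BackupFile = (Join-Path $env:TEMP 'vnetflt-services-key.reg')
    )
    $keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\vnetflt'
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    if (-not (Test-Path $keyPath)) {
        Write-Warning 'vnetflt service key not found; the driver is not installed on this VM.'
        return
    }

    # Report the current start type before touching anything.
    $current = (Get-ItemProperty -Path $keyPath -Name Start).Start
    Write-Host "Current Start value: $current ($($startNames[[int]$current]))"
    if ($current -eq 4) {
        Write-Host 'vnetflt is already disabled; nothing to change.'
        return
    }

    if ($PSCmdlet.ShouldProcess($keyPath, 'Set Start to 4 (Disabled)')) {
        # Export this key first so the previous value can be restored by importing the file.
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\vnetflt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Registry export failed (reg.exe exit code $LASTEXITCODE); Start was not changed."
        }
        Set-ItemProperty -Path $keyPath -Name Start -Value 4 -Type DWord
        Write-Host "Start set to 4. Key exported to $BackupFile. Reboot the virtual machine to apply."
    }
}

Disable-VnetfltDriver -WhatIf   # preview only; remove -WhatIf to make the change
```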
Related Information
You experience these additional symptoms:
ESXi syslog contains entries similar to: