cancel
Showing results for 
Search instead for 
Did you mean: 
sssyyy
Level 12

NMI error on ESM Virtual Appliances

Has anyone experienced NMI errors on virtual ESM appliances? Basically the VM dies/stops responding, sometimes it will cover by itself, else only a hard reset via vCentre can fix it.

Running on version 9.6.0 MR8.

Thanks.

Capture.JPG

0 Kudos
9 Replies
sssyyy
Level 12

Re: NMI error on ESM Virtual Appliances

Anyone got answers for this?

0 Kudos
sssyyy
Level 12

Re: NMI error on ESM Virtual Appliances

Anyone got answers for this?

0 Kudos
akerr
Level 9

Re: NMI error on ESM Virtual Appliances

We are experiencing similar issues.  Was happening on 9.6.0 MR5 and is happening again on 10.0.3

We are running on a CentOS 7 host running the KVM virtual machines.  I opened an SR with McAfee on it.

0 Kudos
sssyyy
Level 12

Re: NMI error on ESM Virtual Appliances

Me too. But couldn't find a solution by McAfee Support.

0 Kudos
akerr
Level 9

Re: NMI error on ESM Virtual Appliances

We may have found a solution.  As I mentioned, we're running ours on Linux via KVM.  I don't know if this will help on other platforms.  It seems to have fixed out problem and the VMs that were crashing immediately stopped after the fix was applied, no reboot of the host or VM was required.

echo never > /sys/kernel/mm/transparent_hugepage/defrag 
sync && echo 3 > /proc/sys/vm/drop_caches

This change can be made permanent by adding the following cronjob:

@reboot echo never > /sys/kernel/mm/transparent_hugepage/defrag 
@monthly sync && echo 3 > /proc/sys/vm/drop_caches

We're not 100% sure yet if the drop caches part is needed or not.

0 Kudos
sssyyy
Level 12

Re: NMI error on ESM Virtual Appliances

Thanks. Your first part of commands seemed to worked, but cronjob gives me bash: @reboot: command not found, and @monthly: command not found.

Any idea why? I tried this on the SIEM VM CLI.

0 Kudos
akerr
Level 9

Re: NMI error on ESM Virtual Appliances

The cronjobs and the fix need to be applied to the host, not the McAfee VM.  I should have been more clear on that.

We haven't implemented the monthly cronjob as we want to see if that one is actually necessary or not first, as it will impact performance, at least when it's run.

The @reboot command should work in root's own crontab file, or if you're doing it in the system crontab (/etc/crontab), you'd need to indicate the user to run it (in this case root) so:

@reboot root echo never > /sys/kernel/mm/transparent_hugepage/defrag

0 Kudos
sssyyy
Level 12

Re: NMI error on ESM Virtual Appliances

Oh, applied to the host, which in your case is the KVM or in my case vCentre? and not on the McAfee SIEM VMs?

0 Kudos
akerr
Level 9

Re: NMI error on ESM Virtual Appliances

Correct, not on the McAfee VMs, the host OS.

0 Kudos