Unsolved

1 Rookie


44 Posts


July 12th, 2021 07:00

Multiple CAVA issues being reported

Hello all

3rd time I have tried posting this question, not sure why it keeps marking it as spam?! Anyway....

We have 2 x 8 node clusters running 9.1.0.4, each cluster has 4 CAVA Windows servers available to them.

However every few minutes we are getting errors logged with 

ID Started Sev Message
------------------------------------------------------------------------
82315 07/12 15:19 W Resolved: The antivirus software on the server Cluster1Cava01.domain connected to node 3 has errors or is working improperly. Please check the CEE installation guide and the antivirus software vendor's documentation for proper setup.

I have checked the CAVA servers

  • No obvious errors are being reported on the Windows servers
  • AV is working on them as expected
  • Created a test virus file using the EICAR test file which prompted correct alerts

Also checked the Isilon

  • CAVA servers show as enabled
  • Each node shows connections to them

 

So my questions to you all are:

What else can I check for this?

What have I missed?

My guess is that Dell Support won't be able to help as the AV isn't provided by them.

 

Thanks in advance

Moderator


7.7K Posts

July 12th, 2021 16:00

Hello NotStopIsilonProblems,

Have you looked at chapter 2 of Dell EMC CEE Using the Common Event Enabler on Windows Platforms guide? https://dell.to/3ebtFU1

1 Rookie


44 Posts

July 13th, 2021 02:00

Hello

Thank you for the reply.

Yes, I have been through the chapters looking for anything that I may have missed but can't see anything obvious.

Wondering if next week, when we apply 9.1.0.8 and reboot the nodes, that will resolve it?

Moderator


7.7K Posts

July 13th, 2021 10:00

Hello NotStopIsilonProblems,

There are some changes that are going to be applied in 9.1.0.8. I am not sure if they will resolve your specific issue.

2 Posts

August 19th, 2022 02:00

We have the same errors even on OneFS Version: 9.2.1.14

Enabled the DEBUG / Verbose options on the CEE server (v8.9.7.1) / DTD version 2.3.0

https://www.dell.com/support/kbdoc/en-uk/000043513

Ignore the old VNX references and just enable the CEE debug on the AV host,

then use MS DEBUGVIEW to see all the messages / scans and errors in real time or output to file.

We see these errors pop up about the same time as the Isilon alerts trigger, but so far unconfirmed. Would be interesting to know if you see the same:

 

CCEECore::CheckHeartBeat AV Returning AV HB Result: 13 - ERROR AV INTERFACE

IOCTL_FSCVIR_CHECK_UNCPATH failure= e0000034(hex)

 

Dell are investigating under an SR - will update if we find a root cause or cure

2 Posts

October 31st, 2022 09:00

So further update - one thing that makes a BIG difference is an old requirement from the VNX - as it's related to the Windows Server caching the folder it has been by DELL as definitely still relevant - it was not in the earlier Isilon config guides - might be in newer later versions.

Basically the Windows Server is using a cached view of the Folder - so if files are changed / deleted rapidly the cache is out of date and we get the File not found error - this is sent back to the Isilon as a Windows CEE "event" and triggers an AV Server Warning / Alert.

 

Still looking into the health state of some of the AV servers dropping to POOR - and how to spread the CAVA AV workload, as some servers seem to get saturated but there seems to be no way to change the way the Isilon distributes the workload - or increase the 5 threads that each Isilon node starts to the 4 target CAVA servers. This means in our case, with not all nodes being front end and engaging in the CAVA AV, we only have 4 active Isilon nodes (with 5 threads) * 4 AV server connections

 

To avoid this condition, you must disable the directory cache on the machines on which CAVA and AV engines are running by using the following procedure:

1. Open the Windows Registry Editor and navigate to HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters.
2. Right-click Parameters and select New > DWORD Value.
3. For the new REG_DWORD entry, type a name of DirectoryCacheLifetime.
4. Set the value to 0 to disable DirectoryCacheLifetime.
5. Click OK.
6. Restart the machine.
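
The registry change from the procedure quoted in the last post, as an added PowerShell example that is not part of the thread or of Dell's documentation: it reports the current DirectoryCacheLifetime on a CAVA/AV host and, with -Apply, sets it to 0. The key path and value name are the ones given in the steps; the function name and its -Apply switch are hypothetical.

```powershell
# Added example. Key path and value name are from the quoted procedure;
# the function name and -Apply switch are hypothetical.
function Set-CavaDirectoryCacheLifetime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Without -Apply the function only reports; with it, the value is set to 0.
        [switch]$Apply
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $name = 'DirectoryCacheLifetime'

    # An absent value means the registry override is not in place on this host.
    $item   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $before = if ($null -ne $item) { $item.$name } else { $null }

    $changed = $false
    if ($Apply -and $before -ne 0 -and
        $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 0')) {
        # -Force overwrites an existing value of a different type or data.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $changed = $true
    }

    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Before        = if ($null -eq $before) { '(not set)' } else { $before }
        After         = if ($null -eq $after)  { '(not set)' } else { $after }
        CacheDisabled = ($after -eq 0)
        # Step 6 of the procedure: the change needs a restart of the machine.
        RestartNeeded = $changed
    }
}

# Audit only (no changes):
Set-CavaDirectoryCacheLifetime
# Set the value from an elevated session, previewing first with -WhatIf:
# Set-CavaDirectoryCacheLifetime -Apply -WhatIf
# Set-CavaDirectoryCacheLifetime -Apply
```

Running the audit form on every CAVA/AV host shows which ones still lack the setting before any restart is scheduled.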
