5125 Warning in Hyper-V Cluster


Recently I had to work on an issue for one of my customers related to a Hyper-V cluster. Basically, what I got to know is that the cluster was showing a warning message saying: “Cluster Shared Volume ‘Volume 2’ has identified one or more active filter drivers on this device stack that could interfere with CSV operations. I/O access will be redirected to the storage device over the network through another Cluster node. This may result in degraded performance. Please contact the filter driver vendor to verify interoperability with Cluster Shared Volumes”. Figure 1.0 shows the warning screen. Below are the steps I took to solve the issue and make the customer happy.



Figure 1.0


In addition, the mentioned CSV volume shows as Redirected Access, which is very slow, and it cannot be changed to work in direct mode the way the other two volumes do (refer to Figures 1.1 and 1.2). Redirected access is used in well-planned situations where you need to perform certain disk actions that can’t have multiple nodes accessing and locking files concurrently, such as a VSS backup.



Figure 1.1



Figure 1.2

CSV is a technology in Microsoft Failover Clusters that allows all nodes of a cluster to access the same disk at the same time. CSV is implemented as a filter driver. Microsoft has confirmed that a cluster will sometimes put a CSV in redirected mode if a filter’s Altitude is not an integer value when you run third-party applications in a Windows Server 2008 R2-based cluster. However, the same scenario happens in Windows 2012 R2 as well, in my case. So the only option is to identify the legacy filter driver and remove it from the list.

Therefore, to identify the legacy filter driver, I ran the below command in PowerShell, as shown in Figure 1.3.


Run PowerShell in Administrator mode and run the command C:\Windows\system32\fltmc filters

Once you run the command, identify the Legacy driver.



Figure 1.3


Then, when I checked the filter name, I noticed that it is related to GFI Endpoint Security software. When the internal team pushed the GFI policy, they pushed the policies to the Hyper-V cluster nodes as well. For this reason, the mentioned CSV volume was redirected, and the software cannot simply be uninstalled from the nodes themselves. Therefore, GFI had to be uninstalled from the GFI console itself. Please refer to Figure 1.4.



Figure 1.4


Once you uninstall it, run the same command again in PowerShell and verify that the Legacy driver is no longer there. Refer to Figure 1.5.




Figure 1.5


Once that is done, go back to the Cluster Console and verify that the CSV status is in online mode.


Figure 1.6
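
The before-and-after check from the steps above can be scripted so it is easy to repeat on every node. This is an added example, not part of the original post: the function name Find-SuspectFilter and the sample filter names are made up for illustration, and the sample output is constructed in the layout that fltmc filters prints.

```powershell
# Added example: flag filters that `fltmc filters` reports as <Legacy>, or whose
# altitude is not an integer (the condition described in the post).
# Find-SuspectFilter is a hypothetical helper name.
function Find-SuspectFilter {
    param([string[]]$FltmcLines)

    foreach ($line in $FltmcLines) {
        # Skip blank lines, the column header and the dashed separator row.
        if ($line -match '^\s*$' -or $line -match '^\s*Filter Name' -or $line -match '^\s*-{3,}') { continue }

        $tokens = @($line.Trim() -split '\s+')
        $name   = $tokens[0]

        if ($line -match '<Legacy>') {
            # Legacy filter rows carry no instance count or altitude.
            [pscustomobject]@{ Filter = $name; Altitude = $null; Reason = 'Legacy filter driver' }
            continue
        }

        # Minifilter row: Name, Num Instances, Altitude, Frame.
        if ($tokens.Count -ge 4 -and $tokens[2] -notmatch '^\d+$') {
            [pscustomobject]@{ Filter = $name; Altitude = $tokens[2]; Reason = 'Non-integer altitude' }
        }
    }
}

# Constructed sample output; the filter names are placeholders, not from the post.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleAvFlt                            4       328200         0
ExampleFracFlt                          4       385500.8       0
ExampleLegacyDrv                                              <Legacy>
'@ -split "`r?`n"

Find-SuspectFilter -FltmcLines $sample | Format-Table -AutoSize

# On a cluster node, from an elevated prompt, feed the live output instead:
#   Find-SuspectFilter -FltmcLines (& "$env:SystemRoot\System32\fltmc.exe" filters)
# Then confirm the per-node CSV state (FailoverClusters module, Windows Server 2012 R2):
#   Get-ClusterSharedVolumeState | Select-Object Name, Node, StateInfo, FileSystemRedirectedIOReason
```

An empty result after the uninstall, together with StateInfo showing Direct for the volume on every node, matches what Figures 1.5 and 1.6 show in the console.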