Event ID - 4870

Event Id4870
SourceMicrosoft-Windows-FailoverClustering
DescriptionUser mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the '%1' process with a process ID '%2', for '%3' seconds. Recovery action will be taken.
Event Information According to Microsoft :

Cause :

This event is logged when User mode health monitoring has detected that the system is not being responsive.

Resolution :

Discover process that is draining resources or otherwise slowing down the node

The health monitoring process that is part of failover clustering has detected that system responsiveness has slowed. If you do not currently have Event Viewer open, see "Opening Event Viewer and viewing events related to failover clustering." Using the information from the event, review the applications and services running on the node to discover which process is draining resources or otherwise slowing down the node. You can use one or more of the following methods:

Use Task Manager. For more information, see "Using Task Manager to work with applications or services consuming large amounts of memory."

Generate a System Diagnostics Report, which will present system information collected for 60 seconds. This may take several minutes if the system is critically low on resources. For more information, see "Generating a System Diagnostics Report."

Use Resource Monitor to determine, in real-time, how many system resources a service or application is utilizing. This may take several minutes if the system is critically low on resources.

To perform the following procedures, you must be a member of the local Administrators group on each clustered server, or you must have been delegated the equivalent authority.

Using Task Manager to work with applications or services consuming large amounts of memory

To use Task Manager to work with applications or services consuming large amounts of memory:
  1. Press Ctrl+Shift+ESC to open Task Manager.
  2. On the Processes tab, click the column header to sort by Memory (Private Working Set) . Click the column header again to reverse the sort order.
  3. Use the list to identify applications or services consuming the most memory.
  4. If appropriate, close an application or service:
    Attempt to close an identified application normally by exiting the application.
If the application is unresponsive, on the Applications tab in Task Manager, click the application you want to close and then click End Task. Windows will attempt to close the application normally. You might be prompted to save your work. Note that in low resource conditions, this step can take several seconds.

If Windows cannot close the application normally, you will be prompted to end the process. Ending a process can cause data loss.

Generating a System Diagnostics Report

To generate a System Diagnostics Report:
  1. Open an elevated Command Prompt. Click Start , point to All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator .
  2. Type perfmon /report and press ENTER. Reliability and Performance Monitor will start collecting data to create the System Diagnostics Report.
  3. When the report is ready for viewing, locate the Diagnostic Results section of the report and check for any Warnings . You can follow links to additional help on resolving warnings from this section. In addition, you can expand each category in the Basic System Checks section to see more details about why warnings appear. Also, the Performance section provides process-level detail about top consumers of resources.
Starting Resource Monitor

To start Resource Monitor:

Important : Resource Monitor stops collecting information while a System Diagnostics Report is being generated. To start collecting information after a System Diagnostics Report has completed, in Monitor , click Start .
  1. Open an elevated Command Prompt. Click Start , point to All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator .
  2. Type perfmon /res and press ENTER. Resource Monitor will start running.
  3. Four scrolling graphs in the Resource Overview pane display the real-time usage of CPU, Disk, Network, and Memory. Four expandable sections below the graphs contain process-level detail about each resource. Click the resource labels to see more information, or click a graph to expand its corresponding details. You can use the real-time usage information to identify top resource consumers. Click a column heading to sort the data in the table by that column; click the column heading again to reverse the sort order.
Opening Event Viewer and viewing events related to failover clustering

To open Event Viewer and view events related to failover clustering:
  1. If Server Manager is not already open, click Start , click Administrative Tools , and then click Server Manager . If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue .
  2. In the console tree, expand Diagnostics, expand Event Viewer , expand Windows Logs , and then click System .
  3. To filter the events so that only events with a Source of FailoverClustering are shown, in the Actions pane, click Filter Current Log . On the Filter tab, in the Event sources box, select FailoverClustering . Select other options as appropriate, and then click OK .
  4. To sort the displayed events by date and time, in the center pane, click the Date and Time column heading.
Verify :

Use Performance Monitor to confirm that system resources are not being drained and the node is functioning normally.
Reference LinksEvent ID 4870 from Microsoft-Windows-FailoverClustering

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.