NagiosXI Network Maxed
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: NagiosXI Network Maxed
OK, so both this command and the tcpdump show no connections at all to 180.188.20.33 from the Nagios XI server.
Re: NagiosXI Network Maxed
pfsense says otherwise. How I got this far, and confirmed it, is as follows:
Noticed network was slow, rebooted router.
Seemed fine, day later slow again. This time I looked at the firewall logs and LAN/WAN charts to see my internal network outgoing was maxed as well as WAN outgoing maxed. Per the logs, able to see the source as being the XI box host to the 180.188.20.33 address.
We shut down the XI box, and the network goes back to normal.
To eliminate the Hyper-V host, we moved the VM to another host.
Turned XI VM back on, network flooded.
Created a firewall rule within pfsense to block the destination from leaving internal.
Called Nagios, and created this forum request.
Re: NagiosXI Network Maxed
How much traffic is pfsense saying is going there?
When you did the tcpdump, did you let it run for 5-10 minutes like our post said?
Re: NagiosXI Network Maxed
scottwilkerson wrote: How much traffic is pfsense saying is going there?
When you did the tcpdump, did you let it run for 5-10 minutes like our post said?
Enough traffic that our normal 5-10 meg outbound maxed to 100 meg.
Yes I did. I started it, and completed a digital fingerprint for a customer. Which was at least 5 mins.
Re: NagiosXI Network Maxed
As we don't have anything built-in that connects to that address, you may want to consider deploying a new XI instance and restoring a backup.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Re: NagiosXI Network Maxed
scottwilkerson wrote: As we don't have anything builtin that connects to that address you may want to consider deploying a new XI instance and restoring a backup
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
I have done so, so far we are good. I will give it some time and update this post.
Thank you for your help thus far!!!!
Re: NagiosXI Network Maxed
abishop wrote: scottwilkerson wrote: As we don't have anything builtin that connects to that address you may want to consider deploying a new XI instance and restoring a backup
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
I have done so, so far we are good. I will give it some time and update this post.
Thank you for your help thus far!!!!
Sounds good!
Re: NagiosXI Network Maxed
All seems to be right in the world. After investigating today, I discovered the IP XI self-assigned belonged to our old FTP server. There were still some active NAT rules which could have allowed the outside world in. I'm blaming that as being the root cause.
Thank you very much for your help.
Very Merry Happy Holidays all!
Re: NagiosXI Network Maxed
abishop wrote: All seems to be right in the world. After investigating today, I discovered the IP XI self assigned belonged to our old FTP server. There were still some active NAT rules which could have allowed the outside world in. I'm blaming that as being the root cause.
Thank you very much for your help.
Very Merry Happy Holidays all!
Great! Glad you have it solved!
Locking thread