NagiosXI Network Maxed

[scottwilkerson]

Ok, so both this command and the tcpdump show no connections at all to 180.188.20.33 from Nagios XI server

[abishop]

pfsense says otherwise. How I got this far ,and confirmed it is, as follows:

Noticed network was slow, rebooted router.
Seemed fine, day later slow again. This time I looked at the firewall logs and LAN/WAN charts to see my internal network outgoing was maxed as well as WAN outgoing maxed. Per the logs, able to see the source as being the XI box host to the 180.188.20.33 address.
We shut down the XI box, and the network goes back to normal.
To eliminate the Hyper-V host, we moved the VM to another host.
Turned XI VM back on, network flooded.
Created a firewall rule within pfsesnse to block the destination from leaving internal.
Called Nagios, and created this forum request.

[scottwilkerson]

How much traffic is pfsense saying is going there?

when you did the tcpdump, did you let it run for 5-10 minutes like our post said?

[abishop]

How much traffic is pfsense saying is going there?

when you did the tcpdump, did you let it run for 5-10 minutes like our post said?

Enough traffic that our normal 5-10 meg outbound maxed to 100 meg

Yes I did. I started it, and completed a digital fingerprint for a customer. Which was at least 5 mins.

[scottwilkerson]

As we don't have anything builtin that connects to that address you may want to consider deploying a new XI instance and restoring a backup

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

[abishop]

As we don't have anything builtin that connects to that address you may want to consider deploying a new XI instance and restoring a backup

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

I have done so, so far we are good. I will give it some time and update this post.

Thank you for your help thus far!!!!

[scottwilkerson]

As we don't have anything builtin that connects to that address you may want to consider deploying a new XI instance and restoring a backup

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

I have done so, so far we are good. I will give it some time and update this post.

Thank you for your help thus far!!!!

Sounds good!

[abishop]

All seems to be right in the world. After investigating today, I discovered the IP XI self assigned belonged to our old FTP server. There were still some active NAT rules which could have allowed the outside world in. I'm blaming that as being the root cause.

Thank you very much for your help.

Very Merry Happy Holidays all!

[scottwilkerson]

All seems to be right in the world. After investigating today, I discovered the IP XI self assigned belonged to our old FTP server. There were still some active NAT rules which could have allowed the outside world in. I'm blaming that as being the root cause.

Thank you very much for your help.

Very Merry Happy Holidays all!

Great! Glad you have it solved!

Locking thread