NCPA listener starts, but not listening

hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Post by hbouma »

I have installed NCPA 2.1.5 on SLES 11 SP4 64bit. The installer works fine and the issue blocking the reboot of the ncpa_listener was fixed in this new version. However, after install, the system isn't listening on port 5693.
$ /etc/init.d/ncpa_listener status
NCPA Listener: Service is running. (pid 5834)

$ netstat -a | grep 5693

$ netstat -a | grep ncpa

$ more /usr/local/ncpa/etc/ncpa.cfg | grep port
# IP address and port number for the Listener to use for the web GUI and API
# Default: port = 5693
port = 5693

There are no errors listed in the ncpa_listener.log file
$ cat /usr/local/ncpa/var/log/ncpa_listener.log
2018-06-21 08:56:39,835 5834 INFO started
2018-06-21 08:56:39,836 5834 INFO Using SSL version TLSv1_2

We have verified that there are no firewall rules on the network side to block this. We have also disabled the local firewall to test if that may be the issue.

Does anyone have any ideas on how to move forward with this?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NCPA listener starts, but not listening

Post by scottwilkerson »

how about?

Code:

netstat -nlp|grep 5693

Re: NCPA listener starts, but not listening

Post by hbouma »

It does show listening, but we get a connection refused at every attempt to reach the server.

$ netstat -nlp | grep 5693
tcp 0 0 0.0.0.0:5693 0.0.0.0:* LISTEN 22055/ncpa_listener

$ telnet XXXXXX 5693
Trying XXXXXXX ...
telnet: connect to address XXXXXXX: Connection refused

Re: NCPA listener starts, but not listening

Post by scottwilkerson »

it requires SSL

how about this

Code:

curl https://XXXXXXX:5693/ -k

Re: NCPA listener starts, but not listening

Post by hbouma »

curl https://xxxxxxx:5693/ -k
curl: (35) Encountered end of file

When trying to hit it from the NagiosXI GUI, I get:
"Unable to contact server at https://XXXXXXXXX:5693/testconnect?token=XXXXXXX"


FYI, both responses are near instantaneous. This rules out a network firewall problem, and confirms that it isn't timing out when attempting to communicate.

Re: NCPA listener starts, but not listening

Post by scottwilkerson »

can you run this on the server with NCPA installed

Code:

curl https://localhost:5693/ -k

Re: NCPA listener starts, but not listening

Post by hbouma »

Now that gives some additional information

$ curl https://localhost:5693/ -k
curl: (35) Unknown SSL protocol error in connection to localhost:5693

I am running curl 7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10

When I changed the ncpa.cfg from ssl_version = TLSv1_1 to ssl_version = TLSv1 and restarted the NCPA_Listener, I still receive the same error.

Also get the error when I tell curl to force TLSv1
$ curl https://localhost:5693/ -k -1
curl: (35) Unknown SSL protocol error in connection to localhost:5693

Updated log file:
2018-06-21 11:02:20,586 21761 INFO started
2018-06-21 11:02:20,587 21761 INFO Using SSL version TLSv1_2
2018-06-21 11:02:25,070 21761 INFO stopped
2018-06-21 11:02:25,655 22055 INFO started
2018-06-21 11:02:25,656 22055 INFO Using SSL version TLSv1_2
2018-06-21 12:03:05,408 22055 INFO stopped
2018-06-21 12:03:05,993 10417 INFO started
2018-06-21 12:03:05,993 10417 INFO Using SSL version TLSv1
2018-06-21 12:11:44,618 10417 INFO stopped
2018-06-21 12:11:45,207 14257 INFO started
2018-06-21 12:11:45,208 14257 INFO Using SSL version TLSv1

Re: NCPA listener starts, but not listening

Post by scottwilkerson »

OK, so you couldn't connect from outside but can from on the server; this is telling me that there is some sort of firewall blocking, either on the server or a hardware firewall.

Can you ping this IP from the XI server?

Re: NCPA listener starts, but not listening

Post by hbouma »

I can ping.

Based on some additional research I see the following:

From server with NCPA
$ curl -v https://localhost:5693/
* About to connect() to localhost port 5693 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 5693 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* TLSv1.0, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to localhost:5693
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to localhost:5693

Also from server with NCPA
openssl s_client -connect localhost:5693 -tls1
CONNECTED(00000003)
write:errno=104

From Nagios XI server
$ curl -v https://xxxxxxx:5693/
* About to connect() to xxxxxxx port 5693 (#0)
* Trying XXX.XXX.XXX.XXX...
* Connected to miokwebsvt01 (XXX.XXX.XXX.XXX) port 5693 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

Also from Nagios XI server
openssl s_client -connect xxxxxxxx:5693 -tls1
CONNECTED(00000003)
140069711628176:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1529609798
Timeout : 7200 (sec)
Verify return code: 0 (ok)
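
The telnet, curl and openssl checks in this thread test two separate layers: whether TCP connects, and whether the TLS handshake completes. As an added example (not part of any post and not Nagios code), this Python function runs both steps in order and reports which layer failed; the name `probe` and the `localhost` target are assumptions, and port 5693 is the one from the ncpa.cfg shown above.

```python
import socket
import ssl


def probe(host, port, version=None, timeout=3.0):
    """Return (layer, detail); layer is 'tcp', 'tls', 'client' or 'ok'."""
    # Step 1: plain TCP connect, the same check telnet performs.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp", "connection refused")
    except OSError as exc:  # timeout, no route, name resolution failure
        return ("tcp", f"connect failed: {exc}")

    # Step 2: TLS handshake on that socket, without certificate
    # verification (what curl -k does for a self-signed agent certificate).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if version is not None:  # pin one version, like curl -1 or -tls1
            ctx.minimum_version = ctx.maximum_version = version
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except ValueError as exc:  # local OpenSSL build cannot offer that version
        return ("client", str(exc))
    except ssl.SSLError as exc:  # alert, protocol mismatch or EOF mid-handshake
        return ("tls", f"handshake failed: {exc.reason or exc}")
    except OSError as exc:  # reset by peer (errno 104) during the handshake
        return ("tls", f"peer dropped the connection: {exc}")
    finally:
        raw.close()


if __name__ == "__main__":
    # Hypothetical target: the agent's own host and the port from ncpa.cfg.
    for v in (None, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2):
        print(v.name if v else "default", probe("localhost", 5693, v))
```

A `tcp` result points at the listener binding or packet filtering; a `tls` result means the port accepted the connection and the failure is in the handshake itself.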

Re: NCPA listener starts, but not listening

Post by scottwilkerson »

hbouma wrote:
From Nagios XI server
$ curl -v https://xxxxxxx:5693/

You would need to pass the insecure flag because you do not have a proper key on here; it is just a self-signed key.

That's why I had the -k flag when I sent it to you,
so the following would be more useful:

Code:

$ curl -v -k https://xxxxxxx:5693/
Locked