
Re: Changed host IP now get SSL handshake failed from NRPE

Posted: Wed Nov 29, 2017 12:14 pm
by ScottG
NMAP shows it open.

Code:

[root@nagiosxi libexec]# nmap 10.33.16.39 -p 5666

Starting Nmap 6.47 ( http://nmap.org ) at 2017-11-29 10:51 CST
Nmap scan report for redrad01.uark.edu (10.33.16.39)
Host is up (0.0012s latency).
PORT     STATE SERVICE
5666/tcp open  nrpe

Also, I took out the 130.184. address from nrpe.cfg and restarted, and now I only see the SSL error, not the other one:

Code:

[sgardne@redrad01 ~]$ sudo systemctl status nrpe
● nrpe.service - Nagios Remote Program Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-11-29 11:09:49 CST; 3min 34s ago
     Docs: http://www.nagios.org/documentation
  Process: 37090 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d $NRPE_SSL_OPT (code=exited, status=0/SUCCESS)
 Main PID: 37091 (nrpe)
   CGroup: /system.slice/nrpe.service
           └─37091 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

Nov 29 11:09:49 redrad01.uark.edu systemd[1]: Starting Nagios Remote Program Executor...
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Starting up daemon
Nov 29 11:09:49 redrad01.uark.edu systemd[1]: Started Nagios Remote Program Executor.
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Server listening on 0.0.0.0 port 5666.
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Server listening on :: port 5666.
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Warning: Daemon is configured to accept command arguments from clients!
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Listening for connections on port 5666
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Allowing connections from: 127.0.0.1,10.7.2.37
Nov 29 11:10:00 redrad01.uark.edu nrpe[37153]: Error: Could not complete SSL handshake with 10.7.2.37: 1
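
Added example, not part of the original thread: a small triage over the nrpe journal lines shown in the post above. It checks whether each peer that failed the SSL handshake is covered by the logged allowed_hosts list, which separates an ACL problem from a problem in the TLS exchange or on the network path. The function names and the CIDR handling are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: two nrpe journal lines copied from the post above.
SAMPLE_LOG = """\
Nov 29 11:09:49 redrad01.uark.edu nrpe[37091]: Allowing connections from: 127.0.0.1,10.7.2.37
Nov 29 11:10:00 redrad01.uark.edu nrpe[37153]: Error: Could not complete SSL handshake with 10.7.2.37: 1
"""

ALLOW_RE = re.compile(r"nrpe\[\d+\]: Allowing connections from: (.+)$")
FAIL_RE = re.compile(
    r"nrpe\[\d+\]: Error: Could not complete SSL handshake with (\S+): (\d+)")


def parse_allowed(entries):
    """Split an allowed_hosts value into IP networks and plain hostnames."""
    nets, names = [], []
    for entry in (e.strip() for e in entries.split(",")):
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)  # hostname entry, compared as a string
    return nets, names


def triage(log_text):
    """Return one (peer, code, in_allowed_hosts) tuple per handshake failure."""
    nets, names, findings = [], [], []
    for line in log_text.splitlines():
        m = ALLOW_RE.search(line)
        if m:
            # The most recent daemon start defines the active list.
            nets, names = parse_allowed(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m:
            peer, code = m.group(1), int(m.group(2))
            try:
                addr = ipaddress.ip_address(peer)
                allowed = any(addr.version == n.version and addr in n
                              for n in nets)
            except ValueError:
                allowed = peer in names
            findings.append((peer, code, allowed))
    return findings


if __name__ == "__main__":
    for peer, code, allowed in triage(SAMPLE_LOG):
        state = "is in" if allowed else "is NOT in"
        print(f"{peer}: handshake error {code}; peer {state} allowed_hosts")
```

For the lines posted here the failing peer 10.7.2.37 is in the allowed list, so the access list is not what is rejecting it.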

Re: Changed host IP now get SSL handshake failed from NRPE

Posted: Wed Nov 29, 2017 12:16 pm
by ScottG
Also keep in mind that this worked before I made a change. The only change that was made was to the IP address.

Re: Changed host IP now get SSL handshake failed from NRPE

Posted: Wed Nov 29, 2017 12:50 pm
by npolovenko
@ScottG, are you able to connect with no SSL option? On the Nagios server, navigate to /usr/local/nagios/libexec and run:

Code:

./check_nrpe -H nrpe_hostname -n

If you are able to connect that way, please run the command specifying IPv4:

Code:

./check_nrpe -H nrpe_hostname -4

Re: Changed host IP now get SSL handshake failed from NRPE

Posted: Wed Nov 29, 2017 1:40 pm
by ScottG
I'm very sorry, but this ended up being a firewall issue. Our next-gen firewall was doing some inconsistent things that weren't getting logged, so I missed it. I really appreciate your time on this.

FYI for anyone running PAN-OS firewalls, entering "nagios" as the application and "application-defaults" for the service will cause this type of intermittent behavior. Instead, create a new service for tcp-5666 and make the application "any".

-Scott

Re: Changed host IP now get SSL handshake failed from NRPE

Posted: Wed Nov 29, 2017 2:36 pm
by npolovenko
@ScottG, That's alright. Thanks for sharing the solution with us. I will go ahead and close this thread as resolved.