Windows Service Monitoring

[HBRMonitoring]

un/fortunately the Firewall is OFF on the windows servers.

THe output of the command you shared are as below form the Nagios server:

curl -k -L -v https://<end server1 IP>:5693
* About to connect() to <end server1 IP> port 5693 (#0)
* Trying <end server1 IP>... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host


curl -k -L -v https://<end server2 IP>:5693
* About to connect() to <end server2 IP> port 5693 (#0)
* Trying <end server2 IP>... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host


I tried with FQDN, still got the same error.

I am able to ping these servers from Nagios server without any issues.

[benjaminsmith]

Hi,

That curl error, curl: (7) couldn't connect to host, is pretty clear that something is blocking the port connection between the XI server and the Windows hosts. If the NCPA service was not running, you would see a timeout message.

You can also try running a map scan on the host from the XI server.

Code: Select all

nmap <ip address>

Running a netstat from the Window hosts will let you know if it's listening on tcp port 5693.

Code: Select all

netstat -a

I would recommend reaching out to your network admin as something is between the remote Windows host and the XI server.

[HBRMonitoring]

Hi Benjamin,

Please find details below:

I executed the command from my end and below is the output.

-bash-4.1$ nmap Windows_IP

Starting Nmap 6.47 ( http://nmap.org ) at 2020-11-23 08:20 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds


-bash-4.1$ ping Windows_IP
PING Windows_IP (Windows_IP) 56(84) bytes of data.
64 bytes from Windows_IP: icmp_seq=1 ttl=119 time=24.7 ms
64 bytes from Windows_IP: icmp_seq=2 ttl=119 time=24.3 ms
^C
--- Windows_IP ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1954ms
rtt min/avg/max/mdev = 24.392/24.550/24.708/0.158 ms


-bash-4.1$ nmap -Pn Windows_IP

Starting Nmap 6.47 ( http://nmap.org ) at 2020-11-23 08:20 GMT
Nmap scan report for Windows_IP
Host is up (0.024s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
5666/tcp open nrpe

Nmap done: 1 IP address (1 host up) scanned in 6.69 seconds


I also have the output of the netstat command. But, is it safe to upload here, as it will expose the IP address and other details to public.

[benjaminsmith]

Hi,

If there is sensitive data, you can PM the file or output. You should see something like the following entry in the output of the netstat command that shows it's listening on tcp port 5693.

TCP 0.0.0.0:5693 DESKTOP-OUK3A89:0 LISTENING

If not, try restarting the Nagios listeners (there are 2 services active and passive) in Windows.

[HBRMonitoring]

I have PM'd you the files. Kindly check and let me know

[ssax]

What is the output of this command from the XI server CLI?

Code: Select all

nmap -Pn -p5693 <end server1 IP>

Do you see any errors on that Windows server's ncpa_listener.log file? Please send us that file from the windows server.

You can also edit the ncpa.cfg on the windows server and under the [listener] section change this:

Code: Select all

loglevel =warning

To:

Code: Select all

loglevel =debug

Then restart the windows ncpa_listener service, run the check again, and send us any ncpa_listener.log output from the windows server.

[HBRMonitoring]

Hi,

I have shared the logs. I havent seen any change in status. it still times out. can you pls check ASAP and let me know the status, as to why it is failing?
The services is restarted and logs are sent over PM.

[ssax]

I do not see a PM from you. I asked @benjaminsmith and he doesn't see the info either.

Please send us the output of this command:
- Run from the XI server, change X.X.X.X to the IP of the windows server

Code: Select all

nmap -Pn -p5693 X.X.X.X

Then edit the ncpa.cfg on the windows server and under the [listener] section change this:

Code: Select all

loglevel =warning

To:

Code: Select all

loglevel =debug

Then restart the windows ncpa_listener service, run the check again replicating the failure, and send us the ncpa_listener.log from the windows system.

Thank you!

[HBRMonitoring]

nmap -Pn -p5693 <IP>

Starting Nmap 6.47 ( http://nmap.org ) at 2021-01-05 08:50 GMT
Nmap scan report for <IP>
Host is up.
PORT STATE SERVICE
5693/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds


I am trying to share the listner.log via PM, but its stuck in outbox. How do I make sure it is SENT and not stuck in outbox.

[ssax]

Since windows is showing it listening in netstat we know it's listening on the system.

Filtered means it's being blocked by a firewall or some security device in the path or on the remote host:

Code: Select all

5693/tcp filtered unknown

NMAP will not show filtered for any other reason so it has to be a firewall (in the path or on the remote system) or an IPS device in the path (or HIPS on the remote system) impacting it.

Please work with your security/network team in order to investigate what is blocking it and allow it through.