Nagios Support Forum

Could not construct return packet in NRPE handler check client side (nsclient.log) logs...

We are getting connection issues after applying configuration.

When I "Acknowledge a problem" It doesn't show acknowledge.

Did you run an update recently to the 5.5.x version of XI ? If so, the first issue is likely due to the check_nrpe plugin getting updated to v3 along with the update but the nrpe agent not supporting nrpe v3. Details and a fix can be found at https://support.nagios.com/forum/viewto ... 16&t=49228.

The other issues could be related to php.ini settings. Use https://support.nagios.com/kb/article/n ... e-611.html to increase some key values. I like to use the values:

memory_limit = 1024M
max_execution_time = 120
max_input_time = 180
max_input_vars = 100000

After making this change and restarting apache, delete and rewrite the config by going to Configure > Core Config Manager > Tools > Config File Management, and clicking:

Delete Files
Write Configs
Verify Files
Restart Nagios Core

I would suggest making splitting these post into their own individual threads if any further assistance is needed on any of these topics.

I changed these settings, We are on 5.5.2, Client 3.9.328 NRPE not changed. I opened a ticket for the other requests, this thread for NRPE only, Thanks

NRPE Plugin for Nagios
Version: 3.2.1

Copyright (c) 2009-2017 Nagios Enterprises
1999-2008 Ethan Galstad ([email protected])

Last Modified: 2017-09-01

License: GPL v2 with exemptions (-l for more info)

SSL/TLS Available: OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]
[-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]
[-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]
[-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]
[-c <command>] [-E] [-a <arglist...>]

Options:
-H, --host=HOST The address of the host running the NRPE daemon
-2, --v2-packets-only Only use version 2 packets, not version 3
-4, --ipv4 Bind to ipv4 only
-6, --ipv6 Bind to ipv6 only
-n, --no-ssl Do no use SSL
-u, --unknown-timeout Make connection problems return UNKNOWN instead of CRITICAL
-V, --version Print version info and quit
-l, --license Show license
-E, --stderr-to-stdout Redirect stderr to stdout
-d, --use-dh=DHOPT Anonymous Diffie Hellman use:
0 Don't use Anonymous Diffie Hellman
(This will be the default in a future release.)
1 Allow Anonymous Diffie Hellman (default)
2 Force Anonymous Diffie Hellman
-P, --payload-size=SIZE Specify non-default payload size for NSClient++
-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
SSLv2 SSL v2 only
SSLv2+ SSL v2 or above
SSLv3 SSL v3 only
SSLv3+ SSL v3 or above
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above
-L, --cipher-list=LIST The list of SSL ciphers to use (currently defaults
to "ALL:!MD5:@STRENGTH". THIS WILL change in a future release.)
-C, --client-cert=FILE The client certificate to use for PKI
-K, --key-file=FILE The private key to use with the client certificate
-A, --ca-cert-file=FILE The CA certificate to use for PKI
-s, --ssl-logging=OPTIONS SSL Logging Options
-b, --bind=IPADDR Local address to bind to
-f, --config-file=FILE Configuration file to use
-g, --log-file=FILE Log file to write to
-p, --port=PORT The port on which the daemon is running (default=5666)
-c, --command=COMMAND The name of the command that the remote daemon should run
-a, --args=LIST Optional arguments that should be passed to the command,
separated by a space. If provided, this must be the last
option supplied on the command line.

NEW TIMEOUT SYNTAX
-t, --timeout=INTERVAL:STATE
INTERVAL Number of seconds before connection times out (default=10)
STATE Check state to exit with in the event of a timeout (default=CRITICAL)
Timeout STATE must be a valid state name (case-insensitive) or integer:
(OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3)

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here. Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin. This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.

Modify the check_nrpe commands on teh XI side so that they use "-2" and let us know the results. I don't believe the version of nsclient++ you have supports nrpe v3.

Added String didnt seam to change error.

Output

[root@nagios ~]# /usr/local/nagios/libexec/check_nrpe -2 -P 8192 -H 10.1.0.9
connect to address 10.1.0.9 port 5666: Connection refused
connect to host 10.1.0.9 port 5666: Connection refused
You have mail in /var/spool/mail/root

Does the nsclient config have the "allow_arguements" option? see https://forums.nsclient.org/t/help-a-newbie-please/3452

Also make sure that the XI server's IP appears it's allowed_hosts config.

Feel free to send a copy of the client's config if the above doesn't help resolve the problem.