Page 1 of 2
check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 8:46 am
by btayl
We moved to a new server and the IP and the DNS stayued the samenow we get the following
Running the following command I get
[
[email protected] ~]$ /usr/local/nagios/libexec/check_http -H mrt.med.umich.edu -f ok -I 172.20.175.86 -u '/MRTWeb/login.do' -S --sni -p 443
CRITICAL - Socket timeout
I can get to the web page in a browser
https://mrt.med.umich.edu/MRTWeb/login.do
Re: check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 12:23 pm
by pbroste
Hello @btayl
Thanks for reaching out, typically see socket timeout when there is a interruption. It is connecting but the established connection is interrupted due to invalid security check or other reason.
Do you have Selinux or any other security application enabled?
Let's go ahead and run the check_http command with verbose output so we can see what is going on:
Code: Select all
/usr/local/nagios/libexec/check_http --verbose -H mrt.med.umich.edu -f ok -I 172.20.175.86 -u '/MRTWeb/login.do' -S --sni -p 443
Good idea to append a redirect as this will scroll through by:
/usr/local/nagios/libexec/check_http --verbose -H mrt.med.umich.edu -f ok -I 172.20.175.86 -u '/MRTWeb/login.do' -S --sni -p 443 > /tmp/results.txt
Please also verify that this one passes:
Code: Select all
/usr/local/nagios/libexec/check_http -w 5 -c 10 --ssl -H www.verisign.com
Please let me know the results,
Perry
Re: check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 12:58 pm
by btayl
This is running on an AIX machine through a load balancer
Re: check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 1:31 pm
by btayl
I was wrong they are behind a netscaler overbalancer but they are on rhel 8.4 wit selinux disabled
Re: check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 4:20 pm
by pbroste
Hello @btayl
What do you get on these on the RHEL 8.4?
CODE: SELECT ALL
/usr/local/nagios/libexec/check_http --verbose -H mrt.med.umich.edu -f ok -I 172.20.175.86 -u '/MRTWeb/login.do' -S --sni -p 443
Good idea to append a redirect as this will scroll through by: /usr/local/nagios/libexec/check_http --verbose -H mrt.med.umich.edu -f ok -I 172.20.175.86 -u '/MRTWeb/login.do' -S --sni -p 443 > /tmp/results.txt
Please also verify that this one passes:
CODE: SELECT ALL
/usr/local/nagios/libexec/check_http -w 5 -c 10 --ssl -H
http://www.verisign.com
Thanks,
Perry
Re: check_http CRITICAL - Socket timeout
Posted: Thu Sep 16, 2021 9:33 pm
by btayl
cat /tmp/results.txt
CRITICAL - Socket timeout
option f:0
also If I do a
./check_http -w 5 -c 10 --ssl -H
www.verisign.com
HTTP OK: HTTP/1.1 200 OK - 149074 bytes in 0.283 second response time |time=0.282550s;5.000000;10.000000;0.000000 size=149074B;;;0
Re: check_http CRITICAL - Socket timeout
Posted: Fri Sep 17, 2021 10:42 am
by pbroste
Hello @btayl
Looks like we are not able to get results back from
'mrt.med.umich.edu'. Are we able to return a connection status ok with SSL stats:
Code: Select all
openssl s_client -connect mrt.med.umich.edu:443
And
Code: Select all
openssl s_client -connect mrt.med.umich.edu:443 -showcerts
Just checking on this:
Code: Select all
openssl s_client -connect mrt.med.umich.edu:80
Please let me know what you get for results,
Perry
Re: check_http CRITICAL - Socket timeout
Posted: Fri Sep 17, 2021 12:42 pm
by btayl
openssl s_client -connect mrt.med.umich.edu:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631900387
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
openssl s_client -connect mrt.med.umich.edu:443 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631900459
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
openssl s_client -connect mrt.med.umich.edu:80
socket: Bad file descriptor
connect:errno=9
Re: check_http CRITICAL - Socket timeout
Posted: Fri Sep 17, 2021 4:08 pm
by pbroste
Hello @btayl
Thanks for following up with the results, looks like there is no cert used which is failing the check.
Let's see what the
alternate HTTP check does; which is attached. Download, move to your plugins and
chmod +x check_http_alt on it.
The test command looks like this:
Code: Select all
check_http_alt -I <ipaddressofyournagios> -u localhost/nagiosxi -p 443
We are looking for results that look like this:
If it does not establish a connection we will see this:
Let me know the results,
Perry
Re: check_http CRITICAL - Socket timeout
Posted: Sat Sep 18, 2021 5:28 am
by btayl
./check_http_alt -I 172.20.66.100 -u localhost/nagiosxi -p 443
Unknown status code URL
http://localhost/nagiosxi on 172.20.66.100. 0.001s, 0 bytes.
http://h.xy.no/bCWjCO