Connection reset by peer on one host
Posted: Wed Jan 22, 2025 3:13 am
by HaschkeD
Hi,
we used Nagios XI V. 2024 R 1.3.1 and the newest NSClient++ on a Windows Server 2022 Domain Controller.
Very often we get these errors:
Jan 22 07:13:07 Servername check_nrpe[3637618]: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with 10.10.10.10: rc=-1 SSL-error=5
Jan 22 07:13:07 Servername nagios[2593778]: SERVICE ALERT: DC1;Windows Updates Produktiv-Server;CRITICAL;HARD;6;CHECK_NRPE: Error - Could not connect to 10.10.10.10: Connection reset by peer
Jan 21 19:59:56 Servername nagios[2701650]: SERVICE ALERT: DC1;Check CommVault Communications Service -Instance001- Service;CRITICAL;SOFT;4;connect to address 10.10.10.10 and port 12489: Verbindungsaufbau abgelehnt
Jan 22 08:48:45 Servername check_nrpe[3913813]: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with 10.10.10.10: rc=-1 SSL-error=5
Jan 22 08:48:45 Servername nagios[2593778]: SERVICE ALERT: DC1;Windows Updates Produktiv-Server;CRITICAL;HARD;6;CHECK_NRPE: Error - Could not connect to 10.10.10.10: Connection reset by peer
After a while it goes on again.......
Thanks and Regards
Dennis
Re: Connection reset by peer on one host
Posted: Wed Jan 22, 2025 6:45 pm
by DoubleDoubleA
Hi @HaschkeD,
So, to clarify, on one host out of many using NSClient++, it sometimes won't connect, but sometimes does?
Aaron
Re: Connection reset by peer on one host
Posted: Thu Jan 23, 2025 2:25 am
by HaschkeD
Correct. We have many hosts with NSClient++ (Windows Server). The problem occurs on only 2 hosts.
Yesterday I installed the newest NSClient++ and gave more CPU and RAM to this VM.
But the problem still occurs.
nsclient.log shows only this:
2025-01-22 16:31:36: error:D:\a\nscp\nscp\include\socket/connection.hpp:139: Socket was unexpectedly closed trying to send data (possibly check your timeout settings)
2025-01-22 16:31:37: error:D:\a\nscp\nscp\include\socket/server.hpp:181: Failed to set chiper-suite
When the problem occurs and I do a ping -t, there are no lost connections.
I set the timeout in the nsclient.ini to 300, but no change.
Regards
Dennis
Re: Connection reset by peer on one host
Posted: Thu Jan 23, 2025 5:13 pm
by gwesterman
Hi @HaschkeD,
Are the NSClient configurations for the working and for the broken hosts identical? Namely, are the nsclient.ini files the same? Are there any differences in the ports being used?
It may also be worth looking at this thread.
Thank you!
Re: Connection reset by peer on one host
Posted: Mon Jan 27, 2025 5:19 am
by riahc3
This is an SSL configuration on Server 2022. They removed/disabled ciphers.
Switch to NCPA.
Or
https://www.nartac.com/products/iiscrypto
Re: Connection reset by peer on one host
Posted: Mon Jan 27, 2025 4:40 pm
by bbahn
@HaschkeD,
To use check_nrpe with NSClient++, you need to update your dh key to be 2048-bit. The default 512-bit key does not work with modern versions of OpenSSL as it is considered a security vulnerability to use such a small key. You can update your key with the instructions found here:
https://support.nagios.com/kb/article/o ... t-901.html.
I'm not sure if there is also a cipher issue as riahc3 mentioned, but to use NSClient++ these days, you need to update the DH key.
Re: Connection reset by peer on one host
Posted: Thu Jan 30, 2025 4:59 am
by HaschkeD
@gwesterman
Yes, we used the same nsclient.ini on all hosts.
DH key with 2048 bit size is used.
These are my settings in nsclient.ini:
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; TODO
[/settings/default]
#password = nagios
allowed hosts = 127.0.0.1,10.xx.xx.xx
; TODO
[/settings/NRPE/server]
verify mode = none
insecure = true
ssl options =
allow arguments = true
allow nasty characters = true
use ssl = 1
port = 5666
extended response = 0
;DH KEY -
dh = ${certificate-path}/nrpe_dh_2048.pem
; TODO
[/modules]
CheckExternalScripts = 1
CheckHelpers = 1
CheckNSCP = 1
CheckDisk = 1
CheckSystem = 1
NSClientServer = 1
CheckEventLog = 1
NSCAClient = 0
WEBSErver = 0
NRPEServer = 1
[/settings/NSClient/server]
use ssl = 0
performance data = 1
port = 12489
[/settings/external scripts/wrappings]
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
bat = scripts\\%SCRIPT% %ARGS%
; An alias is an internal command that has been predefined to provide a single command without arguments. Be careful so you don't create loops (ie check_loop = check_a, check_a=check_loop)
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
[/settings/external scripts/scripts]
check_ad=cscript.exe //T:30 //NoLogo scripts\check_ad.vbs
check_ms_win_updates=cmd /c echo scripts/check_windows_updates.ps1; exit $LastExitCode | powershell.exe -command -
check_sophos=cscript.exe //NoLogo scripts\check_sophos.vbs /W:$ARG1$ /c:$ARG2$
check_database_mount_shop=cmd /c echo scripts/Check_database_mount_Shop.ps1 | PowerShell.exe -Command -
check_vmfs_datastore_vmcbdf01=cmd /c echo scripts\check_vmfs_datastore_vmcbdf01.ps1 | PowerShell.exe -Command -
check_vmfs_datastore_vcenter1=cmd /c echo scripts\check_vmfs_datastore_vcenter1.ps1 | PowerShell.exe -Command -
check_filesize=cscript.exe //nologo //T:60 scripts\check_filesize.vbs -p "$ARG1$" -f "$ARG2$" -w "$ARG3$" -c "$ARG4$"
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
timeout = 120
[/settings/log]
; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = trace
; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = nsclient.log
; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can receive.
date format = %Y-%m-%d %H:%M:%S
[/settings/log/file]
; MAXIMUM FILE SIZE - When file size reaches this it will be truncated to 50% if set to 0 (default) truncation will be disabled
max size = 2048000
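
Added example, not part of the original posts and not NSClient++ or Nagios code: a small Python check that reads the [/settings/NRPE/server] section discussed in this thread, flags the settings that affect the TLS handshake and argument handling, and compares that section between a working and a failing host. The function names, the finding texts and the second sample host are assumptions made for illustration; the first sample is taken from the settings posted above.

```python
import configparser

SECTION = "/settings/NRPE/server"

def nrpe_settings(ini_text):
    # interpolation=None keeps %SCRIPT% literal; tolerate stray lines and repeats.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    return dict(cp[SECTION]) if cp.has_section(SECTION) else {}

def audit(ini_text):
    s = nrpe_settings(ini_text)
    val = lambda key: (s.get(key) or "").strip().lower()
    on = lambda key: val(key) in ("1", "true")
    findings = []
    if not on("use ssl"):
        findings.append("use ssl: NRPE traffic is not encrypted")
    if on("insecure"):
        findings.append("insecure: legacy check_nrpe mode, weak ciphers accepted")
    if val("verify mode") == "none":
        findings.append("verify mode: peer certificate is not verified")
    if not val("dh"):  # per the thread, the default DH key is only 512-bit
        findings.append("dh: no key file set, default key in use")
    if on("allow arguments") and on("allow nasty characters"):
        findings.append("arguments: remote args with shell metacharacters accepted")
    return findings

def diff_hosts(ini_a, ini_b):
    a, b = nrpe_settings(ini_a), nrpe_settings(ini_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}

# Constructed sample: the NRPE server section as posted in the thread.
POSTED = """[/settings/NRPE/server]
verify mode = none
insecure = true
allow arguments = true
allow nasty characters = true
use ssl = 1
dh = ${certificate-path}/nrpe_dh_2048.pem
"""
# Constructed comparison host; values are hypothetical, not from the thread.
OTHER = """[/settings/NRPE/server]
verify mode = peer-cert
insecure = false
allow arguments = true
allow nasty characters = false
use ssl = 1
"""
```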