NRPE - v3/v4 Compatibility With Previous Versions

Overview

This KB article discusses NRPE v3/v4 and it's compatibility with previous versions of NRPE and clients that use NRPE such as NSClient++.

NRPE v3 has two major improvements over previous versions:

• Increased packet size up to 64K (referred to as v3 packet)

  • Previous versions were limited to 1K (referred to as v2 packet)

• Increased SSL security

  • A 2048-bit DH key is used instead of a 512-bit key

  • Certificates can be used for security

NRPE v4 includes the following improvements:

• Added TLSv1.3 and TLSv1.3+ support for systems that have it
• Added IPv6 ip address to list of default allow_from hosts
• Added -D option to disable logging to syslog
• Added -3 option to force check_nrpe to use NRPE v3 packets

Issues that may arise from these enhancements will be covered in this KB article.

Nomenclature

The following explains the terms used in this document.

• Client / Agent

  • This is what is listening for NRPE requests

  • "NRPE Client" refers to the Unix/Linux based client, provided by Nagios Enterprises

  • NSClient++ is the Windows client that has an NRPE listening module, developed externally by a third party

• Plugin

  • This is what sends the request off to the client / agent

  • check_nrpe is the name of the binary

  • This is what is installed on the Nagios server, but is also installed on the NRPE client by default (not NSClient++)

Increased Packet Size

Previous versions of NRPE were limited to 1K in the response sent back to the plugin. In NRPE v3/v4 this has been increased up to 64K. This affects some combinations of the plugin and client as per the following.

Plugin v3/v4 > NRPE v2 Client 

In this scenario you have upgraded the plugin on the Nagios server but the client has not been upgraded (centos12 in this example).

You execute this command on the nagios server:

/usr/local/nagios/libexec/check_nrpe -H centos12

This is the result from running the command:

NRPE v2.15

On the NRPE v2 Client you will see the following logged per connection attempt:

Jun 24 16:35:14 centos12 xinetd[1533]: START: nrpe pid=1682 from=::ffff:10.25.13.2
Jun 24 16:35:14 centos12 nrpe[1682]: Error: Request packet type/version was invalid!
Jun 24 16:35:14 centos12 nrpe[1682]: Client request was invalid, bailing out...
Jun 24 16:35:14 centos12 xinetd[1533]: EXIT: nrpe status=0 pid=1682 duration=0(sec)
Jun 24 16:35:16 centos12 xinetd[1533]: START: nrpe pid=1683 from=::ffff:10.25.13.2
Jun 24 16:35:16 centos12 xinetd[1533]: EXIT: nrpe status=0 pid=1683 duration=0(sec)

On the Nagios server with the Plugin v3/v4 will see the following logged per connection attempt:

Jun 24 16:42:04 fbsd01 check_nrpe: Remote 10.25.13.30 does not support Version 3 Packets
Jun 24 16:42:06 fbsd01 check_nrpe: Remote 10.25.13.30 accepted a Version 2 Packet

When the NRPE v3/v4 client first establishes a connection, it tries with the v3/v4 packet. This results in the older client rejecting the request. Upon receiving the rejected request the plugin will then attempt to connect with the v2 packet. This request will succeed however errors are produced in the log on the client and the Nagios server.

The options you have to stop the errors are:

• Upgrade the client to v3/v4

  • This will stop the errors

• Force the plugin to send v2 packets

  • Using the -2 argument will force the plugin to connect with v2 packets

  • /usr/local/nagios/libexec/check_nrpe -2 -H centos12

Plugin v3/v4 > NSClient++

In this scenario you have upgraded the plugin on the Nagios server and your agents are using NSClient++.

You execute this command on the nagios server:

/usr/local/nagios/libexec/check_nrpe -H 10.25.14.2

This is the result from running the command:

CHECK_NRPE: Socket timeout

In the NSClient++ log you will see the following logged per connection attempt:

2016-06-24 16:52:16: error:c:\source\master\include\socket/connection.hpp:143: Failed to read data: short read

This problem usually arises when NSClient++ has the payload length setting defined at a value other than 1024 (default).

When NSClient++ has the payload length setting defined, the check_nrpe plugin requires the arguments -2 -P xxxx where xxxx is the value defined for payload length.

/usr/local/nagios/libexec/check_nrpe -2 -P 65536 -H 10.25.14.2 

For more information on using NSClient++ with the payload length setting please read this KB article:

Documentation - Packet Size Explained

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/