nrpe-nt not sending FIN/SYN?

Andrew Ruddock andrew.ruddock at tst-us.com
Fri Jul 14 22:07:53 CEST 2006


Current timer values in the Pix, which seem more than reasonable to me.  
These are the defaults.  In fact, I may even want to shorten some of them.

timeout xlate 3:00:00  (Specifies the idle time until a translation slot 
is freed; the minimum value is one minute.)

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
conn = Specifies the idle time after which a connection closes; the 
minimum duration is five minutes.
half-closed = Specifies the idle time after which a TCP half-closed 
connection will be freed.

I cannot disclose IP addresses, nor can I post the actual dump due to 
security protocols in my place of employment.  However, I have attached 
a .jpg of one of the tcp streams in question.  The stream seems normal 
to me (excluding the frame segmentation) up until frame 15.  I would 
have expected to see either a SYN or FIN to close the session between 
the nagios server and the nrpe client, but you don't.  You just see the 
Reset and Acknowledgement in frame 15.  The RST most likely came from 
the firewall after not getting a SYN in the last packet, I'm guessing.  
We are using an SSL handshake between the server and the client and 
originally thought that maybe it was being hidden by the SSL, but that 
shouldn't be the case.

Thank you,

Andrew


Hugo van der Kooij wrote:
> On Fri, 14 Jul 2006, Andrew Ruddock wrote:
>
>   
>> We are running Nagios 2.2 on a linux server which sits in one dmz behind
>> a Cisco Pix firewall.  The Nagios server is checking the NRPE-NT 0.8b
>> client on many Windows 2000/2003 servers in another dmz.  We have a
>> firewall policy that permits the Nagios server and associated NRPE port
>> to connect to any host in the second dmz.
>>
>> Although Nagios is able to connect and receive responses from the NRPE
>> clients, it appears that the connections are not being closed
>> gracefully.  My firewall, the Pix, is being flooded with tons of Denial
>> messages.  I've done packet captures to try and isolate the problem, and
>> it appears that the NRPE client is sending a frame without a FIN or SYN
>> in it.  This is causing my firewall to log a LOT more than it really
>> needs to.
>>     
>
> I think I would like to see a full trace to establish who is not playing
> ball here.
>
> My guess is that a TCP connection is initiated and assumed to be open for
> ages by Nagios (and relatives). But without traffic the PIX will shut down
> the session after N seconds (where N could be a common number like: 60,
> 300, 900 or 3600).
>
> So in order to pass sentence we need the evidence in full.
>
> But I would put my money on the PIX being the offender.
>
> Hugo.
>
>   
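The thread turns on how each NRPE session actually ended: a FIN from both sides (graceful), a FIN from only one side that is later torn down by an RST (the half-closed case the PIX `timeout conn ... half-closed 0:10:00` value governs), or an RST with no FIN at all. The script below is an added example, not code from the thread or from Nagios/NRPE; it parses a constructed, tcpdump-style flag summary (RFC 5737 documentation addresses, invented timestamps), groups packets into streams, classifies how each stream terminated, and reports whether the longest idle gap exceeded a PIX-style timeout given in the same `H:MM:SS` form as the quoted configuration. The trace format, the `pix_timeout_seconds` helper and the classification labels are this example's own assumptions.

```python
"""Classify how each TCP stream in a (constructed) trace was terminated.

Added example for the NRPE/PIX discussion; not part of the mailing-list
thread.  Each input line mimics a simplified tcpdump summary:
    <seconds> <src>:<sport> > <dst>:<dport> [flags]
where flags use tcpdump letters: S=SYN F=FIN R=RST P=PSH .=ACK
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>[\w.]+):(?P<sp>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+):(?P<dp>\d+)\s+\[(?P<flags>[SFRPA.]*)\]$"
)

# Constructed sample trace (not the poster's capture).  Stream 1 closes
# gracefully; stream 2 is half-closed by the NRPE side, the Nagios side
# never sends its own FIN, and an RST arrives ~700 s later.
SAMPLE_TRACE = """\
0.000 192.0.2.10:40001 > 198.51.100.5:5666 [S]
0.001 198.51.100.5:5666 > 192.0.2.10:40001 [S.]
0.002 192.0.2.10:40001 > 198.51.100.5:5666 [.]
0.050 192.0.2.10:40001 > 198.51.100.5:5666 [P.]
0.090 198.51.100.5:5666 > 192.0.2.10:40001 [P.]
0.100 192.0.2.10:40001 > 198.51.100.5:5666 [F.]
0.101 198.51.100.5:5666 > 192.0.2.10:40001 [F.]
0.102 192.0.2.10:40001 > 198.51.100.5:5666 [.]
1.000 192.0.2.10:40002 > 198.51.100.6:5666 [S]
1.001 198.51.100.6:5666 > 192.0.2.10:40002 [S.]
1.002 192.0.2.10:40002 > 198.51.100.6:5666 [.]
1.050 192.0.2.10:40002 > 198.51.100.6:5666 [P.]
1.090 198.51.100.6:5666 > 192.0.2.10:40002 [P.]
1.100 198.51.100.6:5666 > 192.0.2.10:40002 [F.]
1.101 192.0.2.10:40002 > 198.51.100.6:5666 [.]
700.000 192.0.2.10:40002 > 198.51.100.6:5666 [R.]
"""

Endpoint = Tuple[str, int]


@dataclass
class Packet:
    t: float
    src: Endpoint
    dst: Endpoint
    flags: str


@dataclass
class StreamSummary:
    termination: str            # graceful / half-closed / reset-after-half-close / reset / open
    fin_from: Tuple[str, ...]   # endpoints that sent a FIN
    rst_from: Tuple[str, ...]   # endpoints that sent an RST
    max_idle: float             # longest gap between consecutive packets, seconds
    idle_exceeds_timeout: bool  # max_idle > the configured half-closed timeout


def pix_timeout_seconds(value: str) -> int:
    """Convert a PIX-style 'H:MM:SS' timeout (e.g. '0:10:00') to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_trace(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        pkts.append(Packet(float(m["t"]), (m["src"], int(m["sp"])),
                           (m["dst"], int(m["dp"])), m["flags"]))
    return pkts


def flow_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key so both halves of a stream group together."""
    return tuple(sorted([p.src, p.dst]))  # type: ignore[return-value]


def classify_streams(packets: List[Packet],
                     half_closed_timeout: str = "0:10:00") -> Dict[Tuple[Endpoint, Endpoint], StreamSummary]:
    limit = pix_timeout_seconds(half_closed_timeout)
    by_flow: Dict[Tuple[Endpoint, Endpoint], List[Packet]] = {}
    for p in packets:
        by_flow.setdefault(flow_key(p), []).append(p)
    out = {}
    for key, pkts in by_flow.items():
        pkts.sort(key=lambda p: p.t)
        fin = {p.src for p in pkts if "F" in p.flags}
        rst = {p.src for p in pkts if "R" in p.flags}
        gaps = [b.t - a.t for a, b in zip(pkts, pkts[1:])]
        max_idle = max(gaps) if gaps else 0.0
        if len(fin) == 2:
            term = "graceful"              # FIN in both directions
        elif len(fin) == 1:
            term = "reset-after-half-close" if rst else "half-closed"
        elif rst:
            term = "reset"                 # torn down without any FIN
        else:
            term = "open"
        fmt = lambda eps: tuple(sorted(f"{h}:{port}" for h, port in eps))
        out[key] = StreamSummary(term, fmt(fin), fmt(rst), max_idle, max_idle > limit)
    return out


if __name__ == "__main__":
    for key, s in classify_streams(parse_trace(SAMPLE_TRACE)).items():
        a, b = key
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {s.termination}, "
              f"FIN from {s.fin_from or '-'}, RST from {s.rst_from or '-'}, "
              f"max idle {s.max_idle:.1f}s, over half-closed timeout: {s.idle_exceeds_timeout}")
```

A stream reported as `reset-after-half-close` with `idle_exceeds_timeout` true is the pattern the thread describes: one side finished, the other never sent its FIN, and the RST that finally ends the stream is consistent with a middlebox expiring the half-closed entry rather than with either endpoint closing. Run against a real capture, only the line format (and the timeout string) needs adapting.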
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cap1.JPG
Type: image/jpeg
Size: 203119 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/users/attachments/20060714/49829585/attachment.jpe>
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null