Dragon 7.5.0.95 HIDS client cannot connect to EMS server

  • Problem
  • Updated 4 years ago
  • Solved
I have a 7.5.0.95 Dragon EMS server and sensors. One sensor (HIDS running on Linux) shows the Event Channel down in the reporting dashboard, and the management client shows it unable to communicate. The HIDS sensor keeps logging "[net-cfg-client (25650)]: Could not connect: Connection timed out." What should I look at to fix this issue? I've got other sensors working just fine, this is my odd box.
dtitzer

Posted 5 years ago

Tamera Rousseau-Vesta, Extreme Alumna

Hi David.  Thank you for posting your question to the community.  I will get one of our GTAC folks involved and see if we can resolve your issue.  Have you logged a trouble ticket for this situation?
dtitzer

Thanks for the response. I haven't logged a ticket yet. I keep thinking the solution is just around the corner and it's just a config error.
Dudley, Jeff, Employee

Hi David,

Thanks for mailing in.

It sounds like there is some difficulty making a connection between the two systems on both the configuration and event channels. Could you confirm by running this on the Host sensor?

#netstat -antuv | grep 911

We would be looking for Established back to the server for 9111 and 9112 if all was ok.
dtitzer

I have established connections on 9111 and 9112. I get heartbeats and system health info. In the EMS client, it shows the sensor needs to be deployed, which fails. But, it's listed as working (green checkmark). I've checked to make sure the shared secret is listed as correct too. It all looks connected, but isn't listed as up.
Dudley, Jeff, Employee

Hi

Could we shut down the software on the HIDS? (dragon-shutdown.sh) then check to make sure the .net-cfg-client.lock is removed from the ~/dragon/bin directory. If not, please remove it manually and then restart. The 9111 channel is responsible for the configuration pushes so perhaps there is a disconnect between the software and the operating system.

What version of Linux is the Host? 64 or 32 bit?

Thanks
dtitzer

Shutdown removed the lock. No problem there.

The HIDS sensor is RHEL5.9 32 bit.

FWIW, all sensors connect sensor-to-server.
Dudley, Jeff, Employee

When the software was restarted, did it establish a connection on 9111? Also, if you check again for this connection a minute later, do you see the local high port changing? This would indicate a constant reconnection taking place.

root@snowman:/opt/dragon/bin# netstat -antuv | grep 9111
tcp 0 0 10.58.24.77:50848 10.58.24.88:9111 ESTABLISHED

In the above example, 50848 is the local high port.

Can you deploy to this sensor at this time?

Thanks
Jeff
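
Added example, not part of Jeff's post or of the Dragon software: a script that automates the check described above by comparing two `netstat -ant` snapshots and reporting, for ports 9111 and 9112, whether the local high port stayed the same. The function names and the sample snapshots (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example; not Dragon tooling. Sample snapshots below are constructed.

# Reduce `netstat -ant` text on stdin to "remote_port local_port state" for
# connections whose remote port is 9111 (configuration) or 9112 (event).
dragon_channels() {
    awk '$1 ~ /^tcp/ {
        n = split($5, r, ":"); m = split($4, l, ":")
        if (r[n] == "9111" || r[n] == "9112") print r[n], l[m], $6
    }'
}

# Local ports of ESTABLISHED connections to remote port $2 in snapshot text $1.
established_ports() {
    printf '%s\n' "$1" | dragon_channels |
        awk -v p="$2" '$1 == p && $3 == "ESTABLISHED" { print $2 }' |
        sort | tr '\n' ' '
}

# Compare two snapshots taken about a minute apart. Prints per channel:
#   stable  - same local high port in both (connection held)
#   changed - different local high port (client reconnected in between)
#   down    - nothing ESTABLISHED in the second snapshot
compare_snapshots() {
    for port in 9111 9112; do
        before=$(established_ports "$1" "$port")
        after=$(established_ports "$2" "$port")
        if [ -z "$after" ]; then echo "$port down"
        elif [ "$before" = "$after" ]; then echo "$port stable"
        else echo "$port changed"
        fi
    done
}

# Constructed input (documentation addresses), not output from a real sensor.
SNAP1='tcp 0 0 192.0.2.10:50848 192.0.2.20:9111 ESTABLISHED
tcp 0 0 192.0.2.10:50850 192.0.2.20:9112 ESTABLISHED
tcp 0 0 192.0.2.10:22 192.0.2.30:51234 ESTABLISHED'
SNAP2='tcp 0 0 192.0.2.10:50848 192.0.2.20:9111 ESTABLISHED
tcp 0 0 192.0.2.10:50850 192.0.2.20:9112 TIME_WAIT
tcp 0 0 192.0.2.10:50911 192.0.2.20:9112 ESTABLISHED'

compare_snapshots "$SNAP1" "$SNAP2"
# Live use on the sensor: s1=$(netstat -ant); sleep 60; s2=$(netstat -ant)
#                         compare_snapshots "$s1" "$s2"
```

A `stable` result only shows that the TCP session persisted between samples; it says nothing about whether the application on top of it is exchanging data, so the client log still needs to be read alongside it.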
dtitzer

The HIDS sensor does reconnect to port 9111, but I don't see the local high port changing. The netcfgclient.log file continues to log connection timed out error messages too. No other errors in any other log files.
Dudley, Jeff, Employee

Hi,

Since it is not breaking the TCP connection and there are timeout messages, it may relate to the network and the bandwidth available to us. Can you run some tests with large file transfers via WinSCP or another TCP-based application?

Thanks
Jeff
dtitzer

I was able to upload the Dragon client install pack just fine over scp. It's a remote location and was slow, but it didn't fail.
Dudley, Jeff, Employee

Hi,

We still may be having an issue with the "distance" and the protocol involved. If you would like we could run a remote desktop sharing session and look over the installation together.

Thanks
Jeff
Tamera Rousseau-Vesta, Extreme Alumna

Thanks for continuing to work with our GTAC group to resolve this question David.  If you or Jeff could just post the results of your desktop share when it occurs, the rest of the community would appreciate knowing your resolution.  Thank you!
dtitzer

Jeff, Tamera: Desktop share will not happen.

I've uninstalled and reinstalled the client, even tried to switch the encryption.

I'm left with the feeling I'm overlooking something.
Dudley, Jeff, Employee

Hi David,

We would be happy to work on this with you until it is resolved. Due to the nature of the issue we may need to place some processes in debug mode and obtain some supporting log data. For this reason please feel free to call into the support department, 1-800-872-8440, and we will happily create a service ticket with you.

Thanks
Jeff
Tamera Rousseau-Vesta, Extreme Alumna

Hi David, were you able to get a satisfactory response to this issue? Please let us know if you are still having an issue. Thank you!
dtitzer

We experienced an unrelated system problem. I ended up re-installing the EMS server from scratch. Unfortunately, the problem did not go away.

I'm waiting to get information related to my customer's support renewal. It's been in the pipeline for quite a while, but spending was temporarily restricted.
Tamera Rousseau-Vesta, Extreme Alumna

David, were you able to log a trouble ticket with GTAC to solve this issue?