A couple more tests performed yesterday:
1. Reinstalled the agent, deleted then added a new agent on the server
(used the same name which may be causing a problem - any thoughts on
this?)
2. Still see the udp outbound on the agent laptop and the inbound on
the server but no connection
3. Added yet another test laptop and it works correctly - will test
the VPN connection tonight then bring the laptop back into the network
to see if I can repeat the issue.


On Dec 29, 3:28 pm, [email protected] wrote:
> I couldn't find anything on the subject so I'm posting - I apologize
> in advance if this has already been covered.
>
> Background Info
> 1. I have a SLES 10 server running the ossec server and the ossec-wui
> - all systems are running currently
> 2. I have successfully tested with Windows & Linux agents
> 3. I currently have it reporting via smtp to a notification email addr
> - works well
> 4. I have yet to configure the server for MySQL but it's in the plans
>
> Now to the problem:
> 1. I have several laptops that I'm currently testing for the agent -
> they are all Windows XP laptops
> 2. I saw the info about configuring for firewall/DHCP so I configured
> the laptops & the server for 10.0.0.0/8, exported the keys and
> imported them on the agents.  Worked perfectly
> 3. Our VPN connections drop us into a 192.168.X.X range, posing a
> different issue - so, I deleted the agent from the server and rebuilt
> the agent using 0.0.0.0/0.  I exported the key and the agent connected
> from our 10.X.X.X network just fine.
> 4. Last night, I logged in through vpn from that laptop and the agent
> connected just fine again.  I monitored through the server and
> reviewed the logs on the agent - worked great!
> 5. Problem: Today I brought the laptop back into the 10.X.X.X network
> and it won't connect.
>
> Things I've tried:
> 1. I can ping the 10.X.X.X server from the laptop
> 2. I can ssh to the 10.X.X.X server from the laptop
> 3. I checked the logs on the agent, and it shows: WARN: Waiting for
> the server to reply
> 4. I did a packet capture on the agent and see the outbound udp
> attempt to port 1514
> 5. I did a tcpdump on the server and see the udp port 1514 traffic
> 6. I've re-exported the keys
> 7. I've restarted the service on the server and the agent about 25,000
> times in different orders
> 8. I've killed some of my test agents elsewhere on the network to see
> if that was causing the issue - no change
> 9. Many other things but didn't want to create a massive dissertation
> here (too late)...thoughts?
