For my issue it was not that the agents were receiving the disconnect notices; the translations from my internal office to these remote agents would be closed by the router, so neither side would receive the disconnect notice. In the end Cisco support worked with me and ran some tcpdumps on the agents and debug NAT on the router.

At this point I would try doing Wireshark monitoring (Windows) or tcpdump (Unix) and filter out all but UDP communications between the computers. Is your switch capable of altering a TTL? Have you confirmed that the agent computers are reachable (ping) during the time your syscheck_control fails? I would just run a logging ping test for one ping per one/two seconds indefinitely until you find out your agents have disconnected, and review the timeline against that. Perhaps there are random network drops occurring? Granted, I'm sure you would see them elsewhere.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Henry
Sent: Friday, December 24, 2010 2:45 AM
To: ossec-list
Subject: [ossec-list] Re: Unstable ossec connections

As the server machine and the agent machine are on the same network segment, these two machines do not route through routers. The TTL for these two machines are 64 and 255, which are fine. How can I know if the agents receive disconnected notices?

On Dec 23, 10:55 pm, Nathaniel Bentzinger <nbentzin...@archer-group.com> wrote:
> Are you receiving agents disconnected notices? Is this just for remote
> agents or internal ones as well?
>
> I know that my Cisco 2811's IPS old firmware was disconnecting my UDP
> connections prematurely. Perhaps your router's TTL needs to be increased for
> remote agents?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Henry
> Sent: Thursday, December 23, 2010 4:16 AM
> To: ossec-list
> Subject: [ossec-list] Unstable ossec connections
>
> I have been setting up with an ossec server and an ossec agent installed. I
> can use the syscheck_control -lc command on the server side to see the agent.
> But usually after several hours without disruptions, the syscheck_control -lc
> command cannot see the agents.
> The only thing I can do is to restart the ossec agent and then restart
> the ossec server, then I can locate the agent using the
> syscheck_control -lc command. Any help is appreciated.
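The logging ping test and UDP capture suggested in the reply above, written out as a small shell script. This is an added example, not code posted in the thread: the host, interface and address values are placeholders, and the port in the tcpdump comment (1514/udp, OSSEC's default agent port) is not stated anywhere in the thread, so adjust it if your install uses another one.

```shell
#!/bin/sh
# Added example (not from the thread): log agent reachability once every
# INTERVAL seconds with a timestamp, then list the outage gaps so they can be
# lined up against the times syscheck_control stopped seeing the agent.

# probe_once HOST
# Prints one log line: "<UTC timestamp> <host> OK|FAIL".
# -W 1 (1 s reply timeout) is the Linux iputils flag; adjust on other platforms.
probe_once() {
    host=$1
    if ping -c 1 -W 1 "$host" >/dev/null 2>&1; then
        status=OK
    else
        status=FAIL
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$status"
}

# ping_log HOST [INTERVAL] [LOGFILE]
# Runs indefinitely (Ctrl-C to stop), appending one line per probe.
ping_log() {
    host=$1
    interval=${2:-2}
    logfile=${3:-ping-$host.log}
    while :; do
        probe_once "$host" >>"$logfile"
        sleep "$interval"
    done
}

# summarize_gaps LOGFILE
# Collapses consecutive FAIL lines into "<first fail> <last fail> <count>",
# one line per outage, so the timeline can be compared with the OSSEC logs.
summarize_gaps() {
    awk '
        $3 == "FAIL" {
            if (!inrun) { start = $1; n = 0; inrun = 1 }
            last = $1; n++
            next
        }
        inrun { print start, last, n; inrun = 0 }
        END { if (inrun) print start, last, n }
    ' "$1"
}

# UDP capture between server and agent (run as root on the server), to be
# read alongside the ping log. IFACE, SERVER_IP and AGENT_IP are placeholders;
# 1514/udp is OSSEC's default agent port, which the thread does not state.
#   tcpdump -nn -i IFACE 'udp port 1514 and host SERVER_IP and host AGENT_IP' -w ossec-udp.pcap

# Demo on a constructed log (not real data): one outage of two probes and
# one of a single probe.
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
2010-12-24T02:00:00Z 192.0.2.10 OK
2010-12-24T02:00:02Z 192.0.2.10 FAIL
2010-12-24T02:00:04Z 192.0.2.10 FAIL
2010-12-24T02:00:06Z 192.0.2.10 OK
2010-12-24T02:00:08Z 192.0.2.10 FAIL
EOF
summarize_gaps "$demo_log"
rm -f "$demo_log"
```

In use, start `ping_log AGENT_IP 2 agent.log &` on the server before the agent next drops, then run `summarize_gaps agent.log` once syscheck_control -lc loses the agent; an outage that overlaps the loss points at the network, while a clean ping log with a lost agent points at the UDP path (NAT timeouts, a filtering device) rather than plain reachability, which is where the capture helps.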
