I have seen this posted, but not sure of the real problem/solution -
so I will try again. (with a lot more detail)

I have several agents. They had been working for over a month. Then
for some reason some of them started giving this fabulous error:

ossec-agentd(4101): WARN: Waiting for server reply

Tried removing the corresponding rids files for agent ID 013, and
restarted both. No luck.
So I tried removing the agent on the server, re-adding it and then
importing the new key on the agent. No luck.

There are actually a few servers exhibiting this same behavior and
they are all on the same subnet trying to communicate back to the
server.  Out of about a dozen, 5-6 work fine and the others don't.

Some other interesting details - the ones that have been working have
NOT been restarted in weeks. The ones that are failing were recently
restarted.

Now, here is the interesting part (see below) it seems to be related
to getting back to the source port, but I checked with the firewall
folks - nothing is blocked. (or so they say) -- but why would they
have been working BEFORE restarting and then failing? The tcpdump
below is from about 5 minutes ago from an agent that was working
flawlessly - I restarted and now it has the errors...

In a way, I see the problem, but am at a loss as to why it is
happening. Other than checking firewalling - any other ideas?

tcpdump:


=========================================================================================

bash-3.00# snoop -d e1000g0 host ossec_SERVER

Using device e1000g0 (promiscuous mode)
     ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=81
     ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=81
     ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=81
ossec_SERVER -> ossec_agent      UDP D=37376 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
ossec_SERVER -> ossec_agent      UDP D=37376 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
     ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=89
ossec_SERVER -> ossec_agent      UDP D=37376 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
ossec_SERVER -> ossec_agent      UDP D=37376 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
ossec_SERVER -> ossec_agent      UDP D=37376 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
ossec_SERVER -> ossec_agent      UDP D=37380 S=1514 LEN=81
ossec_SERVER -> ossec_agent      UDP D=37380 S=1514 LEN=81
ossec_SERVER -> ossec_agent      UDP D=37380 S=1514 LEN=81
     ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
ossec_SERVER -> ossec_agent      UDP D=37380 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37380 unreachable)
ossec_SERVER -> ossec_agent      UDP D=37380 S=1514 LEN=81
     ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37380 unreachable)
     ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
     ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
ossec_SERVER -> ossec_agent      UDP D=37384 S=1514 LEN=81
ossec_SERVER -> ossec_agent      UDP D=37384 S=1514 LEN=81
ossec_SERVER -> ossec_agent      UDP D=37384 S=1514 LEN=81
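
Added example (not part of the original post): a small Python parser for snoop lines in the format shown above. It tracks the source port the agent most recently sent from and counts server replies addressed to that port versus an older one, plus the ICMP port-unreachable answers per port. SAMPLE is an excerpt of the capture above with wrapped lines rejoined; the function and field names are illustrative.

```python
import re

# Excerpt of the snoop capture above, with the wrapped ICMP lines rejoined.
SAMPLE = """\
ossec_agent -> ossec_SERVER UDP D=1514 S=37376 LEN=89
ossec_agent -> ossec_SERVER UDP D=1514 S=37380 LEN=81
ossec_SERVER -> ossec_agent UDP D=37376 S=1514 LEN=81
ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37376 unreachable)
ossec_SERVER -> ossec_agent UDP D=37380 S=1514 LEN=81
ossec_agent -> ossec_SERVER UDP D=1514 S=37384 LEN=89
ossec_SERVER -> ossec_agent UDP D=37380 S=1514 LEN=81
ossec_agent -> ossec_SERVER ICMP Destination unreachable (UDP port 37380 unreachable)
ossec_SERVER -> ossec_agent UDP D=37384 S=1514 LEN=81
"""

UDP_RE = re.compile(r"(\S+)\s+->\s+(\S+)\s+UDP D=(\d+) S=(\d+) LEN=(\d+)")
ICMP_RE = re.compile(
    r"(\S+)\s+->\s+(\S+)\s+ICMP Destination unreachable \(UDP\s+port (\d+) unreachable\)")

def analyze(text, server="ossec_SERVER", server_port=1514):
    """Classify server replies as sent to the agent's current or a stale source port."""
    text = re.sub(r"\(UDP\s*\n\s*port", "(UDP port", text)  # rejoin mail-wrapped lines
    current = None   # source port the agent most recently sent from
    seen = []        # agent source ports in order of first use
    result = {"agent_ports": seen, "replies_current": 0,
              "replies_stale": 0, "unreachable": {}}
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            src, dst = m.group(1), m.group(2)
            dport, sport = int(m.group(3)), int(m.group(4))
            if dst == server and dport == server_port:      # agent -> server
                current = sport
                if sport not in seen:
                    seen.append(sport)
            elif src == server and sport == server_port:    # server -> agent
                key = "replies_current" if dport == current else "replies_stale"
                result[key] += 1
            continue
        m = ICMP_RE.search(line)
        if m and m.group(2) == server:                      # agent rejects a reply
            port = int(m.group(3))
            result["unreachable"][port] = result["unreachable"].get(port, 0) + 1
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE))
```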
