Perhaps this is the kicker to help figure this out: tcpdump on the ossec-server, watching the system agent attempt to connect. But there are no firewalls in place anyway, just a router. And the weird part is that another box, 10.15.58.62, works, and has been, but I know if I restart it, it will fail. That is the symptom. (Both Solaris.)
# tcpdump -ni bond0 host 10.15.58.60
13:01:37.848570 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:37.848851 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:37.849118 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:01:42.848771 arp who-has 10.15.58.60 tell 10.15.40.100
13:01:42.849372 arp reply 10.15.58.60 is-at 00:00:0c:01:00:40
13:01:43.849593 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:43.849877 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:43.850150 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:01:47.850439 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:47.850695 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:47.850955 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:01:52.851341 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:52.851653 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:52.851894 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:01:58.852222 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:58.852477 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:58.852644 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:02:00.853995 IP 10.15.58.60.47103 > 10.15.40.45.ossec-agent: UDP, length 81
13:02:00.854262 IP 10.15.40.100.ossec-agent > 10.15.58.60.47103: UDP, length 73
13:02:00.854487 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47103 unreachable, length 92
13:02:05.855020 arp who-has 10.15.58.60 tell 10.15.40.100
13:02:05.855765 arp reply 10.15.58.60 is-at 00:00:0c:01:00:40
13:02:06.855025 IP 10.15.58.60.47103 > 10.15.40.45.ossec-agent: UDP, length 81
13:02:06.855281 IP 10.15.40.100.ossec-agent > 10.15.58.60.47103: UDP, length 73
13:02:06.855586 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47103 unreachable, length 92
13:02:10.855908 IP 10.15.58.60.47103 > 10.15.40.45.ossec-agent: UDP, length 81
13:02:10.856173 IP 10.15.40.100.ossec-agent > 10.15.58.60.47103: UDP, length 73
13:02:10.856502 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47103 unreachable, length 92
13:02:15.856776 IP 10.15.58.60.47103 > 10.15.40.45.ossec-agent: UDP, length 81
13:02:15.857057 IP 10.15.40.100.ossec-agent > 10.15.58.60.47103: UDP, length 73
13:02:15.857359 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47103 unreachable, length 92
13:02:21.857679 IP 10.15.58.60.47103 > 10.15.40.45.ossec-agent: UDP, length 73
13:02:21.857941 IP 10.15.40.100.ossec-agent > 10.15.58.60.47103: UDP, length 73
13:02:21.858196 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47103 unreachable, length 92

On May 4, 12:43 pm, Kat <[email protected]> wrote:
> PS - I can packet capture on both ends - what would you want to see???
>
> On May 4, 11:11 am, Kat <[email protected]> wrote:
>
> > RHEL 5.3
>
> > Only "special" update is PHP 5.3, which would have nothing to do with
> > OSSEC, but mentioning it.
>
> > I would be happy to supply some debug info.
>
> > It was working flawlessly when first installed, then they just started
> > dropping off. Agents are a mixture of AIX 6.1, RHEL 5.3 and Solaris 10.
> > The only agents that have never exhibited any problems are the Windoze
> > boxes.
>
> > -k
>
> > On May 4, 10:59 am, "dan (ddp)" <[email protected]> wrote:
>
> > > What OS/distro/revision are you using on your manager system?
> > > Daniel Cid has offered to help track it down, but he needs access to a
> > > system showing this issue.
> > > dan
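An added example, not part of the thread above: a small Python check that reads tcpdump output like the capture in the post and flags the pattern visible in it, namely requests the agent sends to one manager address (10.15.40.45) being answered from a different address (10.15.40.100), with each reply then rejected by the agent host with ICMP port unreachable. The sample lines are constructed from the capture quoted above; the function and field names are the example's own.

```python
import re

# Sample capture, constructed from the tcpdump lines quoted in the post above.
SAMPLE_CAPTURE = """\
13:01:37.848570 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:37.848851 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:37.849118 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
13:01:42.848771 arp who-has 10.15.58.60 tell 10.15.40.100
13:01:43.849593 IP 10.15.58.60.47102 > 10.15.40.45.ossec-agent: UDP, length 81
13:01:43.849877 IP 10.15.40.100.ossec-agent > 10.15.58.60.47102: UDP, length 73
13:01:43.850150 IP 10.15.58.60 > 10.15.40.100: ICMP 10.15.58.60 udp port 47102 unreachable, length 92
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# tcpdump -n prints "addr.port" for UDP; the port may be a service name such as ossec-agent.
UDP_RE = re.compile(rf"^\S+ IP {IPV4}\.([\w-]+) > {IPV4}\.([\w-]+): UDP")
ICMP_RE = re.compile(rf"^\S+ IP {IPV4} > {IPV4}: ICMP \S+ udp port (\d+) unreachable")


def analyze_agent_traffic(capture, agent_ip, service="ossec-agent"):
    """Summarise agent<->manager UDP traffic seen by tcpdump.

    Each reply is paired with the request sent from the same agent port, and a
    reply whose source address differs from the address the agent sent to is
    recorded. ICMP port-unreachable messages emitted by the agent host are
    counted as well: they mean the agent's kernel refused the datagram.
    """
    sent_to = {}  # agent source port -> manager address the request went to
    stats = {"requests": 0, "replies": 0, "replies_from_unexpected_source": 0,
             "icmp_port_unreachable": 0, "mismatched_pairs": set()}
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            if src == agent_ip and dport == service:      # agent -> manager
                sent_to[sport] = dst
                stats["requests"] += 1
            elif dst == agent_ip and sport == service:    # manager -> agent
                stats["replies"] += 1
                expected = sent_to.get(dport)
                if expected is not None and src != expected:
                    stats["replies_from_unexpected_source"] += 1
                    stats["mismatched_pairs"].add((expected, src))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == agent_ip:
            stats["icmp_port_unreachable"] += 1
    stats["mismatched_pairs"] = sorted(stats["mismatched_pairs"])
    return stats


if __name__ == "__main__":
    for key, value in analyze_agent_traffic(SAMPLE_CAPTURE, "10.15.58.60").items():
        print(f"{key}: {value}")
```

A connected UDP socket only accepts datagrams from the peer it was connected to, so a reply leaving a multi-homed manager from a different address than the one the agent targeted is discarded by the agent's kernel, which is what the ICMP port-unreachable lines show. On a manager with several addresses on one interface, the source address chosen for outbound replies is therefore worth checking against the address configured on the agents.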
