Greetings everyone,

I have a distributed setup with the server on a securityonion install. No 
issues with clients in other subnets but when I tried to set up a client on 
a remote server I encountered the following situation:

Client log
2018/04/06 09:29:00 INFO: Connected to [redacted] at address XX.XX.XX.XX, 
port 1514
2018/04/06 09:29:21 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: '[redacted]'.

----------------------------------------
Setup Data
----------------------------------------

Sever ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v2.8.2"
DATE="Mon Oct 19 19:53:53 UTC 2015"
TYPE="server"

Client ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v2.9.3"
DATE="Thu Apr  5 15:45:55 CEST 2018"
TYPE="agent"

The version mismatch does not seem to be the root cause, I have other 
clients in other subnets behind the same firewall that have the same 
version and don't have any issues connecting with the server (clients are 
both on windows and *nix machines).

---------------------------
Network topology
---------------------------
client ----> NAT_router ---> Firewall_NAT ---> Server


-------------------------
Fix attempt
-------------------------
I triple checked the client keys and did the following:
1. Shut down server and client
2. Delete client on server, Generate new client key
3. Start server
4. Import new key on client.
5. Start client.

No luck. 


----------------------------------
Packet Captures
----------------------------------
I did packet captures on the server side, on the client side, on both sides 
of the firewall and packets seem to flow freely. The port changes on the 
client side happens every 5 packets it seem. the captures were taken at 
different points in time.


Tcpdump on the client (tcpdump -i XXX udp port 1514):
-------------------------------------------------------------------------------
07:40:48.281799 IP [client] > [server].1514: UDP, length 73
07:40:48.282499 IP [server].1514 > [client].39116: UDP, length 73
07:40:53.282313 IP [client].39116 > [server].1514: UDP, length 73
07:40:53.282954 IP [server].1514 > [client].39116: UDP, length 73

Tcpdump on the server (tcpdump -i XXX udp port 1514):
-------------------------------------------------------------------------------
08:29:31.305862 IP client.52958 > server.1514: UDP, length 73
08:29:31.306591 IP server.1514 > client.52958: UDP, length 73


Between the firewall and the NAT router:
-------------------------------------------------------------------------------
08:14:13.837919 de:ad:ba:be:ca:fe > de:ad:be:ef:ca:fe, ethertype IPv4 
(0x0800), length 115: (tos 0x0, ttl 54, id 29801, offset 0, flags [DF], 
proto UDP (17), length 101)
  [client].48932 > [firewall].1514: [udp sum ok] UDP, length 73

08:24:36.288617 de:ad:ba:be:ca:fe > de:ad:be:ef:ca:f, ethertype IPv4 
(0x0800), length 115: (tos 0x0, ttl 63, id 36571, offset 0, flags [DF], 
proto UDP (17), length 101, bad cksum 0 (->ea4)!)
    [firewall].1514 > [client].48932: [udp sum ok] UDP, length 73

Sometimes I have a bad checksum error.

Between the firewall and the server
-------------------------------------------------------------------------------
08:21:42.391671 ba:dd:ee:d0:00:00 > de:ad:be:ad:ad:00, ethertype IPv4 
(0x0800), length 115: (tos 0x0, ttl 52, id 27141, offset 0, flags [DF], 
proto UDP (17), length 101, bad cksum 0 (->3b7a)!)
    [client].39656 > [server].1514: [udp sum ok] UDP, length 73

And same thing on return path.

Logically it seems that the NAT might be the issue, since other (not NATed) 
clients don't have any troubles connecting, but I can't see how it would 
impede communication, as data flows freely both ways...
I'm running out of ideas so any input on my situation would be greatly 
appreciated!

Regards,
Quentin

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to