Have you looked at the ossec.log on your SO server? It might tell you if there is an issue . I've had issues with NAT and the server was not recognizing the IP.
On Friday, April 6, 2018 at 5:42:28 AM UTC-4, quentin mallet wrote: > > Greetings everyone, > > I have a distributed setup with the server on a securityonion install. No > issues with clients in other subnets but when I tried to set up a client on > a remote server I encountered the following situation: > > Client log > 2018/04/06 09:29:00 INFO: Connected to [redacted] at address XX.XX.XX.XX, > port 1514 > 2018/04/06 09:29:21 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '[redacted]'. > > ---------------------------------------- > Setup Data > ---------------------------------------- > > Sever ossec-init.conf: > DIRECTORY="/var/ossec" > VERSION="v2.8.2" > DATE="Mon Oct 19 19:53:53 UTC 2015" > TYPE="server" > > Client ossec-init.conf: > DIRECTORY="/var/ossec" > VERSION="v2.9.3" > DATE="Thu Apr 5 15:45:55 CEST 2018" > TYPE="agent" > > The version mismatch does not seem to be the root cause, I have other > clients in other subnets behind the same firewall that have the same > version and don't have any issues connecting with the server (clients are > both on windows and *nix machines). > > --------------------------- > Network topology > --------------------------- > client ----> NAT_router ---> Firewall_NAT ---> Server > > > ------------------------- > Fix attempt > ------------------------- > I triple checked the client keys and did the following: > 1. Shut down server and client > 2. Delete client on server, Generate new client key > 3. Start server > 4. Import new key on client. > 5. Start client. > > No luck. > > > ---------------------------------- > Packet Captures > ---------------------------------- > I did packet captures on the server side, on the client side, on both > sides of the firewall and packets seem to flow freely. The port changes on > the client side happens every 5 packets it seem. the captures were taken at > different points in time. > > > Tcpdump on the client (tcpdump -i XXX udp port 1514): > > ------------------------------------------------------------------------------- > 07:40:48.281799 IP [client] > [server].1514: UDP, length 73 > 07:40:48.282499 IP [server].1514 > [client].39116: UDP, length 73 > 07:40:53.282313 IP [client].39116 > [server].1514: UDP, length 73 > 07:40:53.282954 IP [server].1514 > [client].39116: UDP, length 73 > > Tcpdump on the server (tcpdump -i XXX udp port 1514): > > ------------------------------------------------------------------------------- > 08:29:31.305862 IP client.52958 > server.1514: UDP, length 73 > 08:29:31.306591 IP server.1514 > client.52958: UDP, length 73 > > > Between the firewall and the NAT router: > > ------------------------------------------------------------------------------- > 08:14:13.837919 de:ad:ba:be:ca:fe > de:ad:be:ef:ca:fe, ethertype IPv4 > (0x0800), length 115: (tos 0x0, ttl 54, id 29801, offset 0, flags [DF], > proto UDP (17), length 101) > [client].48932 > [firewall].1514: [udp sum ok] UDP, length 73 > > 08:24:36.288617 de:ad:ba:be:ca:fe > de:ad:be:ef:ca:f, ethertype IPv4 > (0x0800), length 115: (tos 0x0, ttl 63, id 36571, offset 0, flags [DF], > proto UDP (17), length 101, bad cksum 0 (->ea4)!) > [firewall].1514 > [client].48932: [udp sum ok] UDP, length 73 > > Sometimes I have a bad checksum error. > > Between the firewall and the server > > ------------------------------------------------------------------------------- > 08:21:42.391671 ba:dd:ee:d0:00:00 > de:ad:be:ad:ad:00, ethertype IPv4 > (0x0800), length 115: (tos 0x0, ttl 52, id 27141, offset 0, flags [DF], > proto UDP (17), length 101, bad cksum 0 (->3b7a)!) > [client].39656 > [server].1514: [udp sum ok] UDP, length 73 > > And same thing on return path. > > Logically it seems that the NAT might be the issue, since other (not > NATed) clients don't have any troubles connecting, but I can't see how it > would impede communication, as data flows freely both ways... > I'm running out of ideas so any input on my situation would be greatly > appreciated! > > Regards, > Quentin > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
