I couldn't find anything on the subject so I'm posting - I apologize in advance if this has already been covered.
Background Info:

1. I have a SLES 10 server running the ossec server and the ossec-wui - all systems are running currently
2. I have successfully tested with Windows & Linux agents
3. I currently have it reporting via smtp to a notification email addr - works well
4. I have yet to configure the server for MySQL but it's in the plans

Now to the problem:

1. I have several laptops that I'm currently testing for the agent - they are all Windows XP laptops
2. I saw the info about configuring for firewall/DHCP so I configured the laptops & the server for 10.0.0.0/8, exported the keys and imported them on the agents. Worked perfectly
3. Our VPN connections drop us into a 192.168.X.X range, posing a different issue - so, I deleted the agent from the server and rebuilt the agent using 0.0.0.0/0. I exported the key and the agent connected from our 10.X.X.X network just fine.
4. Last night, I logged in through vpn from that laptop and the agent connected just fine again. I monitored through the server and reviewed the logs on the agent - worked great!
5. Problem: Today I brought the laptop back into the 10.X.X.X network and it won't connect.

Things I've tried:

1. I can ping the 10.X.X.X server from the laptop
2. I can ssh to the 10.X.X.X server from the laptop
3. I checked the logs on the agent, and it shows: WARN: Waiting for the server to reply
4. I did a packet capture on the agent and see the outbound udp attempt to port 1514
5. I did a tcpdump on the server and see the udp port 1514 traffic
6. I've re-exported the keys
7. I've restarted the service on the server and the agent about 25,000 times in different orders
8. I've killed some of my test agents elsewhere on the network to see if that was causing the issue - no change
9. Many other things but didn't want to create a massive dissertation here (too late)...thoughts?
