Hi,

This is a strange issue for sure. Is there anything on the server's ossec.log? Do you see any reply (via tcpdump) from the server to the agent on the server's system?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Dec 31, 2008 at 9:33 AM, <[email protected]> wrote:
>
> A couple more tests performed yesterday-
> 1. Reinstalled the agent, deleted then added a new agent on the server (used the same name which may be causing a problem - any thoughts on this?)
> 2. Still see the udp outbound on the agent laptop and the inbound on the server but no connection
> 3. Added yet another test laptop and it works correctly - will test the VPN connection tonight then bring the laptop back into the network to see if I can repeat the issue.
>
>
> On Dec 29, 3:28 pm, [email protected] wrote:
>> I couldn't find anything on the subject so I'm posting - I apologize in advance if this has already been covered.
>>
>> Background Info
>> 1. I have a SLES 10 server running the ossec server and the ossec-wui - all systems are running currently
>> 2. I have successfully tested with Windows & Linux agents
>> 3. I currently have it reporting via smtp to a notification email addr - works well
>> 4. I have yet to configure the server for MySQL but it's in the plans
>>
>> Now to the problem:
>> 1. I have several laptops that I'm currently testing for the agent - they are all Windows XP laptops
>> 2. I saw the info about configuring for firewall/DHCP so I configured the laptops & the server for 10.0.0.0/8, exported the keys and imported them on the agents. Worked perfectly
>> 3. Our VPN connections drop us into a 192.168.X.X range, posing a different issue - so, I deleted the agent from the server and rebuilt the agent using 0.0.0.0/0. I exported the key and the agent connected from our 10.X.X.X network just fine.
>> 4. Last night, I logged in through vpn from that laptop and the agent connected just fine again. I monitored through the server and reviewed the logs on the agent - worked great!
>> 5. Problem: Today I brought the laptop back into the 10.X.X.X network and it won't connect.
>>
>> Things I've tried:
>> 1. I can ping the 10.X.X.X server from the laptop
>> 2. I can ssh to the 10.X.X.X server from the laptop
>> 3. I checked the logs on the agent, and it shows: WARN: Waiting for the server to reply
>> 4. I did a packet capture on the agent and see the outbound udp attempt to port 1514
>> 5. I did a tcpdump on the server and see the udp port 1514 traffic
>> 6. I've re-exported the keys
>> 7. I've restarted the service on the server and the agent about 25,000 times in different orders
>> 8. I've killed some of my test agents elsewhere on the network to see if that was causing the issue - no change
>> 9. Many other things but didn't want to create a massive dissertation here (too late)...thoughts?
>
