[ale] CHECK_NRPE: Error receiving data from daemon.
Lightner, Jeff
jlightner at water.com
Thu Feb 10 14:03:36 EST 2011
Two things:
1) In your commands try to get numeric values. Saying it is
listening on port "nrpe" suggests it is OK but if /etc/services has nrpe
set to udp 3123 instead of tcp 5666 you're not seeing what you think you
are. Do "lsof -i :5666" and it will show if anything is listening on
port 5666. Do "iptables -n -L" and it will show the numerics instead
of port names so you can verify it is port 5666.
2) You can easily rule out iptables issues by simply stopping
iptables (service iptables stop) and testing to see if the connection
works. If it does then your issue was iptables. If it doesn't then it
means something other than iptables is blocking it.
________________________________
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Tony Cicirello
Sent: Thursday, February 10, 2011 1:27 PM
To: Ale at ale.org
Subject: [ale] CHECK_NRPE: Error receiving data from daemon.
This is probably a case of missing the obvious but I have tried
everything I could think of and also what the nrpe.pdf doc suggests.
I am installing nrpe on a CentOS box using yum. The package installs
without error.
Version info: nagios-nrpe x86_64 2.12-1.el5.rf
I've added the check_nrpe command to /etc/nagios/objects/commands.cfg
# 'check_nrpe' command definition
define command {
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
and the host IP address to nrpe.cfg
nrpe is configured to run as a daemon and shows as running:
ps auxw | grep nrpe
root 26257 0.0 0.0 61164 692 pts/3 S+ 13:43 0:00 grep nrpe
nagios 29589 0.0 0.0 39968 1084 ? Ss 13:18 0:00 nrpe -c /etc/nagios/nrpe.cfg -d
nrpe is listening on the correct port:
netstat -at | grep nrpe
tcp 0 0 mail.panoston.com:nrpe *:* LISTEN
The problem(s) arise when I run check_nrpe on the remote host.
Running without ssl yields
/usr/lib64/nagios/plugins/check_nrpe -H Remote IP address -n
Running with ssl yields:
/usr/lib64/nagios/plugins/check_nrpe -H 192.168.2.231
CHECK_NRPE: Error - Could not complete SSL handshake.
I've verified that iptables is set correctly. Here is the output:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.21.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.2.31 anywhere state NEW
ACCEPT all -- IP Address anywhere state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nrpe
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT udp -- anywhere anywhere udp spt:6277
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:responsenet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3121
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:vtr-emulator
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:openvpn
ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rsf-1
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Here is the allowed_hosts line from nrpe.cfg
allowed_hosts= 96.37.142.40 (Monitor) 192.168.2.231 (Remote-for testing) 127.0.0.1
The only thing I haven't tried is compiling from source using
./configure --enable-ssl. I assume yum will make the ssl option
available on installation.
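
Added example, not part of the original thread: the reply's first point is that "nrpe" in netstat or iptables output is only a name looked up in /etc/services, so this script resolves a service name from a services-format file and checks that it really means the port you expect. The function names and both sample files are constructed for illustration; on a real host, pass /etc/services as the file argument.

```sh
#!/bin/sh
# Resolve a service NAME the way netstat and iptables -L do (through an
# /etc/services-style file) and compare it with the numeric port you expect.

# Constructed sample data, not from the poster's host: one file has the usual
# nrpe 5666/tcp entry, the other the "udp 3123" case described in the reply.
GOOD_SERVICES=$(mktemp)
BAD_SERVICES=$(mktemp)
trap 'rm -f "$GOOD_SERVICES" "$BAD_SERVICES"' EXIT
printf '%s\n' '# constructed sample' 'ssh  22/tcp' \
    'nrpe  5666/tcp  # Nagios NRPE' > "$GOOD_SERVICES"
printf '%s\n' '# constructed sample' 'ssh  22/tcp' \
    'nrpe  3123/udp' > "$BAD_SERVICES"

# service_entries NAME FILE: print every port/proto the file assigns to NAME.
service_entries() {
    awk -v name="$1" '
        { sub(/#.*/, "") }      # strip comments
        NF < 2 { next }         # skip blank or malformed lines
        {
            hit = ($1 == name)
            for (i = 3; i <= NF; i++) if ($i == name) hit = 1   # aliases
            if (hit) print $2
        }' "$2"
}

# name_matches NAME PORT PROTO FILE: succeed only if NAME is exactly PORT/PROTO.
name_matches() {
    [ "$(service_entries "$1" "$4")" = "$2/$3" ]
}

# explain NAME PORT PROTO FILE: one-line verdict for a human reader.
explain() {
    if name_matches "$@"; then
        echo "OK: '$1' is $2/$3, so dpt:$1 really means port $2"
    else
        found=$(service_entries "$1" "$4" | tr '\n' ' ')
        echo "MISLEADING: '$1' maps to '${found% }', not $2/$3"
    fi
}

explain nrpe 5666 tcp "$GOOD_SERVICES"
explain nrpe 5666 tcp "$BAD_SERVICES"
```

If the name does not map to 5666/tcp, trust only the numeric output of "lsof -i :5666" and "iptables -n -L", as the reply recommends.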