VMware Cloud Community
Salter_M (Contributor)

Log Insight 4.0 agent for Windows does not stay connected on port 9543

I have been trying to upgrade agents to v4.0 which by default uses cfapi over SSL on port 9543. If I install the agent this way on DMZ agents they do not stay connected to Log Insight. If I start the service and monitor connections using netstat I can see that 9543 connection is established for a fleeting moment and then the connection disappears. If I change the liagent config to SSL=no then the agent works fine and stays connected on port 9000. For LAN based agents it all works fine. I've asked our Firewall team to advise and they can't see any problems with the rules or passing traffic. Any suggestions what to look for would be welcome.

Mark

3 Replies
Salter_M (Contributor)

I should also point out that DMZ servers are non-domain computers, and LAN servers are domain joined. I've just looked in an liagent log file and found a bunch of these:

2017-07-03 11:40:12.301968 0x000008a4 <warng> SSLVerifyContex:153| Certificate pre-verify error = 19. self signed certificate in certificate chain.

2017-07-03 11:40:12.301968 0x000008a4 <error> CurlConnection:844 | CurlConnection::Connect transport error: Peer certificate cannot be authenticated with given CA certificates

2017-07-03 11:40:12.301968 0x000008a4 <trace> CFApiTransport:106 | DoConnectJob [Postpone connection by 1 sec]

so it seems it is probably a cert based issue. Will do some further reading.

Regards

Mark

admin (Immortal)

Sounds like you're on the right track with the certificate problem. Maybe your domain is pushing out certificate trust roots leveraged by half the plant?

You can use openssl's s_client to establish connectivity directly and see the certificate. It'll be the same cert regardless of where you're running the client, so you could run this on a Log Insight cluster member targeting localhost:9543. That won't tell you anything about the certificate chain the Log Insight Agent was trying to validate it against, though.

openssl s_client -showcerts -connect loginsight.example.com:9543 < /dev/null | openssl x509 -text -noout

You can also increase the logging output from the Log Insight Agent by adding [logging].debug_level=2 to your liagent.ini file.

Salter_M (Contributor) - accepted solution

Just needed to get our workgroup servers to trust our internal cert authority. We're working through automation of this now.

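The openssl check above runs from the server side; on the non-domain Windows hosts the question is whether the certificate chain reaches a root in the LocalMachine store, which is what the accepted fix changed. The following PowerShell script is an added example, not code from this thread or from VMware: it fetches the certificate from port 9543, rebuilds the chain against the Windows trust store, reports why it fails (for example UntrustedRoot, the Windows counterpart of the agent's verify error 19), and optionally imports the internal root CA. The server name and the CA file path are placeholders.

```powershell
# Added example, not from the thread: diagnose and fix Log Insight Agent TLS trust
# on a Windows workgroup server. Server name and CA path are placeholders.
param(
    [string]$Server = 'loginsight.example.com',
    [int]$Port = 9543,
    [string]$InternalRootCer = ''   # e.g. C:\certs\internal-root.cer, exported from your CA
)

$script:handshakeChain = @()
$script:policyErrors = $null
# Accept the cert during this diagnostic handshake only, so the chain the server
# actually sent can be captured; the agent itself does not bypass validation.
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $script:handshakeChain = @($chain.ChainElements | ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.Certificate) })
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($Server)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

"Handshake policy errors: $script:policyErrors"
"Leaf: $($leaf.Subject)  issuer: $($leaf.Issuer)"

# Rebuild the chain against the LocalMachine store, seeding ExtraStore with the
# intermediates/root the server sent so the only missing piece can be trust itself.
$x = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$x.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $script:handshakeChain) { [void]$x.ChainPolicy.ExtraStore.Add($c) }
if ($x.Build($leaf)) {
    "Chain builds to trusted root: $($x.ChainElements[$x.ChainElements.Count-1].Certificate.Subject)"
} else {
    foreach ($s in $x.ChainStatus) { "Chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
    $top = $x.ChainElements[$x.ChainElements.Count-1].Certificate
    if ($top.Subject -eq $top.Issuer) {
        "Untrusted self-signed root: $($top.Subject) thumbprint $($top.Thumbprint)"
        "Import this root into Cert:\LocalMachine\Root on each workgroup server."
    }
}

if ($InternalRootCer -and (Test-Path $InternalRootCer)) {
    Import-Certificate -FilePath $InternalRootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $InternalRootCer into LocalMachine\Root; restart the Log Insight Agent service."
}
```

Run it once without -InternalRootCer to confirm the reported thumbprint matches your internal root before importing anything; the import step needs an elevated session.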