Troubeshooting NSClient++ Connection Issues
Related to Copied
CHECK_NRPE: Error, CHECK_NRPE STATE, CHECK_NRPE: Can not connect
Problem Copied
OP5 Monitor is unable to connect to an NSClient++ agent running on a Windows OS Copied
Possible Cause(s) Copied
NSCP Service is not running on Windows server being monitored Copied
This may be indicated by the following error on the OP5 monitor:
## /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds.
Windows firewall is not open on port 5666 Copied
This may also be indicated by the following error on the OP5 monitor:
## /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds.
Incorrect Allowed Host configuration directive Copied
This may be indicated by the following error on the OP5 monitor:
## /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE: Error - Could not connect to 192.168.10.157. Check system logs on 192.168.10.157
Incorrect SSL configuration Copied
This may be indicated by the following error on the OP5 monitor:
## /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.10.157: 1
Possible Solution(s) Copied
NSCP Service is not running on Windows server being monitored Copied
In a PowerShell terminal on the Windows server, check nscp service status
PS C:\> Get-Service nscp
Status Name DisplayName
------ ---- -----------
Stopped nscp NSClient++ Monitoring Agent
If nscp is stopped, restart it.
PS C:\> Restart-Service nscp
PS C:\> Get-Service nscp
Status Name DisplayName
------ ---- -----------
Running nscp NSClient++ Monitoring Agent
Windows firewall is not open on port 5666 Copied
The NSClient installation process should have put a firewall rule in place to allow connections on port 5666.
In a PowerShell terminal, ensure that NSClient++ connections are enabled.
PS C:\> Enable-NetFirewallRule -DisplayName "NSClient++ Monitoring Agent"
Incorrect Allowed Host configuration directive Copied
If the NSCP service is running, then the likely cause of the Could not connect to error is the Allowed Host configuration directive. This can be verified by checking the nsclient.log file for the ‘Rejected connection from x.x.x.x’ error. (where x.x.x.x is the address on the monitoring host)
Open nsclient.log in a text editor, or to check the log in real time (similar to tail -f on Linux) use the PowerShell command:
PS C:\Program Files\NSClient++> Get-Content nsclient.log -Wait
Example error message:
2023-05-10 16:58:05: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 172.16.1.149
Allowed host setting
Settings could be in either of:
- a local ini file,
- the Windows Registry
- a remote HTTP server.
In PowerShell window, check Allowed Hosts setting
PS C:\Program Files\NSClient++> ./nscp.exe settings --list --path /settings/default
/settings/default.allowed_hosts=127.0.0.1
If the OP5 monitor address is not in allowed hosts, add it via a PowerShell terminal
PS C:\Program Files\NSClient++> ./nscp.exe settings --path /settings/default --key "allowed hosts" --set "127.0.0.1,172.16.1.0/24"
If either of the below errors are encountered, in means that configuration is on a centralised HTTP server.
E settings Cannot save settings over HTTP
c:\source\master\include\settings/impl/settings_http.hpp:348
Cannot save settings over HTTP
Or
E settings Failed to find cached settings
Check where settings are stored
PS C:\Program Files\NSClient++> nscp.exe settings
Example output:
Current settings instance loaded:
INI settings: (ini://C:/Program Files//NSClient++/op5.ini, C:/Program Files//NSClient++/op5.ini)
Or:
Current settings instance loaded:
HTTP settings: (http://172.16.1.129/nsclient/op5.ini, 172.16.1.129/nsclient/op5.ini)
INI settings: (ini://C:\Program Files\NSClient++/cache\op5.ini, C:\Program Files\NSClient++/cache\op5.ini)
Alternatively, check the boot.ini files for a directive indicating where configuration settings are stored.
boot.ini below shows that the registry is where default settings are stored.
[settings]
1 = registry://HKEY_LOCAL_MACHINE/software/NSClient++
;1=http://172.16.1.129/nsclient/op5.ini
;2=ini://C:/Program Files//NSClient++/op5.ini
If settings are stored on an HTTP server, then the ini file on that server will need to be edited. (172.16.1.129/nsclient/op5.ini in the example above).
Incorrect SSL configuration Copied
On the Linux side, a ‘Could not complete SSL handshake’ error will normally mean that there is an issue with the certificate on the Windows server.
Check the nsclient.log for a ‘Rejected connection’ error message similar to below:
2023-05-10 16:58:05: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 172.16.1.149
In PowerShell window, check your NSClient certificate setting
PS C:\Program Files\NSClient++> ./nscp.exe settings --list --path /settings/NRPE
/settings/NRPE/server.dh=C:\Program Files\NSClient++\security\nrpe_dh_2048.pem
NSClient certificate issues are dealt with in the related article OP5 Monitor - How to solve the problem “CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with
Related Articles Copied
- OP5 Monitor - How to solve the problem “CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with
” - OP5 Monitor - Configure NSClient++ from the Windows command prompt
- OP5 Monitor - How to configure NSClient++ in the Windows Registry