# kolide

Sal

09/05/2019, 11:20 PM
@zwass How would you like to troubleshoot?

zwass

09/05/2019, 11:22 PM
Can you please turn on --verbose --tls_dump on the osquery daemon and then provide the logs?

Sal

09/05/2019, 11:23 PM
sure, i already have that.
paste it here?

zwass

09/05/2019, 11:23 PM
I'm looking at the error you posted in https://osquery.slack.com/archives/C08V7KTJB/p1567720952082100 and I suspect that this host is not able to connect to that host.
You said that host is on a different network... I assume that is why the first host can connect and the new host cannot.

Sal

09/05/2019, 11:24 PM
correct, this host is on let's say our corp network..
dev and vpn all connect fine
which is leading me to believe this is a network issue.
but wanted to check here first.
however, the clients are different.
dev are Linux, vpn macOS and corp windows/macOS
just logging back in

zwass

09/05/2019, 11:26 PM
Almost certainly a network issue. Can you hit this endpoint via curl on this host?

Sal

09/05/2019, 11:32 PM
oops
i get a status code 200 from the site
cannot add a snippet so sorry about this..

zwass

09/05/2019, 11:54 PM
"An existing connection was forcibly closed by the remote host" is not an error that I have seen before, but it still looks like network issues.

Sal

09/05/2019, 11:56 PM
Agreed. The tls service shouldn’t need any special network ports open other than 443 from the clients, right?

zwass

09/05/2019, 11:57 PM
No it should not

Sal

09/05/2019, 11:58 PM
Must be a firewall or proxy issue then. Appreciate the help Zach.

seph

09/06/2019, 12:26 AM
The gRPC connection doesn’t always go through proxies, right? So if there are any weird MitM firewalls there might be issues?

zwass

09/06/2019, 12:27 AM
Is this Launcher or plain osquery?

seph

09/06/2019, 12:27 AM
Oh, good point. The comment above implies osquery

Sal

09/06/2019, 12:31 AM
plain osquery

zwass

09/06/2019, 12:31 AM
In that case we can ignore any concerns about gRPC.

Sal

09/06/2019, 12:33 AM
sounds good. I'll let you all know how it works out with the network team.. this is always fun.
@zwass So spoke with the networks team. They note that due to me having :443 at the end, the --tls_hostname causes the request to be malformed. And removing this allows the connection.
the proxy is dropping the connection..
x_exception_id=internal_error
and the cs_host=- is missing the hostname.

zwass

09/06/2019, 5:32 PM
So it's solved by removing :443?

Sal

09/06/2019, 5:55 PM
That is correct.

zwass

09/06/2019, 5:58 PM
Nice, thank you for filling us in. Glad it's working!

Sal

09/06/2019, 6:28 PM
tbh though, i'm not sure that is a good answer from them as this was in fact working with the :443 as i've 500+ offline assets in TLS..
but that is another story.