<@U0JFM04MS> How would you like to troubleshoot?
# kolides
Sal
09/05/2019, 11:20 PM@zwass How would you like to troubleshoot?
z
zwass
09/05/2019, 11:22 PM
Can you please turn on
--verbose --tls_dumps
Sal
09/05/2019, 11:23 PMsure, i already have that.
Sal
09/05/2019, 11:23 PMpaste it here?
z
zwass
09/05/2019, 11:23 PM
I'm looking at the error you posted in https://osquery.slack.com/archives/C08V7KTJB/p1567720952082100 and I suspect that this host is not able to connect to that host.
zwass
09/05/2019, 11:23 PM
You said that host is on a different network... I assume that is why the first host can connect and the new host cannot.
s
Sal
09/05/2019, 11:24 PMcorrect, this host is on lets say our corp network..
Sal
09/05/2019, 11:25 PMdev and vpn all connect fine
Sal
09/05/2019, 11:25 PMwhich is leading me to believe this is a network issue.
Sal
09/05/2019, 11:25 PMbut wanted to check here first.
Sal
09/05/2019, 11:26 PMhowever, the clients are different.
Sal
09/05/2019, 11:26 PMdev are lunix, vpn macOS and corp windows/macOS
Sal
09/05/2019, 11:26 PMjust logginf back in
z
zwass
09/05/2019, 11:26 PM
Almost certainly a network issue. Can you hit this endpoint via curl on this host?
s
Sal
09/05/2019, 11:32 PMopps
Sal
09/05/2019, 11:33 PMi get a status code 200 from the site
Sal
09/05/2019, 11:49 PMcannot add a snippet so sorry about this..
Sal
09/05/2019, 11:50 PMz
zwass
09/05/2019, 11:54 PM
"An existing connection was forcibly closed by the remote host" is not an error that I have seen before, but it still looks like network issues.
s
Sal
09/05/2019, 11:56 PMAgreed. The tls service shouldn’t need any special network ports open other that 443 from the clients tight?
z
zwass
09/05/2019, 11:57 PM
No it should not
s
Sal
09/05/2019, 11:58 PMMust be a firewall or proxy issue then. Appreciate the help Zach.
s
seph
09/06/2019, 12:26 AM
The GRPC connection doesn’t always go through proxies, right? So if there’s a any weird MitM firewalls there might be issues?
z
zwass
09/06/2019, 12:27 AM
Is this Launcher or plain osquery?
s
seph
09/06/2019, 12:27 AM
Oh,good point. The comment above implies osquery
s
Sal
09/06/2019, 12:31 AMplain osquery
z
zwass
09/06/2019, 12:31 AM
In that case we can ignore any concerns about gRPC.
s
Sal
09/06/2019, 12:33 AMsounds good. I'll let you all know how it works out with the network team.. this is always fun.
🍻 1
Sal
09/06/2019, 4:14 PM@zwass So spoke with the networks team. They note that due to me having :443 at the end the --tls_hostname causes the request to be malformed. And removing this allows the connection.
Sal
09/06/2019, 4:57 PMthe proxy is dropping the connection..
Sal
09/06/2019, 4:57 PMx_exception_id=internal_error
Sal
09/06/2019, 5:05 PMand the cs_host=- is missing the hostname.
z
zwass
09/06/2019, 5:32 PM
So it's solved by removing :443?
s
Sal
09/06/2019, 5:55 PMThat is correct.
z
zwass
09/06/2019, 5:58 PM
Nice, thank you for filling us in. Glad it's working!
s
Sal
09/06/2019, 6:28 PMtbh though, i'm not sure that is a good answer from them as this was in fact working with the :443 as i've 500+ offline assets in TLS..
Sal
09/06/2019, 6:28 PMbut that is another story.
2 Views