Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Sal
09/05/2019, 11:20 PM@zwass How would you like to troubleshoot?
z
zwass
09/05/2019, 11:22 PMCan you please turn on
--verbose --tls_dumps
Sal
09/05/2019, 11:23 PMsure, i already have that.
paste it here?
z
zwass
09/05/2019, 11:23 PMI'm looking at the error you posted in https://osquery.slack.com/archives/C08V7KTJB/p1567720952082100 and I suspect that this host is not able to connect to that host.
You said that host is on a different network... I assume that is why the first host can connect and the new host cannot.
s
Sal
09/05/2019, 11:24 PMcorrect, this host is on lets say our corp network..
dev and vpn all connect fine
which is leading me to believe this is a network issue.
but wanted to check here first.
however, the clients are different.
dev are lunix, vpn macOS and corp windows/macOS
just logginf back in
z
zwass
09/05/2019, 11:26 PMAlmost certainly a network issue. Can you hit this endpoint via curl on this host?
s
Sal
09/05/2019, 11:32 PMopps
i get a status code 200 from the site
cannot add a snippet so sorry about this..
z
zwass
09/05/2019, 11:54 PM"An existing connection was forcibly closed by the remote host" is not an error that I have seen before, but it still looks like network issues.
s
Sal
09/05/2019, 11:56 PMAgreed. The tls service shouldn’t need any special network ports open other that 443 from the clients tight?
z
zwass
09/05/2019, 11:57 PMNo it should not
s
Sal
09/05/2019, 11:58 PMMust be a firewall or proxy issue then. Appreciate the help Zach.
s
seph
09/06/2019, 12:26 AMThe GRPC connection doesn’t always go through proxies, right? So if there’s a any weird MitM firewalls there might be issues?
z
zwass
09/06/2019, 12:27 AMIs this Launcher or plain osquery?
s
seph
09/06/2019, 12:27 AMOh,good point. The comment above implies osquery
s
Sal
09/06/2019, 12:31 AMplain osquery
z
zwass
09/06/2019, 12:31 AMIn that case we can ignore any concerns about gRPC.
s
Sal
09/06/2019, 12:33 AMsounds good. I'll let you all know how it works out with the network team.. this is always fun.
🍻 1
@zwass So spoke with the networks team. They note that due to me having :443 at the end the --tls_hostname causes the request to be malformed. And removing this allows the connection.
the proxy is dropping the connection..
x_exception_id=internal_error
and the cs_host=- is missing the hostname.
z
zwass
09/06/2019, 5:32 PMSo it's solved by removing :443?
s
Sal
09/06/2019, 5:55 PMThat is correct.
z
zwass
09/06/2019, 5:58 PMNice, thank you for filling us in. Glad it's working!
s
Sal
09/06/2019, 6:28 PMtbh though, i'm not sure that is a good answer from them as this was in fact working with the :443 as i've 500+ offline assets in TLS..
but that is another story.