#kolide

Sal

09/05/2019, 11:20 PM
@zwass How would you like to troubleshoot?

zwass

09/05/2019, 11:22 PM
Can you please turn on --verbose --tls_dump on the osquery daemon and then provide the logs?

Sal

09/05/2019, 11:23 PM
sure, i already have that.
11:23 PM
paste it here?

zwass

09/05/2019, 11:23 PM
I'm looking at the error you posted in https://osquery.slack.com/archives/C08V7KTJB/p1567720952082100 and I suspect that this host is not able to connect to that host.
11:23 PM
You said that host is on a different network... I assume that is why the first host can connect and the new host cannot.

Sal

09/05/2019, 11:24 PM
correct, this host is on let's say our corp network..
11:25 PM
dev and vpn all connect fine
11:25 PM
which is leading me to believe this is a network issue.
11:25 PM
but wanted to check here first.
11:26 PM
however, the clients are different.
11:26 PM
dev are Linux, vpn macOS and corp windows/macOS
11:26 PM
just logging back in

zwass

09/05/2019, 11:26 PM
Almost certainly a network issue. Can you hit this endpoint via curl on this host?

Sal

09/05/2019, 11:32 PM
oops
11:33 PM
i get a status code 200 from the site
11:49 PM
cannot add a snippet so sorry about this..
11:50 PM

zwass

09/05/2019, 11:54 PM
"An existing connection was forcibly closed by the remote host" is not an error that I have seen before, but it still looks like network issues.

Sal

09/05/2019, 11:56 PM
Agreed. The tls service shouldn’t need any special network ports open other than 443 from the clients, right?

zwass

09/05/2019, 11:57 PM
No it should not

Sal

09/05/2019, 11:58 PM
Must be a firewall or proxy issue then. Appreciate the help Zach.

seph

09/06/2019, 12:26 AM
The GRPC connection doesn’t always go through proxies, right? So if there’s any weird MitM firewalls there might be issues?

zwass

09/06/2019, 12:27 AM
Is this Launcher or plain osquery?

seph

09/06/2019, 12:27 AM
Oh, good point. The comment above implies osquery

Sal

09/06/2019, 12:31 AM
plain osquery

zwass

09/06/2019, 12:31 AM
In that case we can ignore any concerns about gRPC.

Sal

09/06/2019, 12:33 AM
sounds good. I'll let you all know how it works out with the network team.. this is always fun.
4:14 PM
@zwass So spoke with the networks team. They note that due to me having :443 at the end, the --tls_hostname causes the request to be malformed. And removing this allows the connection.
4:57 PM
the proxy is dropping the connection..
4:57 PM
x_exception_id=internal_error
5:05 PM
and the cs_host=- is missing the hostname.

zwass

09/06/2019, 5:32 PM
So it's solved by removing :443?

Sal

09/06/2019, 5:55 PM
That is correct.

zwass

09/06/2019, 5:58 PM
Nice, thank you for filling us in. Glad it's working!

Sal

09/06/2019, 6:28 PM
tbh though, i'm not sure that is a good answer from them as this was in fact working with the :443 as i've 500+ offline assets in TLS..
6:28 PM
but that is another story.