Can't connect Windows agent to Master

ShowMeYourSkil · April 30, 2022, 8:17am

Hello everyone, I would like to open up a new network and monitor the Windows servers there with agents that communicate directly to my master.

The networks are connected via a site to site tunnel. I can ping my master on the host and the port for Icinga is enabled on the server. However, I cannot connect to the master.

I went through the following steps until I got the error:

icinga2 pki ticket --cn server.agent.lan (on my master instance)
Set the Instance Name and the Ticket Number
Now Comes the error

Running command 'icinga2.exe pki save-cert --host "monitoring.test.de" --port "5665" --key "C:\ProgramData\icinga2\etc\icinga2\pki\server.agent.lan.key" --cert "C:\ProgramData\icinga2\etc\icinga2\pki\server.agent.lan.crt" --trustedcert "C:\Users\Administrator.ADMIN\AppData\Local\Temp\2\tmpAA37.tmp"' produced the following output:
information/cli: Retrieving X.509 certificate for 'monitoring.test.de:5665'.
critical/TcpSocket: Invalid socket: 10060, "A connection attempt failed because the remote station did not respond properly after a certain period of time, or the established connection was faulty because the connected host did not respond."
critical/pki: Cannot connect to host 'monitoring.test.de' on port '5665'
critical/cli: Failed to fetch certificate from host.

I hope you have a good tip for me, because I don’t know what to do anymore

moreamazingnick · April 30, 2022, 9:57am

use chrome on a windows maschine and connect to https://ip-of-icinga-master:5665
use chrome on a windows maschine and connect to https://monitoring.test.de:5665

if there is a certificate error just start typing thisisunsafe
if there you can reach a login promt icinga api is available, which is necessary talk to icinga-master
after that we will see if you can even reach icinga-master api through vpn

ShowMeYourSkil · April 30, 2022, 11:30am

Thank you for your support. I do not receive the web interface. A tracert showed that the hops end at my mx entry.

In the other network there is already an agent installed which communicates to the master on this server but the interface is not reachable either.

moreamazingnick · May 2, 2022, 6:32am

What do you mean with mx entry? Are you trying to connect to mail mail server?

What vpn do you use? You can setup client based rules, Maybe your other agent is allowed to access 5665 on icinga-master.

In order to get the certificate signed icinga-client has to be able to connect to icinga master on port 5665.
reach out to whomever set up your vpn to make this happen. i would also suggest to use ip based connection, so you dont have to setup a split dns for your vpn for monitoring.test.de and your connection is only routed through vpn

ShowMeYourSkil · May 2, 2022, 7:05am

Hello, thank you very much I’ll have to have a look. On the agent server the port is allowed. Also with the master IP a connection is unfortunately not possible. I will get back to you as soon as I know something new.

ShowMeYourSkil · May 4, 2022, 5:42pm

Hey @moreamazingnick ,

I am now ready for the host to ping the master.
I did the setup of the agent manually and was able to install it manually. The Icinga agent now says Running. However, the host status in icinga is still down.

Do you have any idea where I should look or what I can do now?

Best regards!

moreamazingnick · May 5, 2022, 1:07pm

you most likely need to allow icinga-master to ping your agent.(Firewall rule/ VPN / windows )

the check command for the host /hosttemplate decides if a host is down or not. you are most likely using check ping or hostalive, which is also check ping.

or you change the check command for the host/hosttemplate to dummy than the agent is always “up”