Ad Widget

**kaspars.mednis** · 04-01-2018, 13:55

Hi !

Is this the proxy log ?

Two things must be configured for encryption to work
- Proxy must accept encrypted connections (configuration->hosts->select host->encryption)
- Encryption must be enabled and configured in zabbix_agentd.conf (zabbix agent restart needed after config changes.

below are needed config settings on agent side for PSK encryption to work

Code:

TLSPSKIdentity=yourPSKidentity
TLSPSKFile=yourPSKfile
TLSConnect=psk   
TLSAccept=psk

Regards,
Kaspars

**monarch684** · 04-01-2018, 16:13

Attached are my log files and conf files. I left debug on overnight on accident. Can you see if I mistyped something or completely fubared something.

Just an FYI, this is running in a test environment. I chose not to scrub the usual sensitive data as it is going to change in the production environment.

Attached Files

**kaspars.mednis** · 04-01-2018, 16:24

you have the following entry in zabbix_agentd.win.conf.txt

Code:

# TLSConnect=unencrypted

because if that active agent is sending unencrypted data to zabbix proxy, and zabbix proxy has the following entry in log

failed to accept an incoming connection: from 10.109.3.56: unencrypted connections are not allowed

set it to psk and restart your agent

Code:

TLSConnect=psk

Regards,
Kaspars

**monarch684** · 04-01-2018, 16:34

I made the change but still nothing. This is actually from the agent log.

304:20180104:083237.196 failed to accept an incoming connection: from 10.109.3.56: unencrypted connections are not allowed

**kaspars.mednis** · 04-01-2018, 16:38

if this is agent log, zabbix proxy is trying to connect to agent with unencrypted connection.

Have you set encryption settings in host configuration on web interface ? Also remember, it takes time for proxy to get config changes from Zabbix server

Regards,
Kaspars

**monarch684** · 04-01-2018, 16:48

Yes, encryption is turned on everywhere I could find.

For the host:

Connections to host - PSK
Connections from host - PSK
PSK Identity is Set
PSK is Set

For the proxy: PASSIVE

Connections to proxy PSK
Connections from proxy is grayed out. I have PSK checked but I think it might be inactive.
PSK Identity is Set
PSK is Set

All these settings are what they were yesterday when I left work for the day.

**kaspars.mednis** · 04-01-2018, 17:05

Connections from proxy is grayed out because it is PASSIVE proxy and not connecting to Zabbix Server

What is ProxyConfigFrequency= on Zabbix_server_conf ?
Are there any errors regarding proxy_config update on zabbix_server_log ?

Zabbix passive proxies wait for all config data to be sent from Zabbix server, maybe there is some issue ? The Zabbix proxy may just "don't know" about the encryption settings for the host.

Regards
Kaspars

**monarch684** · 04-01-2018, 17:18

Are there any errors regarding proxy_config update on zabbix_server_log ?

I am getting this error in the zabbix_server.log

cannot connect to proxy "Zabbix Proxy": TCP susscessful, cannot establish TLS to [IP ADDRESS]: connection closed by peer

What is ProxyConfigFrequency= on Zabbix_server_conf ?

ProxyConfigFrequency=300

I have a short amount of time just for testing purposes.

**kaspars.mednis** · 04-01-2018, 17:23

So there is problem with configuration update from ZabbixServer to ZabbixProxy, you must fix it first.

cannot connect to proxy "Zabbix Proxy": TCP susscessful, cannot establish TLS to [IP ADDRESS]: connection closed by peer

does the file TLSPSKFile=/etc/zabbix/zabbix_psk.psk persist on Zabbix proxy ?

Are the PSK identity and key correct in ZabbixServer->Administrtaion->proxies->thatProxy->encryption tab ? (they must match parameters defined in zabbix_proxy.conf

Regards
Kaspars

**monarch684** · 04-01-2018, 17:40

I did have one glaring issue. What was in the zabbix_psk.psk did not match anything. I have corrected that and rebooted the proxy. Is that something that I have to wait to see if I have corrected the issue or should it work almost instantly?

**kaspars.mednis** · 04-01-2018, 17:47

It must get new config after ProxyConfigFrequency=300 (5 minutes)

Just check the Zabbix Server / Proxy Logs.

After that if the host agent does not start to work, we can troubleshoot that.

Regards,
Kaspars

**monarch684** · 04-01-2018, 18:02

Still same error message

**monarch684** · 04-01-2018, 23:57

I just got through testing the encryption from server to agent, no proxy in the middle. Everything works as it should. That leads me to believe I have the proxy setup incorrectly or the server and agent going to the proxy setup incorrectly.

**monarch684** · 08-01-2018, 17:48

Does anyone have an idea of what might be going on here?

Ad Widget

Agent Not Allowing Connections

Agent Not Allowing Connections

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment