Unencrypted connections are not allowed

  • Mandalorian4Life
    Junior Member
    • Apr 2020
    • 3

    #1

    Hi,
    I've been troubling myself these days with learning to set up Zabbix to monitor Windows 2016 server(s).
    The server is deployed on CentOS 7; the agent is on W2016 Srv Std.

    I've configured PSK on both sides (agent.conf on W2016 and on Zabbix frontend for same host). Checks are working, W2016 sends its data to ZBX, but...

    There are lines in the log that suggest that either something is wrong with the agent logging errors to the log, or it doesn't really work.
    This is what I get in Agent Log:


    8652:20200414:150739.470 Starting Zabbix Agent [myWin2016.domain.loc]. Zabbix 4.0.17 (revision a528a0a4bc).
    8652:20200414:150739.470 **** Enabled features ****
    8652:20200414:150739.471 IPv6 support: YES
    8652:20200414:150739.472 TLS support: YES
    8652:20200414:150739.473 **************************
    8652:20200414:150739.473 using configuration file: C:\Program Files\Zabbix Agent\zabbix_agentd.conf
    8652:20200414:150739.561 agent #0 started [main process]
    7120:20200414:150739.562 agent #1 started [collector]
    6172:20200414:150739.563 agent #2 started[listener #1]
    7788:20200414:150739.564 agent #3 started[listener #2]
    8696:20200414:150739.564 agent #4 started[listener #3]
    8564:20200414:150739.565 agent #5 started [active checks #1]
    7788:20200414:150755.670 failed to accept an incoming connection: from 192.168.1.1 : unencrypted connections are not allowed


    Agent Conf:

    #########

    LogFile=C:\Program Files\Zabbix Agent\zabbix_agentd.log

    DebugLevel=3

    EnableRemoteCommands=1

    LogRemoteCommands=1

    Server=192.168.1.1

    StartAgents=3

    ServerActive=192.168.1.1

    Hostname=myWin2016.domain.loc

    HostMetadata=Windows

    HostMetadataItem=system.uname

    TLSConnect=psk

    TLSAccept=psk

    TLSPSKIdentity=PSK001

    TLSPSKFile=C:\Program Files\Zabbix Agent\psk.key


    #########

    On the frontend, the host is "green" for both ZBX and both PSKs, meaning that the correct PSK ID, key and hostname are OK in the Zabbix web GUI.

    I've checked firewall, read documentation, but still haven't solved this.

    What am I missing, and where?

    Thanks.
  • Mandalorian4Life
    Junior Member
    • Apr 2020
    • 3

    #2
    Srsly, not anyone?
    Does everyone have working agent active checks with PSK on W2016?


    • andris
      Zabbix developer
      • Feb 2012
      • 228

      #3
      failed to accept an incoming connection: from 192.168.1.1 : unencrypted connections are not allowed
      Main question - do passive checks work, are they getting data ?
      If yes, then it is something else connecting to the agent from 192.168.1.1.
      If no - then you can check and compare log files on both ends (server/proxy and agent).



      • Mandalorian4Life
        Mandalorian4Life commented
        Yap, passive works.
        I've allowed connections to the agent host on port 10050 only from 192.168.1.1 in the firewall, and netstat on CentOS shows that only zabbix_server is trying to connect to the host on 10050, meaning nothing else is trying to make a connection or using the port...

        It's interesting that active works when I turn off encryption. This can lead to the conclusion that (and it is stated on the Microsoft tech library pages) W2016 does not support TLSv1.2 PSK-AES128-CBC-SHA, but then again, how does it send out to the Zabbix server using this same encryption (???).

        From Level4 log:
        3024:20200421:193259.175 In zbx_tls_accept()
        3024:20200421:193259.176 zbx_psk_server_cb() requested PSK identity "PSK001"
        3024:20200421:193259.177 End of zbx_tls_accept():SUCCEED (established TLSv1.2 PSK-AES128-CBC-SHA)

        I think I'll sniff around CentOS and Zabbix Server to find how to set a proper PSK cipher that is supported by W2016.

        Any other ideas?
    • maha
      Junior Member
      • Jan 2022
      • 3

      #4
      Zabbix newbie reporting in.

      I have some of the same issues with W2019 (Domain Controller).

      Disabling passive TLS results in no errors in the logfile for active checks, but when I enable it, it gives me the same error as stated in the thread topic.

      DebugLevel 4 also reveals this:
      The server-side authentication level policy does not allow the user <user used for LDAP queries> from address <IP of firewall> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

      Other entries from log:
      2022/01/27 10:40:05.024632 sending passive check response: '10.755340' to 'zabbix server IP'
      2022/01/27 10:40:05.024937 sending passive check response: '1132.000000' to 'zabbix server IP'
      2022/01/27 10:40:05.030113 connection established using TLSv1.3 TLS_CHACHA20_POLY1305_SHA256


      Re-enable passive-TLS:

      2022/01/27 10:50:11.187730 [101] no active checks on server [10.100.80.48:10051]: connection of type "TLS with PSK" is not allowed for host "domain controller"
      2022/01/27 10:50:11.187730 [101] End of refreshActiveChecks() from [zabbix server IP:10051]



      My config file looks like this:

      ##### Passive checks related

      Server=zabbix server IP
      # ListenPort=10050

      ##### Active checks related

      ServerActive=zabbix server IP
      Hostname=domain controller

      # HostMetadata=

      ############ ADVANCED PARAMETERS #################

      Include=C:\Program Files\Zabbix Agent 2\zabbix_agent2.d\
      ControlSocket=\\.\pipe\agent.sock

      DebugLevel=4

      ####### TLS-RELATED PARAMETERS #######

      ### Option: TLSConnect
      # How the agent should connect to server or proxy. Used for active checks.
      TLSConnect=psk

      ### Option: TLSAccept
      # What incoming connections to accept.
      TLSAccept=psk

      TLSPSKIdentity=PSKX
      TLSPSKFile=C:\Program Files\Zabbix Agent 2\psk.key



      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #5
        Hosts config and encryption tab, is everything ok there? Connection from host allowed with encryption?


        • rthonpm
          Member
          • Jan 2016
          • 41

          #6
          Is the host configured in the Zabbix frontend to use the same PSK and to only accept encrypted data?

          Both the client and server have to be configured for encryption and must also agree on the same key name and value.



          Last edited by rthonpm; 30-01-2022, 22:56.


          • maha
            Junior Member
            • Jan 2022
            • 3

            #7
            Yep, host is configured with correct IP and Agent ifc. PSK is selected on both encryption directions. See attached image.

            Seems like passive encryption is a no-go, because non-encrypted passive works fine and active encryption works fine.

            • rthonpm
              Member
              • Jan 2016
              • 41

              #8
              That's interesting. I've never seen encryption work with just one or the other (active/passive): it's always either worked or not worked. If you click on the PSK button at the bottom of the page, are the values there correct for the key you're using?

              Any difference if you change the file name in your Windows config file from .key to .psk?

              What user is running the Zabbix agent in Windows? Ideally, it should be the SYSTEM account.


              • maha
                Junior Member
                • Jan 2022
                • 3

                #9
                Sorry for my late response.

                Yeah, pretty sure the PSK is the same. I've copy-pasted it back and forth so many times now, but did it again just to be sure, and then I renamed the .key to .psk as you mentioned.
                The service is running on the local system account.

                Restarted the service now, and about 10 minutes after that, the "cannot process incoming connection: cannot accept unencrypted connection" logging appears :/


                • mattyj2001
                  Junior Member
                  • Dec 2025
                  • 3

                  #10
                  I realize this is an ancient thread, but I was running into a situation where the encrypted connection was working, but it was throwing the "unencrypted connections are not allowed" errors in the agent log, and the host was showing as 'Unavailable', though data was being sent.

                  Just an aesthetic problem, but it turns out you can select "No encryption" on the host even when you have encryption set up. Once you click on "PSK" the errors go away.

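The failure mode running through this thread is a mismatch between the agent's TLSAccept/TLSConnect and the host's encryption tab in the frontend. As an added example (not from the thread and not Zabbix's own code), this Python script parses an agent config and compares it with a host record shaped like the tls_connect/tls_accept fields the Zabbix API host.get returns; a "passive" finding is the situation behind the agent-log line "unencrypted connections are not allowed" (posts #1 and #10), an "active" finding is the situation behind the "connection of type "TLS with PSK" is not allowed for host" line in post #4. The config text and host records are constructed for the example.

```python
"""Cross-check a Zabbix agent's TLS settings against the host's encryption
settings in the frontend. Added example, not Zabbix's own code. The host
records mimic fields of the Zabbix API host.get output: tls_connect
(1=no encryption, 2=PSK, 4=certificate) is how the server connects to the
agent for passive checks; tls_accept is a bitmask of the same values for
what the server accepts from the agent on active checks."""

# Constructed agent config, shaped like the one in post #1.
AGENT_CONF = r"""
Server=192.168.1.1
ServerActive=192.168.1.1
Hostname=myWin2016.domain.loc
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=PSK001
TLSPSKFile=C:\Program Files\Zabbix Agent\psk.key
"""

# Constructed host records. HOST_NO_ENC is the state post #10 describes:
# "No encryption" left selected for connections to the host.
HOST_NO_ENC = {"host": "myWin2016.domain.loc", "tls_connect": "1", "tls_accept": "2"}
HOST_PSK = {"host": "myWin2016.domain.loc", "tls_connect": "2", "tls_accept": "2"}

NAMES = {1: "unencrypted", 2: "psk", 4: "cert"}


def parse_agent_conf(text):
    """Return a dict of key=value settings, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_encryption(conf, host):
    """Return one finding per direction that will fail; empty means consistent."""
    findings = []
    agent_accept = set(conf.get("TLSAccept", "unencrypted").split(","))
    agent_connect = conf.get("TLSConnect", "unencrypted")
    server_connect = NAMES[int(host["tls_connect"])]
    server_accept = {n for bit, n in NAMES.items() if int(host["tls_accept"]) & bit}
    # Passive checks: the server dials the agent, so the agent must accept that type.
    if server_connect not in agent_accept:
        findings.append(f"passive: server connects with '{server_connect}', "
                        f"agent TLSAccept={','.join(sorted(agent_accept))}")
    # Active checks: the agent dials the server, so the server must accept that type.
    if agent_connect not in server_accept:
        findings.append(f"active: agent TLSConnect={agent_connect}, "
                        f"server accepts {','.join(sorted(server_accept))}")
    return findings
```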