Help on configuration Agent Zabbix on NAT/Firewall

  • ginesgb
    Junior Member
    • Nov 2014
    • 23

    #1

    Help on configuration Agent Zabbix on NAT/Firewall

    Hello everyone, I am configuring Zabbix agents on Windows Server 2012 platforms, with ports 10050 and 10051 enabled in the Windows Server firewall. The agents in turn establish a connection to a Zabbix server, which is located behind a FW. Connections are enabled on the FW for the same ports, 10050 and 10051, so that hosts outside the internal network can connect, and on the FW the Zabbix server is NATed to an IP within the same range as the agent machines.

    The problem I see is that the connection is made against the machine/server, but it is not established and ends up giving different errors.

    Is any additional configuration necessary in the Zabbix agent or Zabbix server so that the connection can be established, because there is a NAT?
    Greetings and thank you.
  • jamesNJ
    Senior Member
    • Jun 2015
    • 103

    #2
    I apologize if I don't understand fully.

    It sounds like you have zabbix server on the inside of your firewall, and active agent on the outside, and are trying to get your active agent to connect through your firewall to zabbix server. I hope I understood properly.

    You might have an issue if NAT was set up in a way that forces zabbix to see the incoming connections from your agents as all the same IP address. If you have access to the firewall a packet capture is usually helpful. Zabbix server running on linux can also have 'tcpdump' program installed which you can use to see if connections are actually making it to your server, or simply dropped by the firewall.

    Also, you need to be sure that the host ip interfaces set up in zabbix server match what the clients are trying to connect in as.

    I hope some of that helps.


    • ginesgb
      Junior Member
      • Nov 2014
      • 23

      #3
      Agent Zabbix on NAT/Firewall

      Hello, thank you very much. I checked this, and for that reason I think I need some information on configuring the Zabbix agent, or the Zabbix server itself, for a setup between FW and NAT.

      I have added a diagram. What additional or different configuration takes place at each end?

      Greetings and thank you.

      • jamesNJ
        Senior Member
        • Jun 2015
        • 103

        #4
        So what ip address does your 90.10.10.2 client connect to for active check?

        Does the zabbix server get a NAT address, or do the clients get a NAT address ... or both?

        It might also be important to know which side (if both maybe) are masqueraded in a way that hides many hosts behind a single IP address ... there are many ways to use NAT.

        At the end of the day, you need to be sure what address is used to connect from server to client, and then also from client to server.

        You will need to figure out precisely how each side sees the other side. If you are using active checks, it might be helpful to set the zabbix agent on the zabbix server to permit connections from anyone (see Server= parameter) and then use zabbix_get from the client to probe items from the master. That is intended only to help troubleshoot to make sure that your connections work as expected across the firewall. It may also be helpful to run tcpdump on zabbix server to make certain the IP address you are expecting is trying to connect.

        The zabbix client and server configuration on each side is usually pretty easy ... it kind of sounds like you either have a blockage at the firewall or perhaps are using the wrong IP addresses at each side for communication from client to server.

        Sorry I can't be more specific ... debugging NAT and firewall configurations can be tricky.


        • ginesgb
          Junior Member
          • Nov 2014
          • 23

          #5
          Agent Zabbix on NAT/Firewall

          Hello, indeed the Zabbix server has a NAT address assigned by the same FW.

          The same FW does the NAT and passes data in both directions, with ports 10050 and 10051 enabled so that the connection can be made.

          I have configured the local agent on each server in this way (zabbix_agent.conf):

          LogFile=c:\zabbix\zabbix_agentd.log
          Server=130.26.45.1
          ServerActive=127.0.0.1
          Hostname=LAB_SERVER
          ListenIP=130.36.45.6

          The configuration on the Zabbix server side I have done as shown in the attachment.
          Are there any additional settings I need? I do not understand what active check refers to; could you explain?
          Greetings.


          • ginesgb
            Junior Member
            • Nov 2014
            • 23

            #6
            Agent Zabbix on NAT/Firewall

            Server Zabbix

            • jamesNJ
              Senior Member
              • Jun 2015
              • 103

              #7
              Let me see if I understand....
              Your zabbix server is 90.10.10.2
              Your agent is 130.36.45.6
              On the agent's network, the NAT address of 130.36.45.1 is the zabbix server
              You are trying to configure zabbix server to use passive zabbix agent connection so that zabbix server connects to the agent to pull data.

              Please let me know if that summary is correct.

              Assuming that is correct, the agent example and screen should work for zabbix server passive checks. The server Host configuration specifies to connect to 130.36.45.6, and the agent configuration (Server=) defines what IP address the zabbix server is coming in as.

              Active checks (where agent connects to zabbix server) will not work. Your ServerActive= configuration is bad. ServerActive should = the zabbix server IP address which is 130.36.45.1.

              I hope this helps some. If my assumptions are correct, try to use zabbix_get on the zabbix server to probe some simple data from the client like agent.hostname. That should help with passive checks. Active check testing would be more tricky; you need to be able to test that your firewall(s) are allowing traffic to go from the agent machine to the server.


              • ginesgb
                Junior Member
                • Nov 2014
                • 23

                #8
                Agent Zabbix on NAT/Firewall

                Hi, I made another setting after reading your information. I think this is correct.

                LogFile=c:\zabbix\zabbix_agentd.log
                Server=130.26.45.1
                ServerActive=130.26.45.1
                Hostname=LAB_SERVER
                ListenIP=130.36.45.6
                ListenPort=10051
                EnableRemoteCommands=1
                DebugLevel=3
                Timeout=3

                I reviewed the log.

                7640:20150818:113313.720 Starting Zabbix Agent [LAB_SERVER]. Zabbix 2.0.6 (revision 35155).
                7548:20150818:113313.720 agent #1 started[listener]
                7120:20150818:113313.720 agent #0 started [collector]
                2500:20150818:113313.720 agent #2 started[listener]
                7692:20150818:113313.720 agent #4 started [active checks]
                5416:20150818:113313.720 agent #3 started[listener]

                But it does not establish the connection, giving the error:

                Get value from agent failed: cannot connect to [[130.36.45.6]:10050]: [111] Connection refused

                Now I do not understand what error I have, since I think I've configured it properly.
                Greetings and thank you

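Added example, not part of the original thread or any poster's code: a small Python check that compares the agent settings quoted in post #8 with the addresses stated in post #7 (server seen by the agent as 130.36.45.1, agent interface 130.36.45.6) and the port 10050 from the error message. The function names are hypothetical, the sample is a constructed subset of that post, and IP literals rather than DNS names are assumed.

```python
import ipaddress

# Constructed sample: a subset of the agent settings quoted in post #8.
SAMPLE_CONF = """
Server=130.26.45.1
ServerActive=130.26.45.1
Hostname=LAB_SERVER
ListenIP=130.36.45.6
ListenPort=10051
EnableRemoteCommands=1
"""

def parse_conf(text):
    """Parse Key=Value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return host.lower() == "localhost"

def lint_agent(conf, server_seen_as, iface_ip, iface_port=10050):
    """server_seen_as: the server's address as the agent sees it (after NAT).
    iface_ip/iface_port: the host interface the server connects to.
    Returns a list of (parameter, message) findings."""
    out = []
    allowed = [s.strip() for s in conf.get("Server", "").split(",") if s.strip()]
    if server_seen_as not in allowed:
        out.append(("Server", f"{allowed} does not include {server_seen_as}"))
    for entry in filter(None, (s.strip() for s in conf.get("ServerActive", "").split(","))):
        host = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
        if is_loopback(host):
            out.append(("ServerActive", f"{host} is loopback; active checks never leave the agent"))
        elif host != server_seen_as:
            out.append(("ServerActive", f"{host} is not {server_seen_as}"))
    listen_ip = conf.get("ListenIP", "0.0.0.0")  # agent default: all interfaces
    if listen_ip not in ("0.0.0.0", iface_ip):
        out.append(("ListenIP", f"agent binds {listen_ip}, server connects to {iface_ip}"))
    listen_port = int(conf.get("ListenPort", "10050"))  # agent default port
    if listen_port != iface_port:
        out.append(("ListenPort", f"agent listens on {listen_port}, server connects to {iface_port}"))
    if conf.get("EnableRemoteCommands") == "1":
        out.append(("EnableRemoteCommands", "server may run commands on this host; keep Server= tight"))
    return out
```

Calling `lint_agent(parse_conf(SAMPLE_CONF), "130.36.45.1", "130.36.45.6")` returns one finding per parameter that differs from those addresses, plus a note on `EnableRemoteCommands`.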

                • jamesNJ
                  Senior Member
                  • Jun 2015
                  • 103

                  #9
                  At least from what I can gather from your description and configuration files, it looks like the configuration on the agent is correct.

                  I would possibly suspect an issue with your firewall.

                  On win 2012 agent machine, make sure your local firewall is set properly. On my win 2012 servers, I use the option to allow all incoming and outgoing traffic by process (so for example I don't set specific ports).

                  On your zabbix server, go to command line and try to run:
                  zabbix_get --host 130.36.45.6 --key agent.hostname

                  If that does not come back with the agent server's host name, then you will need to troubleshoot your firewall and windows service to make sure connections are getting through.

                  Some firewalls will print packet traces on hosts for troubleshooting. If you have a windows server you can install software on, you can get wireshark for free, install it to your windows server, and then capture all traffic on port 10050 and see if any packets make it.


                  • ginesgb
                    Junior Member
                    • Nov 2014
                    • 23

                    #10
                    Agent Zabbix on NAT/Firewall

                    Hello, thank you very much for your help. I've solved the problem and it is already working. The configuration of the Zabbix agents was fine; it was a FW policy that had to be changed so that it could work.

                    Greetings and thank you
