Related to:

CHECK_NRPE: Error, CHECK_NRPE STATE, CHECK_NRPE: Can not connect

Problem

OP5 Monitor is unable to connect to an NSClient++ agent running on a Windows OS.

Possible Cause(s)

NSCP Service is not running on Windows server being monitored

This may be indicated by the following error on the OP5 monitor:

# /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds.

Windows firewall is not open on port 5666

This may also be indicated by the following error on the OP5 monitor:

# /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds.

Incorrect Allowed Host configuration directive

This may be indicated by the following error on the OP5 monitor:

# /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE: Error - Could not connect to 192.168.10.157. Check system logs on 192.168.10.157

Incorrect SSL configuration

This may be indicated by the following error on the OP5 monitor:

# /opt/plugins/check_nrpe -H 192.168.10.157 -2 -p 5666
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.10.157: 1

Possible Solution(s)

NSCP Service is not running on Windows server being monitored.

In a PowerShell terminal on the Windows server, check nscp service status

PS C:\> Get-Service nscp

Status Name DisplayName
------ ---- -----------
Stopped nscp NSClient++ Monitoring Agent

If nscp is stopped, restart it.

PS C:\> Restart-Service nscp
PS C:\> Get-Service nscp

Status Name DisplayName
------ ---- -----------
Running nscp NSClient++ Monitoring Agent

Windows firewall is not open on port 5666

The NSClient installation process should have put a firewall rule in place to allow connections on port 5666.

In a PowerShell terminal, ensure that NSClient++ connections are enabled.

PS C:\> Enable-NetFirewallRule -DisplayName "NSClient++ Monitoring Agent"

Incorrect Allowed Host configuration directive

If the NSCP service is running, then the likely cause of the Could not connect to error is the Allowed Host configuration directive. This can be verified by checking the nsclient.log file for the 'Rejected connection from x.x.x.x' error. (where x.x.x.x is the address on the monitoring host)

Open nsclient.log in a text editor, or to check the log in real time (similar to tail -f on Linux) use the PowerShell command:

PS C:\Program Files\NSClient++> Get-Content nsclient.log -Wait

Example error message:

2023-05-10 16:58:05: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 172.16.1.149

Allowed host setting

Settings could be in either of:

• a local ini file,
• the Windows Registry
• a remote HTTP server.

In PowerShell window, check Allowed Hosts setting

PS C:\Program Files\NSClient++> ./nscp.exe settings --list --path /settings/default

/settings/default.allowed_hosts=127.0.0.1

If the OP5 monitor address is not in allowed hosts, add it via a PowerShell terminal

PS C:\Program Files\NSClient++> ./nscp.exe settings --path /settings/default --key "allowed hosts" --set "127.0.0.1,172.16.1.0/24"

If either of the below errors are encountered, in means that configuration is on a centralised HTTP server.

E   settings Cannot save settings over HTTP
    c:\source\master\include\settings/impl/settings_http.hpp:348
Cannot save settings over HTTP

Or

E   settings Failed to find cached settings 

Check where settings are stored

PS C:\Program Files\NSClient++> nscp.exe settings

Example output:

Current settings instance loaded:
INI settings: (ini://C:/Program Files//NSClient++/op5.ini, C:/Program Files//NSClient++/op5.ini)

Or:

Current settings instance loaded:
HTTP settings: (http://172.16.1.129/nsclient/op5.ini, 172.16.1.129/nsclient/op5.ini)
INI settings: (ini://C:\Program Files\NSClient++/cache\op5.ini, C:\Program Files\NSClient++/cache\op5.ini)

Alternatively, check the boot.ini files for a directive indicating where configuration settings are stored.

boot.ini below shows that the registry is where default settings are stored.

[settings]
1 = registry://HKEY_LOCAL_MACHINE/software/NSClient++

;1=http://172.16.1.129/nsclient/op5.ini
;2=ini://C:/Program Files//NSClient++/op5.ini

If settings are stored on an HTTP server, then the ini file on that server will need to be edited. (172.16.1.129/nsclient/op5.ini in the example above).

Incorrect SSL configuration

On the Linux side, a 'Could not complete SSL handshake' error will normally mean that there is an issue with the certificate on the Windows server.

Check the nsclient.log for a  'Rejected connection' error message similar to below:

2023-05-10 16:58:05: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 172.16.1.149

In PowerShell window, check your NSClient certificate setting

PS C:\Program Files\NSClient++> ./nscp.exe settings --list --path /settings/NRPE

/settings/NRPE/server.dh=C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

NSClient certificate issues are dealt with in the related article OP5 Monitor - How to solve the problem "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with <IP>".

Related Articles

• OP5 Monitor - How to solve the problem "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with <IP>"
• OP5 Monitor - Configure NSClient++ from the Windows command prompt
• OP5 Monitor - How to configure NSClient++ in the Windows Registry

If you need further help:

• Please contact our support team via the chat service box on any of our websites or raise a support request.
  
• Make sure you provide us with:
  • Background of the issue or request.
  • Use cases, requirements, business impact, etc.
  • Encountered error messages.
  • Log files or diagnostic file
  • Screenshots.
  • And other important information relevant to your inquiry.