nagios server networking glitch..?

Patrick Friedel pfriedel at copweb.com
Fri May 27 22:36:21 CEST 2005


Andreas Ericsson wrote:

> Patrick Friedel wrote:
>
>>
>>  Standard Sarge Debian distro, not running any funny routing 
>> daemons.  netstat is, IIRC, completely ignorant of the new route. The 
>> default route sticks at .253, like it should, and no other entries in 
>> the netstat routing table.  None of the other hosts are affected, so 
>> it's not a global issue, it's usually highly specific to a single IP 
>> address. (the problem host, however, seems to rotate, it's not a 
>> single IP problem _that_ way.) 98% of my traffic goes through the 
>> intranet, only a small percentage goes out the internet link.  I 
>> _suspect_ it's something weird on the nagios monitor box, as my usual 
>> first reaction is to ping the dead host from my workstation, where it 
>> works fine, then have pings fail from the nagios box.  The only thing 
>> I can think of is that the monitor box gets an ICMP REDIRECTED packet 
>> from the intranet router for one of the internet monitored hosts and 
>> it sticks somehow.
>>
>
> This would, if it's what actually happens, be a kernel-bug, as 
> redirects are per target IP's.
>
  Yeah, I have very low faith in that, I'm kind of tapped for ideas on 
this one.  If I can't figure it out I'll just define a global event 
handler to ping it from another box (no, seriously, can _you_ see if 
it's down? kthx) to weed out the nuisance pages.

> If the nagios box is reachable from the internet somehow (apparently 
> it is, since you're checking things there and the possibility for 
> black IP-magic is nigh endless), some malicious person could also be 
> redirecting your traffic on purpose.
>
  Nah, the internet gateway is providing NAT for the nagios box, unless 
I'm missing the thrust of your intent here.  I'm trying to think of 
Cisco tricks that could pull this off on the intranet gateway (psst: 
tell 199.242.227.113 that the route to 204.75.219.254 is through the 
linksys router over there! *gigglesnort* ), but that's reaching pretty 
far.  The only stuff I'm checking "outside" is the far side of our 
internet uplink and the external interfaces on a few of our machines.

>>  Ideas?
>>
>
> Add firewall rules that prevent sending packets through the internet 
> unless they're destined for the hosts on your DMZ, and add an iptables 
> rule to log all inbound ICMP-packets from the default gateway.
> iptables -I INPUT -p icmp -s gatewayIP -j LOG
> should do the trick. Then you can start debugging it properly.
>
> It might also help to run mtr (http://www.bitwizard.nl/mtr/) while 
> this is happening. mtr is available from just about any 
> apt-repository. It sends a lot of ICMP echo-requests with low TTL's 
> which is fairly useful when debugging misbehaving routers.
>
  Ooh, yeah, good ideas, I'd forgotten about mtr, and iptables should 
help me figure out what's happening, as I don't see any other logging 
happening, like an ARP storm or anything fun like that.

  Thanks for the help!
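
Added example, not part of the original thread: once the suggested `iptables ... -j LOG` rule is in place, this filter picks ICMP redirects (type 5) out of the kernel log and shows which router sent them, the next hop it advertised, and the destination affected. The addresses and log lines are constructed samples, the function names are made up for this example, and the field layout is assumed to be the usual iptables LOG format.

```shell
#!/bin/sh
# Summarise ICMP redirects seen by an iptables LOG rule such as
#   iptables -I INPUT -p icmp -s gatewayIP -j LOG
# Assumed LOG layout: the outer SRC= is the router that sent the message,
# TYPE=5 marks a redirect, GW= is the next hop it advertises, and the
# bracketed part is the header of the packet that triggered it.

# Constructed sample lines (documentation addresses, not real captures).
sample_log() {
cat <<'EOF'
May 27 22:10:01 monitor kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:fd:08:00 SRC=192.0.2.253 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=100 PROTO=ICMP TYPE=0 CODE=0 ID=4660 SEQ=1
May 27 22:10:05 monitor kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:fd:08:00 SRC=192.0.2.253 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=101 PROTO=ICMP TYPE=5 CODE=1 GW=192.0.2.1 [SRC=192.0.2.10 DST=203.0.113.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4661 SEQ=1 ]
May 27 22:10:06 monitor kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:fd:08:00 SRC=192.0.2.253 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=102 PROTO=ICMP TYPE=5 CODE=1 GW=192.0.2.1 [SRC=192.0.2.10 DST=203.0.113.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4661 SEQ=2 ]
May 27 22:10:09 monitor kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:fd:08:00 SRC=192.0.2.253 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=103 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.10 DST=203.0.113.254 LEN=84 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4662 SEQ=1 ]
EOF
}

# Reads log lines on stdin; prints "router advertised_gw destination count".
find_redirects() {
    awk '
    {
        b = index($0, "[")                      # start of the embedded packet
        if (b == 0) { outer = $0; inner = "" }
        else { outer = substr($0, 1, b - 1); inner = substr($0, b + 1) }
        if (outer !~ / PROTO=ICMP TYPE=5 /) next   # keep redirects only
        router = ""; gw = ""; target = ""
        n = split(outer, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^SRC=/) router = substr(f[i], 5)
            if (f[i] ~ /^GW=/)  gw = substr(f[i], 4)
        }
        m = split(inner, g, " ")
        for (i = 1; i <= m; i++)
            if (g[i] ~ /^DST=/) target = substr(g[i], 5)
        count[router " " gw " " target]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Stand-alone run on the sample; on a live box use: dmesg | find_redirects
sample_log | find_redirects
```

A destination that shows up here and then stops answering from the monitor box only is the per-target redirect behaviour discussed above; `ip route get <destination>` on that box shows the next hop the kernel is currently using for it.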


