search

centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.
https://www.centreon.com
Apache License 2.0
308 stars 270 forks source link

[network::paloalto::ssh::plugin] mode=ipsec - UNKNOWN: Cannot find xml response #2311

Open joschi99 opened 3 years ago

joschi99 commented 3 years ago

Plugins 20201008

 ./centreon_plugins.pl --plugin=network::paloalto::ssh::plugin --mode=ipsec --hostname=x.x.x.x --ssh-username=user --ssh-password='password' --ssh-backend=libssh
UNKNOWN: Cannot find xml response
garnier-quentin commented 3 years ago

Could you provide the response with --debug option ?

joschi99 commented 3 years ago 
./centreon_plugins.pl --plugin=network::paloalto::ssh::plugin --mode=ipsec --hostname=x.x.x.x --ssh-username=user--ssh-password=password --ssh-backend=libssh --debug
UNKNOWN: Cannot find xml response

Number of failed attempts since last successful login: 0

command response:

Number of failed attempts since last successful login: 0
garnier-quentin commented 3 years ago

Could you connect on your palo alto and execute following commands ?

set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
joschi99 commented 3 years ago 
ssh -l USERNAME x.x.x.x
Password:
Last login: Sun Nov  8 08:38:26 2020 from x.x.x.x

Number of failed attempts since last successful login: 0

> set cli op-command-xml-output on
> show vpn ike-sa

> show vpn ipsec-sa

<response status="success"><result>
  <ntun>0</ntun>
  <entries/>
</result></response>
> show vpn flow

<response status="success"><result>
  <total>2</total>
  <num_ipsec>0</num_ipsec>
  <IPSec/>
  <dp>dp0</dp>
  <num_sslvpn>2</num_sslvpn>
</result></response>
> exit
Connection to x.x.x.x closed.
garnier-quentin commented 3 years ago

It comes from command: show vpn ike-sa. Nothing is returned. That plugin check ipsec tunnels. And you have sslvpn tunnel only.

garnier-quentin commented 3 years ago

If you have the command to check sslvpn tunnel, maybe i could do something.

joschi99 commented 2 years ago

Hi @garnier-quentin, need to ask a Paloalto specialist for them. Could you fix the mode to ignore ike-sa if nothing returned?

garnier-quentin commented 2 years ago

If i ignore the empty command response, you'll have an output:

OK: | 'tunnels.ipsec.total.count'=0

Is it ok ?

joschi99 commented 2 years ago

I think this could be a good idea to solve the problem

garnier-quentin commented 2 years ago

What do you mean by 'solve the problem' ?

joschi99 commented 2 years ago

When show vpn ike-sa returns empty at the moment the plugin will give: UNKNOWN: Cannot find xml response

This should be the main problem, so we need a correct output. Did you agree?

fmattesct commented 8 months ago

Hi, Thanks for your interest in Centreon. Requests for new features and enhancements must be suggested here. Troubleshooting and questions must now be asked here (cf our new issue template.

Thank you for your understanding.

joschi99 commented 5 months ago

Hi @fmattesct, I don't think that this is a new feature or enhancement, but this change will resolve a problem. The check will not work correctly and returns "UNKNOWN: Cannot find xml response", so it should be a fix in my opinion and not a enhancement. This error will raise on every Paloalto depending on theis VPN configuration.

Did you agree with me, please let me know?

joschi99 commented 5 months ago

are there some news on this bug? Is open since more then 3 years. How we can help you?

fmattesct commented 3 months ago

Hi, ticket is created and priorized in our dev backlog.