What does "nrconns" really tell me?

bmunroe
Level 1

Most of the explanations found on CCO state something along the lines of

...use the nrconns command to ensure that communications are up and running between the Director and all Sensors.

The two basic outputs for this command (minus Host ID, IP etc.) are as follows:

45000 1 [Established] sto:0004 with Version 1

45000 1 [SynSent] sto:5000 syn NOT rcvd!

Background:

I am unable to add the Sensor to the Director using nrConfigure. The process always times out near the end of the wizard. I am attempting to do this from a remote site over a VPN tunnel (PIX to PIX). I can ping the Sensor from the Director (& vice-versa), I can telnet from the Director to the Sensor, and I can FTP from the Director to the Sensor. Any thoughts on what the specific issue might be are encouraged. In the meantime I am looking at the things that do not seem right. In this case, when I issue the nrconns command I get "syn NOT rcvd!".

The Questions: What exactly is "syn NOT rcvd!" indicative of?

Does "syn Not rcvd!" indicate only that the Sensor has not been added to the Director?

Does it indicate that the postoffice protocol (45000) is not routing successfully between the Sensor and Director?

Does it tell me anything else?

Thanks in advance.

1 Reply

marcabal
Cisco Employee

"syn NOT rcvd" tells you that the machine on which nrconns was run has sent a SYN packet to initiate the connection, but has not received a corresponding SYN packet from the machine it is trying to communicate with.

As root on the sensor execute:

snoop -d iprb0 udp

example:

snoop -d iprb0 10.1.1.1 20.2.2.2 udp

NOTE: If using the 4210 sensor replace iprb0 with iprb1

You should see UDP packets from port 45000 on the sensor going to port 45000 on the director.

Now use the Add Host on nrConfigure to add the sensor.

You should now start seeing UDP packets from port 45000 on the director going to port 45000 on the sensor.

If you do not see the packets coming from the sensor then the services on the sensor are not started, or the ip addresses are incorrect in your command or configuration.

If you do not see the packets coming from the director then the services on the director are not started, or the ip addresses are incorrect in your command or configuration, or the PIX Firewalls have not been properly configured to allow UDP port 45000 traffic through the VPN Tunnel.

If you see the UDP packets from the director, but they are fragmented, then your VPN tunnel is fragmenting the UDP packets and this could cause problems with the postoffice communication.

NOTE: If using NAT then be sure that the proper addresses are being used when running sysconfig-sensor and the Add Host wizard in nrConfigure.
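The reply above is a decision procedure over a packet capture: which direction UDP 45000 traffic is seen in, and whether the director's packets arrive fragmented. The following Python script, added here as an illustration and not code from the thread or from Cisco, applies those same checks to capture text. The capture lines are constructed and only loosely shaped like snoop's one-line summary output; the addresses 10.1.1.1 (assumed to be the sensor) and 20.2.2.2 (assumed to be the director) are taken from the reply's example command, and which one is which is an assumption of this example.

```python
import re

# Constructed sample capture text, loosely shaped like snoop's one-line
# summary output. It is NOT a capture from the original thread: lines 1-2
# are sensor -> director, line 3 is director -> sensor, and line 4 is a
# constructed IP fragment continuation of that director packet.
SAMPLE_CAPTURE = """\
  1   0.00000 10.1.1.1 -> 20.2.2.2 UDP D=45000 S=45000 LEN=52
  2   0.50012 10.1.1.1 -> 20.2.2.2 UDP D=45000 S=45000 LEN=52
  3   1.00034 20.2.2.2 -> 10.1.1.1 UDP D=45000 S=45000 LEN=1480
  4   1.00036 20.2.2.2 -> 10.1.1.1 IP fragment ID=1234 Offset=1480 MF=0
"""

# "<src> -> <dst> UDP D=<dport> S=<sport> ..." summary line
UDP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)\s+UDP D=(\d+) S=(\d+)")
# "<src> -> <dst> IP fragment ..." continuation line (no ports on it)
FRAG_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)\s+IP fragment")


def parse_capture(text):
    """Yield (src, dst, kind, dport, sport); kind is 'udp' or 'fragment'."""
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            yield m.group(1), m.group(2), "udp", int(m.group(3)), int(m.group(4))
            continue
        m = FRAG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), "fragment", None, None


def assess_postoffice(text, sensor_ip, director_ip, port=45000):
    """Apply the reply's decision steps to a capture and return the findings.

    sensor_ip / director_ip are the addresses the operator expects to see;
    using the wrong ones here is exactly the 'ip addresses are incorrect in
    your command or configuration' case the reply warns about.
    """
    sensor_to_director = False
    director_to_sensor = False
    director_fragmented = False
    for src, dst, kind, dport, sport in parse_capture(text):
        if kind == "udp" and dport == port and sport == port:
            if src == sensor_ip and dst == director_ip:
                sensor_to_director = True
            elif src == director_ip and dst == sensor_ip:
                director_to_sensor = True
        elif kind == "fragment" and src == director_ip and dst == sensor_ip:
            director_fragmented = True

    findings = []
    if not sensor_to_director:
        findings.append("no UDP %d from sensor: sensor services not started, "
                        "or wrong IP in command/configuration" % port)
    if not director_to_sensor:
        findings.append("no UDP %d from director: director services not started, "
                        "wrong IP, or PIX not passing UDP %d through the VPN tunnel"
                        % (port, port))
    if director_fragmented:
        findings.append("director packets are fragmented: VPN tunnel "
                        "fragmentation may break postoffice communication")
    return {
        "sensor_to_director": sensor_to_director,
        "director_to_sensor": director_to_sensor,
        "director_fragmented": director_fragmented,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_postoffice(SAMPLE_CAPTURE, "10.1.1.1", "20.2.2.2")
    for key, value in result.items():
        print(key, "=", value)
```

Run it against the text saved from the snoop session (for example `snoop -d iprb0 10.1.1.1 20.2.2.2 udp > capture.txt`, then read that file into `assess_postoffice`). The regexes are deliberately loose, so adjust them if your snoop build prints the summary in a different layout; the three findings are the same three branches the reply walks through.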
