Deployment Architecture

Splunk forwarder connection failure, even though the ports are opened.

nadlurinadluri
Communicator

HI Team, I have opened the ports to the heavyforwarder from the UF. The ports are opened from UF to HF, but not the other way around. Getting the below message, when receiving the data.
curl: (56) Failure when receiving data from the peer

./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
xx.x.xxx.xxx:8201

Messages in output of splunkd.log
Indexer uri xx.x.xxx.xxx:8201, client refCount=0, client=NULL
DEBUG TcpOutputProc - Found quarantined idx=xx.x.xxx.xxx:8201 . skipping over it.
DEBUG TcpOutputProc - Looking for indexer...
DEBUG TcpOutputProc - Cannot find any valid descriptors when looking for new indexer.
DEBUG TcpOutputProc - Connection not available. Waiting for connection ...
DEBUG TcpOutputProc - channel not registered yet

Can you please suggest , what might be the issue that I am not able to connect to the HF?

Also, should we have a two way connection b/w the UF and HF?

Tags (1)
0 Karma

diogofgm
SplunkTrust
SplunkTrust

validate that the connection is open. On the forwarder side do this

./splunk cmd openssl s_client -connect <ip>:<port> -showcerts

if the connection is good you should see connected and if you're using ssl you'll the HF cert details

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

nadlurinadluri
Communicator

The connection is successful got the below when ran the query you have provided on the connection part.
CONNECTED(00000003)
write:errno=104

0 Karma

diogofgm
SplunkTrust
SplunkTrust

8201 is your receiving port in the indexer?
can you post your inputs conf from the indexer?

/opt/splunk/bin/splunk btool inputs list --debug splunktcp | grep -v system/default

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

nadlurinadluri
Communicator

are you asking the inputs.conf from the indexer(which is HF in this case) or UF? why is that?

And yes the receiving port is 8201

[splunktcp://8201]
disabled=0

0 Karma

diogofgm
SplunkTrust
SplunkTrust

you should get something like this for a non ssl port:

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1566926525
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

nadlurinadluri
Communicator

yes, you are absolutely right, this is what I got as output.

0 Karma

solarboyz1
Builder

write:errno=104

On Linux, 104 is ECONNRESET for "Connection reset by peer" – in other words, the connection was forcibly closed with a TCP RST packet, either sent out by the server or spoofed by an intermediary.

0 Karma

p_gurav
Champion

try restarting UF once. The HF configured but not active.

0 Karma

nadlurinadluri
Communicator

I did restart it good number of times, but no luck.

0 Karma

p_gurav
Champion

Could you share the inputs.conf file on HF?

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...