Deployment Architecture

When adding a search peer I get error "In handler 'distsearch-peer': Error while sending public key to search peer: No route to host"

rob_lamb
Explorer

I have two Linux VMs running on my Windows 7 box. I'm trying to configure one as a search peer and one as the search head. Inside their Linux environments, each box can ping the other on a VM internal network.

On the search head, I am trying to add a new search peer.
For the "Peer" field, I've typed in the search peer's IP address, with ":8089" appended.

For "Authentication" I've tried both an admin account on the search peer, as well as the Splunk admin account credentials for the search peer.

No matter what I try, I get the error in the question above. Any help would be appreciated.

Jeremiah
Motivator

It sounds like you have connectivity between hosts, but you might want to check that you can initiate a TCP connection between the two. No route to host implies that your search head doesn't know how to reach your search peer on the network. On the search head are you able to connect to the remote port of the indexer?

 telnet <indexer ip> 8089

or

 nc -v <indexer ip> 8089

If the connection fails, you have a problem with connectivity between the VMs and you might need to disable firewalling or make some adjustments to the network config for your VMs/Host.

If the connection works, then your problem is higher up the stack. Does each VM have a local hostname? When you add the peer by IP, it may be responding back with its hostname, and the search head may try and connect to that (or vice-versa). Try creating entries in the /etc/hosts file on each server so that the VMs are resolvable by name.

Also, it doesn't sound like the right error, but make sure you reset the default admin password on each Splunk instance. Otherwise remote connectivity to the API port (8089) using admin is disabled.
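The two checks from this answer as a script, added here as an example and not part of the original thread: it attempts the TCP connection to port 8089 and names the likely cause of each connect error, then looks up a peer name in /etc/hosts-style text. The function names, the sample hosts entries and the 192.0.2.x addresses are constructed for illustration.

```python
import errno
import socket
import sys

MGMT_PORT = 8089  # management/API port named in the thread

def tcp_check(host, port=MGMT_PORT, timeout=3.0):
    """Try one TCP connect; return 0 on success, otherwise the errno."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 0
    except socket.timeout:
        return errno.ETIMEDOUT
    except OSError as exc:
        return exc.errno

def explain(err):
    """Map a connect() result to its most likely cause."""
    if err == 0:
        return "open: TCP is fine, check name resolution and credentials next"
    if err == errno.EHOSTUNREACH:
        # "No route to host" while ping works usually means a firewall
        # answered the SYN with an ICMP unreachable/prohibited reject.
        return "no route to host: missing route or firewall REJECT on this port"
    if err == errno.ECONNREFUSED:
        return "refused: host reachable, nothing listening on this port"
    if err == errno.ETIMEDOUT:
        return "timed out: packets dropped (firewall DROP) or host down"
    return "other: %s" % errno.errorcode.get(err, err)

def hosts_lookup(hosts_text, name):
    """Return the IP that /etc/hosts-style text maps `name` to, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

# Constructed sample: names and addresses are placeholders, not from the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  searchhead.example  searchhead
192.0.2.11  indexer.example     indexer   # search peer
"""

if __name__ == "__main__":
    # Usage: python3 peer_check.py <peer ip> [peer hostname]
    peer = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(peer, MGMT_PORT, explain(tcp_check(peer)))
    if len(sys.argv) > 2:
        print("hosts entry:", hosts_lookup(open("/etc/hosts").read(), sys.argv[2]))
```

Run it on the search head against the peer, then on the peer against the search head, since the hostname issue described above can apply in either direction.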

rob_lamb
Explorer

I tried telnet and it failed. This made me realize that I hadn't opened port 8089. I did that, and I can now add the search peer. Thank you for the assistance.
