Hi,

I have 2 indexers

with the command I confirm that port 9997 is open.

In one of the two indexers all the incoming connections remain in the "SYN_RECV" state

In the other indexer some are in the "SYN_RECV" state and others are "ESTABLISHED"

The funny thing is that one ip range if connected and the other ip range does not

tcpdump is a relative test, because those in the "ESTABLISHED" state are not recognized by ping, telnet, or sniffer but deliver the logs to the indexer and the indexer to the search head and are displayed normally

The firewall area says that the policies are correct.

I am guaranteeing that port 9997 is in the listening state, is it a splunk configuration problem, or is it a transmission level network policy problem?

tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 172.27.29.71:9997 192.168.71.13:49603 SYN_RECV
tcp 0 0 172.27.29.71:9997 192.168.71.13:49601 SYN_RECV
tcp 0 0 172.27.29.71:9997 192.168.70.17:59856 ESTABLISHED
tcp 315 0 172.27.29.71:9997 192.168.70.16:56015 ESTABLISHED
tcp 0 0 172.27.29.71:9997 192.168.71.12:57122 SYN_RECV
tcp 0 0 172.27.29.71:9997 192.168.70.14:51241 ESTABLISHED
tcp 0 0 172.27.29.71:9997 192.168.71.13:49605 SYN_RECV
tcp 0 0 172.27.29.71:9997 192.168.71.12:57119 SYN_RECV
tcp 3877460 0 172.27.29.71:9997 172.29.4.39:34311 ESTABLISHED
tcp 0 0 172.27.29.71:9997 192.168.71.13:49598 SYN_RECV
tcp 3211190 0 172.27.29.71:9997 192.168.70.12:55205 ESTABLISHED