Security

port connectivity issue "Connection refused"

seema2502
Explorer

Hi Team,

We are facing port connectivity issue since 5th Sep 2014 between indexer and forwarder :-

$ telnet forwarder IP port
Trying forwarder IP...
telnet: connect to address forwarder IP: Connection refused
telnet: Unable to connect to remote host: Connection refused

It is throwing same error while checking connection from forwarder to indexer :-

$ telnet indexer port
Trying indexer IP...
telnet: connect to address indexer IP: Connection refused
telnet: Unable to connect to remote host: Connection refused

Please suggest.

Thanks

Tags (1)
0 Karma

seema2502
Explorer

Hi Ayn,

Please refer below link for what changed on September 5th.
http://answers.splunk.com/answers/169028/licensing-window-alerts-on-my-indexer-caused-splun.html

0 Karma

grijhwani
Motivator

Not wishing to seem dismissive, but that does not sound like a fault within the Splunk realm. It is a network infrastructure problem of some sort, but beyond that any assistance that might be suggested is of a network and systems administration nature, and requires a lot more knowledge of your infrastructure as a whole.

Your example commands and responses indicate a Unix type platform, and if that is a common Linux distribution, then the command

sudo netstat -pant | grep -i listen

on the indexer and on the forwarder should at least give you some indication of the port statuses on each. Really, though, the topic of network fault disagnosis is well outside this forum. Provided Splunk is running all other questions really fall to matters of administration like changes of IP addresses, on-server firewalling - iptables - and network firewalls or faults. You would be better served treating it, in the first instance, as a generic service connection fault and taking your question to a more appropriate board.

seema2502
Explorer

Hi grijhwani,
We also thought that this issue is related to network but we contacted network team they have responded like :-
"Connection refused" means that destination server is not listening on particular port. This is not a NW/FW issue. Application that would normaly respond on those ports is not running or malfunctioning."

when we tried the mentioned command sudo netstat -pant | grep -i listen we received "xyz is not in the sudoers file. This incident will be reported."

Please suggest.

0 Karma

grijhwani
Motivator

I was assuming that you as you were attempting to administer Splunk that you were also an administrator of the system running Splunk. If you are not then you need to hand the problem to whoever is, since they should have the experience and the authority needed on the servers to investigate it.

As for the network group's reply, I find that tends to be the stock answer from any network admin until you are waving empirical evidence under his nose.

0 Karma

dchima
Path Finder

hi grijhwani yes i am the adminstrator for our splunk sandbox and do have command line access as well.

The System Admin who manages the linux VM that will push into my Splunk instance said he was seeing firewall issues.

On my splunk instance, do i need to start any listeners or anything like that on ports 8088 and 9997?

0 Karma

Ayn
Legend

Well uh...firewall problems? It's really impossible to say anything more without more details. What happened on September 5th that caused this issue to start occurring?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...