centreon-plugins icon indicating copy to clipboard operation
centreon-plugins copied to clipboard
verified publisher icon centreon

[network::paloalto::ssh::plugin] mode=ipsec - UNKNOWN: Cannot find xml response

Open joschi99 opened this issue 5 years ago • 19 comments

Plugins 20201008

 ./centreon_plugins.pl --plugin=network::paloalto::ssh::plugin --mode=ipsec --hostname=x.x.x.x --ssh-username=user --ssh-password='password' --ssh-backend=libssh
UNKNOWN: Cannot find xml response

joschi99 avatar Oct 30 '20 14:10 joschi99

Could you provide the response with --debug option ?

garnier-quentin avatar Oct 30 '20 14:10 garnier-quentin 

./centreon_plugins.pl --plugin=network::paloalto::ssh::plugin --mode=ipsec --hostname=x.x.x.x --ssh-username=user--ssh-password=password --ssh-backend=libssh --debug
UNKNOWN: Cannot find xml response




Number of failed attempts since last successful login: 0



command response:



Number of failed attempts since last successful login: 0

joschi99 avatar Oct 31 '20 19:10 joschi99

Could you connect on your palo alto and execute following commands ?

set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow

garnier-quentin avatar Nov 06 '20 11:11 garnier-quentin 

ssh -l USERNAME x.x.x.x
Password:
Last login: Sun Nov  8 08:38:26 2020 from x.x.x.x



Number of failed attempts since last successful login: 0


> set cli op-command-xml-output on
> show vpn ike-sa

> show vpn ipsec-sa

<response status="success"><result>
  <ntun>0</ntun>
  <entries/>
</result></response>
> show vpn flow

<response status="success"><result>
  <total>2</total>
  <num_ipsec>0</num_ipsec>
  <IPSec/>
  <dp>dp0</dp>
  <num_sslvpn>2</num_sslvpn>
</result></response>
> exit
Connection to x.x.x.x closed.

joschi99 avatar Nov 08 '20 19:11 joschi99

It comes from command: show vpn ike-sa. Nothing is returned. That plugin check ipsec tunnels. And you have sslvpn tunnel only.

garnier-quentin avatar Dec 07 '20 13:12 garnier-quentin

If you have the command to check sslvpn tunnel, maybe i could do something.

garnier-quentin avatar Dec 30 '20 14:12 garnier-quentin

Hi @garnier-quentin, need to ask a Paloalto specialist for them. Could you fix the mode to ignore ike-sa if nothing returned?

joschi99 avatar Nov 13 '21 19:11 joschi99

If i ignore the empty command response, you'll have an output:

OK: | 'tunnels.ipsec.total.count'=0

Is it ok ?

garnier-quentin avatar Nov 16 '21 15:11 garnier-quentin

I think this could be a good idea to solve the problem

joschi99 avatar Nov 16 '21 17:11 joschi99

What do you mean by 'solve the problem' ?

garnier-quentin avatar Dec 08 '21 14:12 garnier-quentin

When show vpn ike-sa returns empty at the moment the plugin will give: UNKNOWN: Cannot find xml response

This should be the main problem, so we need a correct output. Did you agree?

joschi99 avatar Dec 08 '21 16:12 joschi99

Hi, Thanks for your interest in Centreon. Requests for new features and enhancements must be suggested here. Troubleshooting and questions must now be asked here (cf our new issue template.

Thank you for your understanding.

fmattesct avatar Oct 31 '23 15:10 fmattesct

Hi @fmattesct, I don't think that this is a new feature or enhancement, but this change will resolve a problem. The check will not work correctly and returns "UNKNOWN: Cannot find xml response", so it should be a fix in my opinion and not a enhancement. This error will raise on every Paloalto depending on theis VPN configuration.

Did you agree with me, please let me know?

joschi99 avatar Jan 26 '24 05:01 joschi99

are there some news on this bug? Is open since more then 3 years. How we can help you?

joschi99 avatar Feb 05 '24 10:02 joschi99

Hi, ticket is created and priorized in our dev backlog.

fmattesct avatar Mar 14 '24 08:03 fmattesct