alanwds/zabbix_ipsec_pfsense

zabbix_get -s xxx.xxx.xxx.xxx -k ipsec.discover

Closed this issue · 6 comments

When I run:
zabbix_get -s xxx.xxx.xxx.xxx -k ipsec.discover

It returns:

Traceback (most recent call last):
File "/usr/local/bin/zabbix-ipsec.py", line 116, in
ret = getPayload()
File "/usr/local/bin/zabbix-ipsec.py", line 97, in getPayload
data = parseConf().items()
File "/usr/local/bin/zabbix-ipsec.py", line 75, in parseConf
rightsubnet_tmp = rightsubnet_tmp[0].lstrip() #remore spaces
IndexError: list index out of range

I discovered the issue when checking the discovery rules for the host; there is an error: "Value should be a JSON object."

Running the script directly on the server /usr/local/bin/python2.7 /usr/local/bin/zabbix-ipsec.py
produces the same error as well.

What can I do to fix?

@krolingo probably this happens because there is no phase 2 on some tunnel. It looks like the list rightsubnet_tmp is empty. Could you share your ipsec.conf (please hide sensitive data)?

config setup
	uniqueids = yes

conn bypasslan
	leftsubnet = xxx.xxx.xxx.xxx/24
	rightsubnet = xxx.xxx.xxx.xxx/24
	authby = never
	type = passthrough
	auto = route

conn con-mobile
	fragmentation = yes
	keyexchange = ikev1
	reauth = yes
	forceencaps = yes
	mobike = no

	rekey = yes
	installpolicy = yes
	type = transport
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = %any
	right = %any
	leftid = xxx.xxx.xxx.xxx
	ikelifetime = 28800s
	lifetime = 3600s
	ike = 3des-sha1-modp1024!
	esp = 3des-sha1!
	leftauth = psk
	rightauth = psk
	aggressive = no

conn con2000
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = no

	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = restart
	dpddelay = 10s
	dpdtimeout = 60s
	auto = route
	left = xxx.xxx.xxx.xxx
	right = xxx.xxx.xxx.xxx
	leftid = fqdn:pfsense.somehost.com
	ikelifetime = 28800s
	lifetime = 28800s
	ike = 3des-sha256-modp1536!
	esp = 3des-sha256-modp1536!
	leftauth = psk
	rightauth = psk
	rightid = xxx.xxx.xxx.xxx
	rightsubnet = 10.0.40.0/24
	leftsubnet = xxx.xxx.xxx.xxx/24

conn con3000
	fragmentation = yes
	keyexchange = ikev1
	reauth = yes
	forceencaps = no
	mobike = no

	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = restart
	dpddelay = 10s
	dpdtimeout = 60s
	auto = route
	left = xxx.xxx.xxx.xxx
	right = domainname.com
	leftid = xxx.xxx.xxx.xxx
	ikelifetime = 28800s
	lifetime = 28800s
	ike = 3des-sha1-modp1024!
	esp = 3des-sha1-modp1024!
	leftauth = psk
	rightauth = psk
	rightid = xxx.xxx.xxx.xxx
	aggressive = no
	rightsubnet = xxx.xxx.xxx.xxx/24
	leftsubnet = xxx.xxx.xxx.xxx/24

conn con4000
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = no

	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = restart
	dpddelay = 10s
	dpdtimeout = 60s
	auto = route
	left = xxx.xxx.xxx.xxx
	right = xxx.xxx.xxx.xxx
	leftid = fqdn:pfsense.somehost.com
	ikelifetime = 28800s
	lifetime = 28800s
	ike = 3des-sha256-modp1024!
	esp = 3des-sha256-modp1024!
	leftauth = psk
	rightauth = psk
	rightid = xxx.xxx.xxx.xxx
	rightsubnet = xxx.xxx.xxx.xxx/24
	leftsubnet = xxx.xxx.xxx.xxx/24

@krolingo The problem occurs because we can have connections without phase 2, just like your con-mobile:

conn con-mobile
fragmentation = yes
keyexchange = ikev1
reauth = yes
forceencaps = yes
mobike = no

I just added a validation on rightsubnet_tmp to avoid the script breaking when this situation happens.

Can you update your zabbix-ipsec.py and check again please?

PS: I just formatted your post with the ipsec.conf. Please, in your next comments, do that yourself. I spent a lot of time searching for an error that was generated by END characters in the wrong places.
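The failure described in this thread is a parser that indexes `rightsubnet_tmp[0]` on a conn block that has no `rightsubnet` line at all, so the traceback goes to stderr, stdout stays empty, and Zabbix reports "Value should be a JSON object". The following is an added example, not the project's zabbix-ipsec.py, showing the shape of that validation in a small ipsec.conf parser: conns without a rightsubnet (no phase 2, like con-mobile above) are skipped rather than indexed, and the script always emits a JSON object even when parsing fails. The sample ipsec.conf is constructed from the one posted above with documentation addresses, and the LLD macro names ({#TUNNEL}, {#RIGHTSUBNET}, {#LEFTSUBNET}, {#TYPE}) are assumptions for this example, not the project's actual macros.

```python
import json
import re

# Constructed sample modelled on the ipsec.conf posted in this thread (addresses
# replaced with documentation ranges). con-mobile has no rightsubnet, which is
# the case that raised IndexError in the original script.
SAMPLE_IPSEC_CONF = """\
config setup
\tuniqueids = yes

conn bypasslan
\tleftsubnet = 192.0.2.0/24
\trightsubnet = 198.51.100.0/24
\tauthby = never
\ttype = passthrough
\tauto = route

conn con-mobile
\tkeyexchange = ikev1
\ttype = transport
\tleft = %any
\tright = %any

conn con2000
\tkeyexchange = ikev2
\ttype = tunnel
\tleft = 192.0.2.1
\tright = 203.0.113.1
\trightsubnet = 10.0.40.0/24
\tleftsubnet = 192.0.2.0/24
"""


def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' block.

    Each option line is split on the first '=' only. The 'config setup'
    section and anything outside a conn block are ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None  # leave the conn context
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def build_discovery(conns):
    """Build Zabbix low-level-discovery data, skipping conns with no rightsubnet.

    Returns (payload, skipped_names). Macro names are assumptions for this
    example, not the project's real macro names.
    """
    data = []
    skipped = []
    for name, opts in sorted(conns.items()):
        rightsubnet = opts.get("rightsubnet", "").strip()
        if not rightsubnet:  # no phase 2: validate instead of indexing an empty list
            skipped.append(name)
            continue
        data.append({
            "{#TUNNEL}": name,
            "{#TYPE}": opts.get("type", ""),
            "{#RIGHTSUBNET}": rightsubnet,
            "{#LEFTSUBNET}": opts.get("leftsubnet", ""),
        })
    return {"data": data}, skipped


def discovery_json(text):
    """Always return a JSON object string so the Zabbix item never gets an empty value."""
    try:
        payload, _ = build_discovery(parse_conf(text))
    except Exception as exc:  # report the error inside the JSON instead of a traceback on stderr
        payload = {"data": [], "error": str(exc)}
    return json.dumps(payload)


if __name__ == "__main__":
    print(discovery_json(SAMPLE_IPSEC_CONF))
```

Running the block prints a discovery object with two tunnels (bypasslan and con2000) and leaves con-mobile out; `build_discovery` also returns the skipped names so a check item could alert when a tunnel is silently excluded.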

It works now. Thank you!

@krolingo I'm really happy with that. Enjoy :)