NetXMS Support Forum

Hello,

Since upgrading to recent versions of NetXMS, I no longer receive "SYS_NODE_DOWN" events when a device goes offline. Instead, I always receive "SYS_NODE_UNREACHABLE" events—even when the affected node is simply powered off and there are no other network devices between the NetXMS server and the node.

Previously, "SYS_NODE_DOWN" would be triggered in these cases, but now it seems NetXMS always classifies the situation as "UNREACHABLE," regardless of the actual network topology or the absence of intermediate devices.

Has anyone experienced this behavior? Are there specific configuration parameters or changes in recent versions that could explain this shift? Any advice on how to restore the previous event behavior would be appreciated.

Thank you!

There is my agent config, ping/ssh subagents and enableProxy/enableSNMPProxy were already on:

LogFile={stdout} # or file name, might want to mount a volume for this
DebugLevel=0 # 0-9
MasterServers=0.0.0.0/0 #list of NetXMS servers with full access
#ControlServers=... # list of NetXMS servers with read+execute actions access
#Servers=... # list of NetXMS servers with read-only access
SubAgent = linux.nsm
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = mqtt.nsm
SubAgent = netsvc.nsm
SubAgent = portcheck.nsm
SubAgent = ssh.nsm
SubAgent = mqtt.nsm
#SubAgent = winperf.nsm
#SubAgent = wmi.nsm
#SubAgent = ups.nsm

EnableProxy = yes
EnableSNMPProxy = yes
EnableSNMPTrapProxy = yes
EnableSyslogProxy = yes
EnableTCPProxy = yes
You're right, I didn't need the 161 NAT rule, I've dropped it. 

But still, I've tried both things:
  - creating an icmp.ping metric to a node that container can actually ping => the metric status is in ERROR state
  - adding manually a node, put it in the zone, then defining my mikrotik container agent node as a proxy for ICMP and SNMP => in the status poll logs I can see "Starting ICMP ping via proxy", followed by "Node is still unreachable"

Ok thanks, but besides the possibility to monitor unreachable private subnets, is there some other benefit using zoning, like performance?
For example, if I monitor 100 nodes directly from the server in the default zone vs using zoning and a proxy node, will this offload the server (cpu,mem..), or will it be the same? 

Hi,

I'm trying to use the Mikrotik agent using containers using theses instructions: https://github.com/alkk/netxms-agent-mikrotik

I've managed to run the container by building the docker image manually (my mikrotik RB1100Hx4 were arm and not arm64), and I've setup DNAT for redirecting ports tcp 4700 and udp 161 from NetXMS server to the container.   Mikrotik IP address is 10.1.99.1/24 on management interface, 172.17.0.1/24 on container bridge, and container ip is 172.17.0.2/24. I want to use agent as remote proxy node for monitoring of 10.1.99.0/24 nodes behind the mikrotik router (container can ping these devices).

Agent is seen in NetXMS and snmp is working, but I cannot use it as a proxy agent. I've tried to create a new zone, placed the mikrotik agent node in it, and define it as the proxy node for this zone. Then I've added the 10.1.99.0/24 subnet in active discovery settings, select the new zone and define my mikrotik agent as proxy node, but the scan doesn't discover any devices.

Am I doing something wrong? 

Thanks for your quick reply, I will continue to test mikrotik agent container as proxy, as both proposed solution needs a physical onsite operation. I'll make a separate post for that.

For now I don't need to manage customers in private networks, but only network devices in 10.1.X.X subnets. So if I understand, in this case I don't need zoning and should leave all my devices in the same "default" zone, and only use folders(containers) to separate nodes?

Or could I use one zone per site (my current config), but without using a proxy node until I find a solution to enable proxy on each site? Because without proxy node enabled on zones, I can't even poll my 10.1.X.X devices (snmp unreachable errors), and there is lot of duplicates nodes coming up.

Hi,

I'm new to NetXMS and I'm try to monitor ~20-30 remote sites with network devices (router, switches, access points) mainly from Mikrotik and Unifi (with SNMP enabled).

Each site is connected to Internet and linked to an OpenVPN server for monitoring and remote config. On each site there's a management network with a unique 10.1.X.0/24 subnet, containing networking devices. Users (wired or wireless) are placed in a VLAN using the same private subnet (172.16.0.0/22) on each site. I've attached a schema. 

In NetXMS I've created a container (in infrastructure tab) and a zone for each remote site. Then I add each 10.1.X.0/24 subnet in the network discovery settings (passive + active). Discovery works only if I don't specify a zone for the subnet, but doing so all the devices show up in the same Default zone. So I wrote a nxshell script to move all my device in the right zone after discovery ended.

It works, but I see lots of duplicates devices showing up constantly in netxms (I've already setup the server parameter to merge duplicates and restarted netxms), and I can't do some polls like full configuration polls after a device have been placed in a zone.

In the documentation, it seems like the right way to use zoning is by defining a proxy node in each zone, but in my case I cannot use the mikrotik routers as proxy nodes, because I cannot install the netxms agent on it. I've tried using containers, but it requires a physical opertion on each site, so its not an option right now.

What is the correct configuration to have all of my remote sites in netxms with zoning (or other solution)?

Thanks

Thanks for your quick reply, I'll do that!

I finally find the working command: I had to add the "--ntlm" flag at the end of the command line.


curl -v --ssl-reqd  --url 'smtp://pro1.mail.ovh.net:587' --user '[email protected]:password' --mail-from '[email protected]' --mail-rcpt '[email protected]' --upload-file mail.txt --ntlm

What would be the netxms setup then?

Hi,

It doesn't work. I tried with two different accounts to be sure the password was not involved. I had sensu on the same machine and I can send email with the same smtp account and credentials. Here's the command output:

* Connected to pro1.mail.ovh.net (79.137.0.66) port 587 (#0)
< 220 pro1.mail.ovh.net Microsoft ESMTP MAIL Service ready at Wed, 11 Oct 2023 10:26:50 +0200
> EHLO mail.txt
< 250-pro1.mail.ovh.net Hello [176.191.46.127]
< 250-SIZE 104857600
< 250-PIPELINING
< 250-DSN
< 250-ENHANCEDSTATUSCODES
< 250-STARTTLS
< 250-AUTH GSSAPI NTLM
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 SMTP server ready
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3433 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [657 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [138 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* Server certificate:
*  subject: CN=pro1.mail.ovh.net
*  start date: Jun  7 00:00:00 2023 GMT
*  expire date: Jun  6 23:59:59 2024 GMT
*  subjectAltName: host "pro1.mail.ovh.net" matched cert's "pro1.mail.ovh.net"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> EHLO mail.txt
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250-pro1.mail.ovh.net Hello [176.191.46.127]
< 250-SIZE 104857600
< 250-PIPELINING
< 250-DSN
< 250-ENHANCEDSTATUSCODES
< 250-AUTH GSSAPI NTLM LOGIN
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> AUTH GSSAPI
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 334 GSSAPI supported
* gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000).
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Unknown (21):
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (94) An authentication function returned an error

I don't understand because I pass the --user '[email protected]:mypassword'. I even tried to remove the password from the command line, so curl prompt for it, but I have the same error message then...

Hi, 


I'm new to NetXMS, and I was trying to setup some notifications channels: it works well for Slack, but I struggle with SMTP which is always in error (ends up with status "Failure"  and error message "Driver error").

I've set the ncd.smtp debug level to 6, and I can see the following messages:
Sending mail with url="smtp://pro1.mail.ovh.net:587", to="[email protected]", subject="test", login="[email protected]"
2023.10.09 12:15:18.234 *D* [ncd.smtp           ] Call to curl_easy_perform("smtp://pro1.mail.ovh.net:587") failed (56: Failure when receiving data from the peer)

There is my SMTP notification channel configuration:

[email protected]
FromName=NetXMS
IsHTML=no
[email protected]
Password=my_smtp_password
Port=587
Server=pro1.mail.ovh.net
TLSMode=STARTTLS
My mail provider (OVH) needs a secure SMTP connection on port 587 with STARTTLS and authentication is required using my email/password.
There is the ';' caracter at the end of my password, so I thought the problem might be here, but even when I encode the password with the "nxencpassd" utility, SMTP notification are still in error.

How could I solve this issue?

Thanks