(2021) Can't cURL 9200 from some hosts in network

brett.b · January 6, 2021, 9:57pm

Hello everyone,
I have seen this question posted in other ways, but a lot of them were about Elasticsearch inside of a docker container. I hope this question is not truly a duplicate.

My situation is that I have a DMZ and a core DC. In the core DC, I can curl my client node and get the appropriate cluster overview. From my DMZ node, I have opened up port 9200 TCP traffic. The Logstash node in the DMZ ends up connecting but receiving the "connection reset by peer"

I have followed some other forums where others suggested updating the network.host and I have since set mine to network.host: _site_.

Does anyone have any debugging suggestions?

Thank you for your time!

warkolm · January 6, 2021, 9:59pm

Welcome to our community!
Please don't post pictures of text, they are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them

However looking at what I can see I would ask if there is a proxy or firewall in use at all?

brett.b · January 6, 2021, 10:11pm

Hey there,
I'm sorry - my VMWare console won't let me copy text out of it.

Yes, there is a firewall between the DMZ (logstash) and Core (elasticsearch). I was assuming that the connection was established with the elasticsearch client, but do you think that may not be the case?

warkolm · January 6, 2021, 10:13pm

Well a peer reset could be many things, but from my experience it's usually those that cause it.

Can you check your Elasticsearch logs, and try a curl from one of the Elasticsearch nodes to itself?

brett.b · January 6, 2021, 10:15pm

Okay, I am not too familiar with the peer resets.

From any of the nodes inside the Core network (master, client, data), they can all query any node in the cluster on port 9200 successfully. At first, they couldn't, so I updated my network.host info and now they can. That's what led me to believe there was maybe some other simple flag I was missing that may be thwarting this communication. I will gather the ES client logs now

warkolm · January 6, 2021, 10:15pm

Ok, then I would try disabling the firewall and seeing that works?

brett.b · January 6, 2021, 10:17pm

I will work with my team to see if that's possible. Thanks for this recommendation (and your lightning-fast responses). To your knowledge, there aren't any other minor flags I may be overlooking?

warkolm · January 18, 2021, 8:42pm

Not that I can think of.
If it works on the cluster level, but not from external, that'd suggest it's nothing to do with Elasticsearch.

brett.b · January 18, 2021, 8:42pm

Hello all -
For anyone reading this, my issue was unfortunately firewall, as suggested by warkolm. I'd opened up the correct port (9200) for communication from my DMZ -> core, but additionally the Palo Alto firewall needed to allow the "type" of traffic, which was considered to be "Web Application".

Thanks again, warkolm for bearing with me.