Security

Getting an issue where Splunk hosts can't reach the License Master

yspade5
New Member

Getting this error from all my Splunk hosts after adding SSL settings in web.conf: LMTracker - failed to send rows reason='Unable to connect to license master"

0 Karma

sagaraverma
Loves-to-Learn Everything

We faced similar error.
Problem was with port access which somehow got inaccessible.

Make sure to test below at the very first -
From any source to License Manager

telnet

0 Karma

yspade5
New Member

I was able to resolve this issue. I changed the settings on the LM. The SSL certificate used was set incorrectly for the "SSLCARootPath" on server.conf because I had removed a custom app that was setting one common SSLCARootPath. When Splunk restarted, it had used the server.conf in system/local that was set to an old SSL cert.

0 Karma

woodcock
Esteemed Legend

Come back and click Accept on your answer to close out your question.

0 Karma

vnguyen46
Contributor

I don't see "accept" button on this thread and it wasn't my case which my OS admin set restriction on the license master. The connection went well after adding the indexer to the LM server. I don't how they did that.

Thanks,

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi there,

this was meant to be for @yspade5 who posted it was resolved 😉

cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi yspade5,

There are some troubleshooting option, I will just list a few of them.

On the license master:
- check if Splunk is running
- check the file $SPLUNK_HOME/var/log/splunk/splunkd.log for any SSL related errors
- verify in web.conf the option mgmtHostPort = <IP address:port> is NOT set to a port other than 8089

On one of the license slaves
- verify from that you can connect to the license master on port 8089 over https (using curl for example)

Also check if there were any changes in your network just before the error started to happen.

Hope this helps ...

cheers, MuS

0 Karma

vnguyen46
Contributor

Would you please share details on which .crt or key files that need to be shared among the Splunk instances to get connected to the license master?
I am adding new Indexers to the cluster master but not able to connect to the existing license master. All network connections are just fine, so I suspect the cert/key share.

Thanks,

0 Karma

yspade5
New Member

Thanks all for the tips.
I was able to resolve this issue, which as due to the incorrect SSL certificate used by server.conf for the SSLCARootPath, which was different from the other Splunk hosts: Indexers, SHs, HFs
Occurred because I had removed a custom app that had the correct server.conf for the SSL cert.

0 Karma

nickhills
Ultra Champion

Your question is not quite clear - on which host did you change the SSL settings - on the LM or the Indexers?

If my comment helps, please give it a thumbs up!
0 Karma

woodcock
Esteemed Legend

What exactly does adding SSL settings in web.conf mean exactly?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...