Still no feed update

POWeber · July 10, 2021, 12:45pm

unfortunately the thread was closed without an answer to my question, so i start again.
In may case there’s:
rsync: [Receiver] failed to connect to FEEDSERVER (45.135.106.142): Connection refused (111)
rsync: [Receiver] failed to connect to FEEDSERVER(2a0e:6b40:20:106:20c:29ff:fe67:cbb5): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(137) [Receiver=3.2.3]

So - connection refused is the servers answer to the request.

May please someone explain the problem with ipv4 and nat?

Lukas · July 10, 2021, 1:24pm

I can access without any issues, must be your firewall.

 # rsync rsync://45.135.106.142
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

data-objects    Greenbone community data objects, see https://community.greenbone.net/
nvt-feed        Greenbone community NVT feed, see https://community.greenbone.net/
scap-data       Greenbone community SCAP data feed, see https://community.greenbone.net/
cert-data       Greenbone community CERT data feed, see https://community.greenbone.net/

POWeber · July 10, 2021, 4:10pm

sorry, but this does not make sense to me.
Look at this test:

[root@server ~]# rsync -a -P rsync://hgdownload.cse.ucsc.edu/goldenPath/hg38/database/cytoBand.txt.gz ./
receiving incremental file list
cytoBand.txt.gz
11,162 100% 10.64MB/s 0:00:00 (xfr#1, to-chk=0/1)
[root@server ~]# rsync rsync://45.135.106.142
rsync: failed to connect to 45.135.106.142 (45.135.106.142): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]

As you can see, i can access a foreign site without problem and do get the file list.

So - doing this on the same computer means that no firewall problem can be, as it would block the first connection also.

And please be aware of many people with the same problem. can this be a coincidence??

POWeber · July 11, 2021, 7:46am

did some more testing.
today i got this as result:

─$ sudo gvm-feed-update
[sudo] password for xxxxxxxxx:
[>] Updating OpenVAS feeds
[] Updating: NVT
[>] Uploading plugins in Redis
[] Updating: GVMD Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes received 115 bytes 105.33 bytes/sec
total size is 13 speedup is 0.08
[*] Updating: Scap Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes received 114 bytes 104.67 bytes/sec
total size is 13 speedup is 0.08
[*] Updating: Cert Data
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]

So this should make clear that there’s no problem with the network or a firewall.

As far as i can see. this seems to be a problem on the remote site…

Lukas · July 11, 2021, 9:49am

It seems your system is not direct connected to the internet, the intermediate device (NAT) is still allocating the session. Please connect your installation direct without NAT/Firewall to the internet or wait unless the session is expired in your network device.

POWeber · July 12, 2021, 3:32am

Thx for responding lukas but i still do not understand the problem.

Why did it work before in older versions and why is NAT a problem?

I have tried to do the update very often yet and it does not work.

A direct connection to the internet is impossible as i need a router (with NAT). Does this mean that only people with a direct connection or IPV6 will be able to use the feed update in future?

This is really frustrating …

Is there any alternate way to get the ffed update, maybe be downloading a zip file?

POWeber · July 12, 2021, 4:39am

i did one more test.
Re-Started all network devices (router / firewall) to make sure, there’s no session.
Started sync.
I can see in my firewall that there’s exactly one session open.
There’s no second one opened and the session is closed soon after the reset.

Also i traced all traffic with 45.135.106.142
It took a long time and even the first action (NVT Update) did not have any more traffic than the session reset. So even if your hint is correct, shouldn’t the first sync work and transfer data?

] Updating OpenVAS feeds
[] Updating: NVT
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[>] Uploading plugins in Redis
[] Updating: GVMD Data
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[*] Updating: Scap Data
…

I still think that the issue is with some limmiting functions on the remote site.

Please be aware that many users may not have a direct internet connection!

I found one post where soemething “we are blocking some ip’s” was written?
Can it be that you are blocking ip’s from some providers?

This is really not a good situation and maybe i should advice my customers to switch to a different product…

POWeber · July 12, 2021, 4:43am

Lukas · July 12, 2021, 9:12am

No one assigned IP one session, if your provider is sharing legacy space (CGN) request a IPv6 address. There is no shortage or change your provider to get internet. As long one three-way session is established you can´t open a 2nd one. We are not blocking anything on a time base. If this session times out or is closed you can immediately open a 2nd one.

POWeber · July 12, 2021, 9:43am

so i configured my network to be able to use ipv6 - hopefully

can you give me the ipV6 adress of the rsync server so i can try?

as far as i can see, the system is still using ipv4 and i can not disable v4 as i need to check devices that are not v6 enabled.

the system did the NVT update but the error “reset by peer” came back with GVMD and the others …

geoff · July 13, 2021, 9:54pm

Hi,

For as long as I have been using Greenbone Community Edition I have had to insert a “sleep 5” between the two calls to rsync. Without that, the Greenbone server thinks I am trying to make two simultaneous connections, which is not supported by the Community Edition.

I don’t have the code in front of me but if you grep around for “rsync”, you should find the shell script that needs tweaking. There will be two calls to rsync. Just slip a 5 second sleep between them.

Best,

Geoff

POWeber · July 14, 2021, 9:36am

to all that might be interested:

it was a lot of learning, trial and error but i was able to enable my infrastructure for IPv6.
Today i checked form kali by at first pinging ipv6.google.com - with success.
So i started the feed update and the system started to sync a lot of files.

Guess it will take some time until i have a result, as in the past a partial sync was possible with IPv4 also. I will give feedback as soon as i have…

POWeber · July 14, 2021, 9:57am

well, even with IPv6 enabled, the sync is failing.

Do i need to invoke something like ipv6-rsync or how does the system select IPv6 for communication if available???

===================================

pre2008/zyxel_pwd.nasl
3,084 100% 4.24kB/s 0:00:00 (xfr#74903, to-chk=115/76079)

sent 4,559,038 bytes received 11,916,677 bytes 149,101.49 bytes/sec
total size is 355,544,105 speedup is 21.58
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[>] Uploading plugins in Redis
[] Updating: GVMD Data
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[] Updating: Scap Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes received 115 bytes 35.11 bytes/sec
total size is 13 speedup is 0.08
[*] Updating: Cert Data

POWeber · July 14, 2021, 10:04am

here’s one more test result:

└─$ rsync rsync://[2a0e:6b40:20:106:20c:29ff:fe67:cbb5] 255 ⨯
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]

So even using IPv6 brings up this error …

POWeber · July 14, 2021, 10:43am

as far as i can see, there’s no open session on my firewall (neither 4 nor 6).
But still the simple rsync to ipv6 does not work.

Well if there’s a function on remote system to block a second connection to the feed server - how long is this saved? After what time the system is releasing the lock? Can it be that the lock i not released?

Lukas · July 14, 2021, 7:11pm

This is all documented here:

Closing this topic here.

POWeber · July 16, 2021, 9:12am

well - closing the topic is not really “friendly” but i need to accept this …

POWeber · July 16, 2021, 9:15am

If there’s still others with this problem. I tried only one feed after waiting 24 h with not open session - same result

└─$ sudo runuser -u _gvm – greenbone-feed-sync --type GVMD_DATA 1 ⨯
[sudo] password for xxxxxxx:
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]

Elmar · July 16, 2021, 12:33pm

I guess it was not meant to be unfriendly, just pointing to the solution in the other topic:
Did Back-to-Back Syncs Failing help you?

POWeber · July 16, 2021, 2:47pm

No - unfortunatly it does still not work.

So i put my kali linux vm directly into the network of my router.
there’s no way to get closer to the “internet” as doing it this way.

The router is assigning an ipv4 and an ipv6 adress.

I removed greenbone and openvas, rebooted, reinstalled and run gvm-setup.

Well of course some parts of the database are prepared but here’s what’s happening:

–> SNIP <–
Creating openvas-scanner’s certificate files

[>] Creating database
createuser: error: creation of new role failed: ERROR: role “_gvm” already exists
createdb: error: database creation failed: ERROR: database “gvmd” already exists
ERROR: role “dba” already exists
NOTICE: role “_gvm” is already a member of role “dba”
GRANT ROLE
ERROR: extension “uuid-ossp” already exists
ERROR: extension “pgcrypto” already exists
[>] Migrating database
[>] Checking for admin user
[>] Updating OpenVAS feeds
[*] Updating: NVT
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[>] Uploading plugins in Redis

[] Updating: GVMD Data
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[] Updating: Scap Data
rsync: [Receiver] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.2.3]
[*] Updating: Cert Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes received 115 bytes 63.20 bytes/sec
total size is 13 speedup is 0.08
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
rsync: [generator] failed to set permissions on “/var/lib/gvm/cert-data/CB-K13.xml”: Operation not permitted (1)
./
rsync: [generator] failed to set permissions on “/var/lib/gvm/cert-data/dfn-cert-2015.xml”: Operation not permitted (1)
rsync: [generator] failed to set permissions on “/var/lib/gvm/cert-data/dfn-cert-2016.xml”: Operation not permitted (1)
rsync: [generator] failed to set permissions on “/var/lib/gvm/cert-data/dfn-cert-2018.xml”: Operation not permitted (1)
CB-K18.xml
4,778,354 100% 94.94MB/s 0:00:00 (xfr#1, to-chk=22/29)
CB-K19.xml
4,143,951 100% 12.55MB/s 0:00:00 (xfr#2, to-chk=21/29)
CB-K20.xml
4,669,573 100% 3.11MB/s 0:00:01 (xfr#3, to-chk=20/29)
CB-K21.xml
2,279,536 100% 822.96kB/s 0:00:02 (xfr#4, to-chk=19/29)
dfn-cert-2017.xml
3,127,720 100% 3.50MB/s 0:00:00 (xfr#5, to-chk=8/29)
dfn-cert-2019.xml
3,549,005 100% 3.82MB/s 0:00:00 (xfr#6, to-chk=6/29)
dfn-cert-2020.xml
3,659,208 100% 3.55MB/s 0:00:00 (xfr#7, to-chk=5/29)
dfn-cert-2021.xml
1,996,101 100% 956.49kB/s 0:00:02 (xfr#8, to-chk=4/29)
sha1sums
1,419 100% 44.70kB/s 0:00:00 (xfr#9, to-chk=3/29)
sha256sums
2,019 100% 59.75kB/s 0:00:00 (xfr#10, to-chk=2/29)
sha256sums.asc
819 100% 23.52kB/s 0:00:00 (xfr#11, to-chk=1/29)
timestamp
13 100% 0.35kB/s 0:00:00 (xfr#12, to-chk=0/29)

sent 88,123 bytes received 2,139,779 bytes 297,053.60 bytes/sec
total size is 77,052,246 speedup is 34.59
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1816) [generator=3.2.3]
[*] Checking Default scanner
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd.sock 0 OpenVAS Default

[+] Done
–> SNIP <–

I don’t know what else i can do to fulfil the needs.

I activated and tested ipv6

I put the machine as near to the internet as possible and still it does not work.

So - guess you are right with nat or timeout - why does it partially sync the data?

I am totaly confused und feeling helpless.

It worked fine for months until i updated to 21.04.