Zabbix agent - psk encryption issues with D-Link DGS-1210-16

Is anyone using the Zabbix agent on their Realtek switch?

I have it on all my OpenWrt devices including my two Realtek switches (D-Link DGS-1210-16 & Zyxel XGS1250-12 A1). Also I am using psk encryption on all devices without issues, except for the D-Link switch. Without psk, monitoring works just fine. As soon as I enable psk, it fails and I see

old text

daemon.warn: zabbix_agentd[2279]: failed to accept an incoming connection: from 192.168.11.29: TLS connections are not allowed
in the system log.

With 24.10.x it sometimes started working after a while and then would fail again a few days later.
With 25.12-rcx I was not yet able to get it to work.

I would assume that both devices use the exact same package (zabbix-agentd-openssl), so the package likely is not the problem, but rather something on the D-Link seems to not work as expected by the Zabbix agent.

Would anyone have any idea to further narrow this down and get more insights?

edit
Zabbix states:
Get value from agent failed: TCP successful, cannot establish TLS to [[192.168.11.10]:10050]: zbx_tls_connect(): gnutls_handshake() failed: -110 The TLS connection was non-properly terminated.

edit new:
My bad,
I mixed something up:

  • after I had issues in 24.10.x with zabbix agent via psk, I had for some reason disabled the config in addition to disabling psk on the Zabbix end.
    This explains the above error messages.

  • just enabled the config again in the current 25.12-rc5 and now I can see the same error in the logs I had in 24.10.x:
    daemon.warn: zabbix_agentd[5832]: failed to accept an incoming connection: from 192.168.11.29: TLS handshake set result code to 6:: TLS read warning alert "close notify"

On the Zabbix end I see the following error instead: Get value from agent failed: TCP successful, cannot establish TLS to [[192.168.11.10]:10050]: timed out

Do you have anything else that does incoming TLS connections using OpenSSL to the D-Link? i.e. is it a general OpenSSL issue on that switch?

Also, did you install both Zabbix packages at the same time? In the past couple of months there has been, on 24.10.x, an upgrade to 7.0.21.

I have no other SSL services running (other than LuCI's HTTPS).
Package-wise, both switches have the same extra packages (only theme, zabbix and kmod-sfp).
On the 24.10 releases it was working and failing on the same version, so the version updates did not cause a change.
If you have an idea how to test that (i.e. what service I could use to test SSL in general)

Is the CPU even fast enough for such a task 🙈


You could try openvpn-openssl maybe? or for a shorter-lived test httping (from your workstation to nginx on the device?). Or znc (IRC bouncer)? These are programs that use OpenSSL in versions available as binaries.

Are the certificates present and not expired? Alert 6 suggests some type of certificate issue.

Maybe permissions (zabbix now runs as a regular user so if your private key is readable by root only, it won't work).

Do you see anything in /var/log/zabbix-agent/zabbix-agentd.log? - I think that is the path.

EDIT: never mind, the default is system logs; I just usually override that.

psk file has the permissions 644 in both switches, so that should not be the issue.
That psk cert used in Zabbix does not have any expiry and is created via openssl rand -hex 32

Both have this config (different identity of course)

TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/etc/zabbix_agentd.psk
TLSPSKIdentity=switch1

That is also the same block I use on my Linux servers (also with different identities of course)

I have just checked the log and it is between <10% and max 30/40% CPU load

What exact CPU in both the Realtek devices? Maybe the D-Link has some issue with the cipher used for PSK?

How about something that would affect frame size? E.g. software vs hardware VLANs?

D-Link DGS-1210-16
Realtek RTL8382M

Zyxel XGS1250-12 A1
Realtek RTL9302B

Both have software vlans configured (the same ones)

What about the output of cat /proc/cpuinfo ?


I see they are different processor families (rtl838x vs rtl930x) so this could be a CPU issue.

cat /proc/cpuinfo on the D-Link
system type : Realtek RTL8382M rev C (6275)
machine : D-Link DGS-1210-16
processor : 0
cpu model : MIPS 4KEc V7.0
BogoMIPS : 498.89
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 2, address/irw mask: [0x0fff, 0x0fff]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16
Options implemented : tlb 4kex 4k_cache 32fpr prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit mm_full
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available

I know for a while mip32k was failing to complete CI checks for many packages; that seems to have been resolved, so I am thinking it might be worth trying a SNAPSHOT build.

mips4k (rtl838x) holds even more surprises.

cat /proc/cpuinfo on the Zyxel
system type : Realtek RTL9302B rev B (6487)
machine : Zyxel XGS1250-12 A1 Switch
processor : 0
cpu model : MIPS 34Kc V5.5
BogoMIPS : 531.66
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16 dsp mt
Options implemented : tlb 4kex 4k_cache 32fpr prefetch mcheck ejtag llsc pindexed_dcache userlocal vint perf_cntr_intr_bit perf mm_full
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VPE : 0
VCED exceptions : not available
VCEI exceptions : not available
processor : 1
cpu model : MIPS 34Kc V5.5
BogoMIPS : 531.66
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16 dsp mt
Options implemented : tlb 4kex 4k_cache 32fpr prefetch mcheck ejtag llsc pindexed_dcache userlocal vint perf_cntr_intr_bit perf mm_full
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VPE : 1
VCED exceptions : not available
VCEI exceptions : not available

Do you believe that fix happened after the 25.12 branch was spun off?

I can try the master snapshot later this week.