Tenable Nessus Troubleshooting

Tenable Nessus server does not appear to be operational

  1. Verify that the Tenable Nessus scanner Status is Unable to Connect.

  2. SSH to the remote Tenable Nessus host to make sure the underlying operating system is operational.

  3. Confirm that the Tenable Nessus daemon is running (Linux example below):

    # service nessusd status

    nessusd (pid 3853) is running...

  4. If the Tenable Nessus service is not running, start the service:

    # service nessusd start

    Starting Nessus services:

    # ps -ef | grep nessusd

    root      8201  8200 60 11:41 pts/2    00:00:05 nessusd –q

    root      8206  7842  0 11:41 pts/2    00:00:00 grep nessusd

    #

Cannot add a Tenable Nessus server

  1. Make sure the Tenable Nessus daemon was registered using the Tenable Security Center option for registration.

  2. Check connectivity from Tenable Security Center to the port the Tenable Nessus system is running on (e.g., 8834). For example, run:

    curl -k https://<scannerIPaddress>:<port>

Tenable Nessus scans fail to complete

  1. Ensure that the Tenable Nessus service is running on the Tenable Nessus host.

  2. Ensure that Tenable Nessus scanner is listed in Tenable Security Center under Resources > Nessus Scanners and that the status of the Tenable Nessus scanner is listed as Working. For more information, see Tenable Nessus Scanner Statuses.

  3. Click Edit to ensure that the IP address or hostname, port, username, password, and selected repositories for the Tenable Nessus scanner are all correct.

  4. Edit any incorrect entries to their correct state.

  5. Click Submit to attempt to reinitialize the Tenable Nessus scanning interface.

  6. Right click the scan results and click Scan Details to obtain a more detailed description of the error.

    If the scan details indicate a Blocking error, this is indicative of a license IP address count that has reached the limit. Either remove a repository to free up IP addresses or obtain a license for more IP addresses.

  7. Ensure that scan targets are permitted within the configured scan zones.

  8. Ensure the Tenable Nessus scanner is running a supported Tenable Nessus version. For minimum Tenable Nessus scanner version requirements, see the Tenable Security Center Release Notes for your version.

Tenable Nessus plugins fail to update

  1. Click System > Configuration.

    The Configuration page appears.

  2. Click License and ensure that the Tenable Nessus Activation Code is marked as Valid.

  3. Ensure the Tenable Nessus scanner is running a supported Tenable Nessus version. For minimum Tenable Nessus scanner version requirements, see the Tenable Security Center Release Notes for your version.

  4. Ensure that the user used to connect to the Tenable Nessus server is a Tenable Nessus administrator.

  5. Ensure that the Tenable Security Center system is allowed outbound HTTPS connectivity to the Tenable Nessus Plugin Update Site.

  6. Under System, Configuration, and Update in Tenable Security Center, ensure that Active Plugins is not set to Never.

  7. Manually test a plugin update under Plugins with Update Plugins.

    If successful, the line Active Plugins Last Updated updates to the current date and time.

  8. For all other Tenable Nessus plugin update issues, contact Tenable Support.

A plugin did not run during a scan

If a scan result includes a message such as [plugin].nbin was not launched: because none of the required tcp ports are open, this means the target did not have the ports required by that plugin open at the time of the scan. This is expected behavior. Tenable Nessus skips plugins when their prerequisite ports are not detected on the target.

To resolve this:

  1. Verify that the target host is running the service associated with the plugin. For example, if the plugin checks for PostgreSQL, confirm that PostgreSQL is installed and running on the target.

  2. Verify that the required port is open and reachable from the scanner. Firewall rules or network ACLs may be blocking the port even if the service is running.

  3. If you want Tenable Nessus to scan additional ports, review the port range configured in your scan policy.