Troubleshooting
Problem
QRadar upgrades or pretests can fail in environments or the appliance might incorrect trigger rules where dual stack networks are configured. The pretest utility check_iptables_rules.sh fails on appliances configured with dual stack as ip6tables and iptables are disabled due to an incorrect symbolic link. This can also lead to issues where rules are incorrect generated as iptables and ipv6tables symbolic links are broken. This technical note includes a support utility to assist administrators with APAR IJ32638 and APAR IJ32591 to resolve the issue.
Symptom
- A pretest error message as described in APAR IJ32638 might be visible in /var/log/setup-<version>/patches.log when this issue occurs:
[ERROR](-i-testmode) Patching can not continue Patch Report for (ip_address), appliance type: 1699 Patch pretest 'Check for invalid iptables rules' failed. (check_iptables_rules.sh) (hostname) : patch test failed. An error was encountered attempting to process patches. - Administrators who customize iptables or ipv6tables rules can also experience issues where the rules are not applied successfully as described in APAR IJ32591.
Cause
The patch pretest error is displayed when the upgrade cannot confirm iptables is properly configured on appliances that use dual stack networking. This symbolic link error can also cause accept and reject customizations to iptables or ipv6tables to not function as expected until the attached support utility is run.
Environment
This issue affects all appliance versions where dual stack (IPv4 and IPv6) networks are configured on a single appliance.
Resolving The Problem
Before you begin
- Administrators must have root access to appliances that are configured with dual stack (IPv4 and IPv6 network configurations).
- If you unsure if you are experiencing APAR IJ32638 or APAR IJ32591 and require assistance with this utility, contact QRadar Support.
Procedure
The fix_dual_stack_iptables.sh utility resets iptables rules, creates a back up of the configuration files in /root/keep directory and creates a new symbolic link between /bin/true to /opt/qradar/bin/iptables_update.pl. The original ipv6tables and iptables configuration is backed up by the utility to the /root/keep/ directory.
The fix_dual_stack_iptables.sh utility resets iptables rules, creates a back up of the configuration files in /root/keep directory and creates a new symbolic link between /bin/true to /opt/qradar/bin/iptables_update.pl. The original ipv6tables and iptables configuration is backed up by the utility to the /root/keep/ directory.
- Download the utility attached to this technical note: fix_dual_stack_iptables.tgz.
- Use an SCP client to transfer the utility to /storetmp on the Console.
- Log in to the Console as a root user.
- If the issue is not on the Console, use SCP to transfer the utility to /storetmp on the appliance with dual stack networking configured.
- Navigate to the /storetmp directory.
- To extract the utility, run the command:
tar -zxvf fix_dual_stack_iptables.tgz - To set permissions on the file, type:
chmod +x fix_dual_stack_iptables.sh - To run the utility, type:
./fix_dual_stack_iptables.sh - To verify the symbolic link is created, type the following command:
The output displays the symlink between /opt/qradar/bin/iptables_update.pl and /bin/true, then the procedure is complete.ls -l /opt/qradar/bin/iptables_update.pl/opt/qradar/bin/iptables_update.pl -> /bin/true
Results
Administrators confirm iptabes updates or run the installer pretest to confirm the issue is resolved. Optionally, you can review for any custom iptables or ipv6iptables configurations that need to be restored from the configuration files backed up in the /root/keep directory. If you continue to experience iptables or ipv6tables errors on the appliance, contact QRadar Support.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
06 July 2021
UID
ibm16464843