IBM Support

QRadar: HA host addition fails with error "Failure to connect to secondary host. Please make sure password is correct"

Troubleshooting


Problem

Unable to create an HA cluster because inconsistencies on the secondary peer cause the primary to fail when connecting to it over SSH.

Symptom

After the HA wizard is populated with the correct information and you try to create the HA cluster, the UI reports the error "Failure to connect to secondary host. Please make sure password is correct".
The following error is logged in /var/log/setup-xxx/qradar_hasetup.log on the primary peer:
[HA Setup (P-M----)] ESC[31m[ERROR] Failed to install ssh key on <Secondary peer IP>

Cause

Possible causes are:
  1. The password set on the secondary peer contains too many special characters.
  2. Network inconsistencies, such as port 22 not being open (SSH service not active) or being filtered by firewalls or iptables.
  3. The secondary peer is missing the /root/.ssh/ directory.

Environment

HA Cluster creation

Diagnosing The Problem

  1. Password with too many special characters.
    1. From the Console, use SSH to connect to the primary peer.
    2. From the primary, use SSH to connect to the secondary peer.
    3. When too many special characters exist in the password, the SSH connection might fail and report:
      Permission denied (publickey,password)
  2. Network blocking the connection.
    1. Log in to the IMM or XCC WebUI and start a Console connection to the secondary peer.
    2. Verify the sshd service is active.
      systemctl is-active sshd
    3. Verify that port 22 is open and listening.
      netstat -napl | grep sshd
      
      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      15871/sshd
    4. Verify that iptables accepts connections from any source to port 22.
      iptables -L -n -v |  grep 22
      Right Output:
       3949  237K ACCEPT     tcp  --  *      *  0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22

      Wrong Output:
       3949  237K ACCEPT     tcp  --  *   *  <Console or other IP>   0.0.0.0/0    state NEW tcp dpt:22
      
  3. SSH directory missing.
    1. Use SSH to connect to the secondary peer.
    2. Verify the directory exists with permissions 700 and ownership root.
      ls -lad /root/.ssh
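
The checks for causes 2 and 3 above can be scripted. The following is an added example, not IBM code or part of the QRadar tooling: shell functions that parse the netstat and iptables output formats shown above and check /root/.ssh. The function names and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not IBM code. Intended for a root shell on the secondary peer.

# Return 0 when sshd has a LISTEN socket on port 22. Reads `netstat -napl` on stdin.
sshd_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:22$/ && $6 == "LISTEN" && $7 ~ /\/sshd/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Return 0 when an ACCEPT rule for tcp dpt:22 takes any source (0.0.0.0/0).
# Reads `iptables -L -n -v` on stdin; column 8 is the source address.
ssh_rule_open_to_any() {
    awk '$3 == "ACCEPT" && $4 == "tcp" && $8 == "0.0.0.0/0" && /dpt:22( |$)/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Return 0 when the directory exists with mode 700 and the expected numeric owner.
ssh_dir_ok() {
    dir=${1:-/root/.ssh}; owner=${2:-0:0}    # 0:0 is root:root
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%a %u:%g' "$dir")" = "700 $owner" ]
}

# Constructed sample lines in the format shown in this technote (192.0.2.10 is made up).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22     0.0.0.0:*     LISTEN      15871/sshd'
SAMPLE_RULE_ANY=' 3949  237K ACCEPT  tcp  --  *  *  0.0.0.0/0   0.0.0.0/0  state NEW tcp dpt:22'
SAMPLE_RULE_ONE=' 3949  237K ACCEPT  tcp  --  *  *  192.0.2.10  0.0.0.0/0  state NEW tcp dpt:22'

# Run all checks against the live system and report every failure, not just the first.
preflight() {
    rc=0
    systemctl is-active --quiet sshd || { echo "FAIL: sshd is not active"; rc=1; }
    netstat -napl | sshd_listening || { echo "FAIL: sshd is not listening on port 22"; rc=1; }
    iptables -L -n -v | ssh_rule_open_to_any ||
        { echo "FAIL: no ACCEPT rule for dpt:22 from any source"; rc=1; }
    ssh_dir_ok /root/.ssh || { echo "FAIL: /root/.ssh missing or not 700 root:root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SSH prerequisites for HA setup are in place"
    return "$rc"
}
```

Source the file in a root shell on the secondary peer and call preflight; each failed check is reported on its own line.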
      

Resolving The Problem

The administrators are advised to read the QRadar HA documentation to familiarize themselves with these deployments before running the steps in this technote. Also see:

1 Configure a simpler password and enable passwordless access between the primary and secondary

  1. Use SSH to connect to the primary peer.
  2. Copy the SSH keys to the secondary peer.
    ssh-copy-id <secondary peer IP>
  3. Use SSH to connect to the secondary peer.
  4. Temporarily change the password to a simpler one with fewer or no special characters.
    Note: The password can be changed again with the same command after the HA cluster is created, without impact.
    passwd root
  5. Use SSH to connect from the primary to the secondary peer and confirm that it does not ask for a password.
  6. Attempt to create the HA Cluster again.

2 Ensure the sshd service is active and configure iptables to allow connections from any source

  1. SSH to the secondary peer.
  2. Restart the sshd service.
    systemctl restart sshd
  3. Verify that port 22 is open and listening.
    netstat -napl | grep sshd
  4. Configure a temporary entry in the iptables to allow connections from any source.
    Note: This entry can be removed later after the HA cluster is created without impact.
    echo "-A INPUT -p tcp --dport 22 -j ACCEPT" >> /opt/qradar/conf/iptables.pre
  5. Reload the iptables service.
    /opt/qradar/bin/iptables_update.pl
  6. Confirm the iptables services are running. If they are not, check QRadar: Troubleshooting iptables issues.
  7. SSH from primary to the secondary peer and confirm it can access. If the SSH cannot be established, check
  8. Attempt to create the HA Cluster again.

3 Create and configure the SSH directory

  1. SSH to the secondary peer.
  2. Create the missing directory.
    mkdir -pv /root/.ssh
  3. Set the right permissions.
    chmod 700 /root/.ssh
  4. Set the right ownership.
    chown root:root /root/.ssh
  5. Use SSH to connect from primary to the secondary peer and confirm it has access. If the SSH connection cannot be established, check
  6. Attempt to create the HA Cluster again.

Results

The HA Cluster creation now succeeds.
If the creation still fails, the administrators are advised to raise a support case with IBM® QRadar® Support.

Document Location

Worldwide

Document Information

Modified date:
21 October 2021

UID

ibm16498673