IBM Support

QRadar EDR: Diagnosing connectivity for agents to the hive

How To


Summary

This technote covers some tools and advice for diagnosing connectivity issues that QRadar EDR (formerly ReaQta) agents might have when they are attempting and failing to connect to QRadar EDR (formerly ReaQta) Hive.

Objective

Each of the following sections covers pinging, checking IP from DNS, bandwidth checking, and traceroute. Using these tools, one can diagnose issues that might prevent an agent from reliably communicating with ReaQta Hive.

Steps

Windows

The following instructions were taken from Windows 10 LTSB and might change based on Windows version. These commands are typically run by using Windows' included cmd or Powershell environments.
  1. Getting your ReaQta Hive hostname or IP address.
    • If you do not know your ReaQta Hive hostname or IP address that your agent is configured to use, contact your ReaQta administrator or open a case with IBM Support.
    • Typically, ReaQta communicates through a nginx server on port 4443, but this port can be configured to different values. 
  2. Querying the DNS to see whether it returns the IP address from your hostname.
    • For most environments, the DNS (depending on level) is able to return the IP address of your ReaQta Hive if provided the hostname.
    • Using CMD, type and execute nslookup <ReaQta hostname> to query the DNS for the IP address of the provided hostname.
    • If successful, it returns an IP address, for example: 192.168.1.2
    • If unsuccessful, it returns *** dnsname.com can't find <reaqtahive>.com: Non-existent domain
    • While not necessarily an issue, if your agent connects to the ReaQta Hive by using the hostname, it might not work if the DNS does not know the matching IP address for the ReaQta Hive.
  3. Pinging your ReaQta Hive hostname to confirm it is reachable and responding
    • Using CMD, type and execute ping <ReaQta hostname> to have your host try contact said hostname.
    • You can also ping by using IP addresses, for example:  ping 192.168.1.2
    • If it is successful, it returns a short-continual list of replies like this:
      image-20220410132827-1
    • If there is an issue pinging the address or IP, it returns: Request timed out.
    • If the request times out, check your hostname or IP is correct. Else you could be not connected to your environment's network.
    • If pinging the IP address works as expected, but pinging the hostname does not, there might be an issue with the DNS hostname resolution or your connection to the DNS.
  4. Test connection stability by using continuous ping attempts
    • If using ping to check connections works most of the time, but you want to for a longer period to test connection stability, you can increase the number of ping-replies by using the -t option
    • This test is performed by adding -t <number> option to the ping command, for example: ping 192.168.1.2 -t 1000, would ping said IP 1000 times.
    • You can specify -t option without a number, and it pings indefinitely.
    • Note the successful replies vs timeouts as a measure of connection stability.
  5. Checking agent host bandwidth
    • ReaQta Hive does not provide bandwidth checking from agents, as the agents use little bandwidth overall.
    • However, if one wants to, they can test their host computer's bandwidth by using tools such as Fast.com or speedtest-cli to confirm they have a sufficiently fast connection.
  6. Using Telnet to check ports are open to ReaQta Hive
    • If required, users can also use Telnet to query ReaQta Hive's ports should they suspect they are using the incorrect port.
    • Telnet needs to be installed on Windows operating systems. To install Telnet, check out the instructions here: Windows 10: Enabling Telnet Client
    • ReaQta Hive communicates by using nginx over a specific port, typically 4443 for SaaS deployments and 443 for On-Prem deployments. This port can be configured or port-forwarded so check whether you are on port 4443 or 443.
    • To attempt a telnet test to ReaQta Hive on a specific port, use CMD and execute telnet <ReaQta hostname> <port> to query the DNS for the IP address of the provided hostname.
    • If successful, you receive an error 400 response, which is expected as ReaQta Hive is rejecting your nonagent request. It might look like this:
      image-20220330131829-2
    • If unsuccessful, you might receive some other response such as "Connect Failed", "Request timed out" or "Connection Refused".
  7. Traceroute for tracking where connections fail
    • If you are unable to ping your ReaQta Hive hostname or IP address, but other addresses on your network seem to reply as expected, traceroute my offer some insight as to why the request is failing.
    • To see the path your connection is taking, type and execute tracert <ReaQta hostname> to have your host try contact said hostname and then print the path it took to communicate.
      image-20220330120841-3
    • If it fails, one of the hops returns: Request timed out.

Linux

The following instructions were taken from Ubuntu 21.10 and might change based on distribution. These commands typically are run by using Ubuntu's in-built bash terminal.
  1. Getting your ReaQta Hive hostname or IP address.
    • If you do not know your ReaQta Hive hostname or IP address that your agent is configured to use, contact your ReaQta administrator or open a case with IBM Support.
    • Typically, ReaQta communicates through a nginx server on port 4443, but this port can be configured to different values. 
  2. Querying the DNS to see whether it returns the IP address from your hostname.
    • For most environments, the DNS (depending on level) is able to return the IP address of your ReaQta Hive if provided the hostname.
    • Using the terminal, type and execute nslookup <ReaQta hostname> to query the DNS for the IP address of the provided hostname.
    • If successful, it returns an IP address, for example: 192.168.1.2
    • If unsuccessful, it returns ** server can't find <ReaQta Hive>: SERVFAIL
    • While not necessarily an issue, if your agent connects to the ReaQta Hive by using the hostname, it might not work if the DNS does not know the matching IP address for this case.
  3. Pinging your ReaQta Hive hostname to confirm it is reachable and responding
    • Using the terminal, type and execute ping <ReaQta hostname> -c 4 to have your host try contact said hostname.
    • You can also ping by using IP addresses, for example: ping 192.168.1.2 -c 4
    • If it is successful, it returns a short-continual list of replies like this:
      image-20220330142630-1
    • If there is an issue pinging the address or IP, it returns: 100% packet loss, and no replies
    • If the request times out, check your hostname or IP is correct. Else you could not be connected to your environment's network.
    • If pinging the IP address works as expected, but pinging the hostname does not, there might be an issue with the DNS' hostname resolution or your connection to the DNS.
  4. Test connection stability by using continuous ping attempts
    • If using ping to check connections works most of the time, but you want to check  for a longer period to test connection stability, you can increase the number of ping-replies by using the -c option
    • This test is performed by altering -c <number> option to the ping command. For example, ping 192.168.1.2 -c 1000 would ping said IP 1000 times.
    • You can omit the -c option without a number, and it pings indefinitely.
    • Note the successful replies vs timeouts as a measure of connection stability.
  5. Checking agent host bandwidth
    • ReaQta Hive does not provide bandwidth checking from agents, as the agents use little bandwidth overall.
    • However, if one wants to, they can test their host computer's bandwidth by using tools such as Fast.com or speedtest-cli to confirm they have a sufficiently fast connection.
    • To install speedtest-cli, you can use your package manager. More instructions are available here: Speedtest® CLI
  6. Using Telnet to check ports are open to ReaQta Hive
    • If required, users can also use Telnet to query ReaQta Hive's ports should they suspect they are using the incorrect port.
    • ReaQta Hive communicates by using nginx over a specific port, typically 4443 for SaaS deployments and 443 for On-Prem deployments. This port can be configured or port-forwarded so check whether you are on port 4443 or 443.
    • To attempt a telnet test to ReaQta Hive on a specific port, using the terminal, type and execute telnet <ReaQta hostname> <port> to query the DNS for the IP address of the provided hostname.
    • If successful, the Hive connects and allows typing. If you type a message, you receive an error 400 response, which is expected as ReaQta Hive is rejecting your nonagent request. It might look like this:
      image-20220401102048-5
    • If unsuccessful, you might receive some other response such as "Connect Failed", "Request timed out" or "Connection Refused"
      image-20220330151020-2
  7. Traceroute for tracking where connections fail
    • If you are unable to ping your ReaQta Hive hostname or IP address, but other addresses on your network seem to reply as expected, traceroute my offer some insight as to why the request is failing.
    • Depending on your Linux distribution, traceroute might not be installed, but can be with the traceroute package by using the distribution's package manager.
    • To see the path your connection is taking, type and execute traceroute <ReaQta hostname> to have your host try contact said hostname and then print the path it took to communicate. image-20220401091323-1
    • If it fails, one of the hops returns: Request timed out.
    • Note: Depending on the path, some routers do not respond to all traceroute information by using UDP or ICMP. These cases appear as * * * responses.

macOS

The following instructions were taken from macOS 12.2.1 Monterey and might change based on macOS version. These commands are typically run by using macOS's included terminal.
  1. Getting your ReaQta Hive hostname or IP address.
    • If you do not know your ReaQta Hive hostname or IP address that your agent is configured to use, contact your ReaQta administrator or open a case with IBM Support.
    • Typically, ReaQta communicates through a nginx server on port 4443, but this port can be configured to different values. 
  2. Querying the DNS to see whether it returns the IP address from your hostname.
    • For most environments, the DNS (depending on level) is able to return the IP address of your ReaQta Hive if provided the hostname.
    • Using the terminal, type and execute nslookup <ReaQta hostname> to query the DNS for the IP address of the provided hostname.
    • If successful, it returns an IP address for example: 192.168.1.2
    • If unsuccessful, it returns the following or similar message: ** server can't find <ReaQta Hive>: SERVFAIL
    • While not necessarily an issue, if your agent connects to the ReaQta Hive by using the hostname, it might not work if the DNS does not know the matching IP address for this case.
  3. Pinging your ReaQta Hive hostname to confirm it is reachable and responding
    • Using the terminal, type and execute ping <ReaQta hostname> -c 4 to have your host try contact said hostname.
    • You can also ping by using IP addresses, for example: ping 192.168.1.2 -c 4
    • If it is successful, it returns a short-continual list of replies like this:
      image-20220401101201-2
    • If there is an issue pinging the address or IP, it returns the following, or a similar message: Request timeout for icmp_seq #
    • If the request times out, check your hostname or IP is correct. Else you could not be connected to your environment's network.
    • If pinging the IP address works as expected, but pinging the hostname does not, there might be an issue with the DNS' hostname resolution or your connection to the DNS.
  4. Test connection stability by using continuous ping attempts
    • If using ping to check connections works most of the time, but you want to check for a longer period to test connection stability, you can increase the number of ping-replies by using the -c option
    • This test is performed by altering -c <number> option to the ping command. For example, ping 192.168.1.2 -c 1000 would ping said IP 1000 times.
    • You can omit the -c option without a number, and it pings indefinitely.
    • Note the successful replies vs timeouts as a measure of connection stability.
  5. Checking agent host bandwidth
    • ReaQta Hive does not provide bandwidth checking from agents, as the agents use little bandwidth overall.
    • However, if one wants to, they can test their host computer's bandwidth by using tools such as Fast.com or speedtest-cli to confirm they have a sufficiently fast connection.
    • To install speedtest-cli, brew tap can be used. More instructions are available here: Speedtest® CLI
  6. Using Telnet to check ports are open to ReaQta Hive
    • If required, users can also use Telnet to query ReaQta Hive's ports should they suspect they are using the incorrect port.
    • ReaQta Hive communicates by using nginx over a specific port, typically 4443 for SaaS deployments and 443 for On-Prem deployments. This port can be configured or port-forwarded so check whether you are on port 4443 or 443.
    • To attempt a telnet test to ReaQta Hive on a specific port, using the terminal, type and execute telnet <ReaQta hostname> <port> to query the DNS for the IP address of the provided hostname.
    • If successful, the Hive connects and allows typing. If you type a message, you receive an error 400 response, which is expected as ReaQta Hive is rejecting your nonagent request. It might look like this:
      image-20220401102518-1
    • If unsuccessful, you might receive some other response such as "Connect Failed", "Request timed out" or "Connection Refused"
      image-20220330151020-2
  7. Traceroute for tracking where connections fail
    • If you are unable to ping your ReaQta Hive hostname or IP address, but other addresses on your network seem to reply as expected, traceroute my offer some insight as to why the request is failing.
    • Depending on your Linux distribution, traceroute might not be installed, but can be with the traceroute package by using the distribution's package manager.
    • To see the path your connection is taking, type and execute traceroute <ReaQta hostname> to have your host try contact said hostname and then print the path it took to communicate. image-20220401102342-6
    • If it fails, one of the hops returns: Request timed out.
    • Note: Depending on the path, some routers do not respond to all traceroute information by using UDP or ICMP. These cases appear as * * * responses.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSVOEH","label":"IBM Security ReaQta"},"ARM Category":[{"code":"a8m3p000000hBSUAA2","label":"Agent"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Product Synonym

ReaQta

Document Information

Modified date:
18 June 2024

UID

ibm16567497

Page Feedback