IBM Support

QRadar: Fail to add TAXII Feeds due to error "There is a problem connecting to the TAXII server"

Troubleshooting


Problem

Administrators who try to add TAXII Feeds might face the error, "There is a problem connecting to the TAXII server. Verify that the TAXII server is available. Failed to connect to the server due to SSL problems. This might be caused by an invalid client certificate, an unknown certificate authority, or a problem with the server".
When this error appears, administrators cannot add feeds.

Symptom

In the STIX/TAXII Configuration application, the error quoted in the Problem section is displayed after the administrator tries to create a new feed.

Cause

The STIX/TAXII URL is not reachable from the QRadar appliance.

Environment

QRadar 7.4.0 and later.

Diagnosing The Problem

Administrators can check the Threat Intelligence application logs to inspect which endpoint URL causes the issue.

  1. Log in to the QRadar Console command line as the root user.
  2. Use the recon command to find the App-ID of the Threat Intelligence application.
    /opt/qradar/support/recon ps
    
    Output Example:
    App-ID  Name              Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
    1005    Threat Intelligence  53               apps         qapp-1005     ++  qapp-1005       +++++  5000  ++++
    
  3. Run the cd command to change to the application log directory. Use the ID obtained in step 2. In this article, the ID is 1005.
    cd /store/docker/volumes/qapp-<id>/log
    Example:
    cd /store/docker/volumes/qapp-1005/log
  4. Run the grep command and search for the "Failed to get list of collections" error message.
    grep -E 'SSLError|Failed to get list of collections' app.log
    Output Example:
    [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://taxii.fsisac.com/ctixapi/taxii/; 
    HTTPSConnectionPool(host='taxii.fsisac.com', port=443): 
    Max retries exceeded with url:/ctixapi/taxii/(Caused by SSLError(SSLError("bad handshake:SysCallError(104,'ECONNRESET')",),))
    
  5. Take note of the URL reported after the "Failed to get list of collections from" message. For example, in this article, the URL is https://taxii.fsisac.com/ctixapi/taxii/.

Resolving The Problem

To resolve the problem, administrators can use the curl command to attempt a connection to the endpoint URL, then provide the output to the relevant networking team so that the connectivity issue can be resolved.
  1. Log in to the QRadar Console command line as the root user.
  2. Take note of the URL reported after the "Failed to get list of collections from" message. Follow the steps in the "Diagnosing the Problem" section. For example, in this article, the URL is https://taxii.fsisac.com/ctixapi/taxii/.
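  3. Run the following command to check the connection. Replace <TAXII Feed Endpoint URL> with the URL reported in app.log. The reported URL already begins with https://, so do not add the scheme a second time.
    curl -v <TAXII Feed Endpoint URL>
    Example:
    curl -v https://taxii.fsisac.com/ctixapi/taxii/
    
    If the scheme is entered twice (https://https://taxii.fsisac.com/ctixapi/taxii/), curl takes "https" as the host name and the check fails regardless of network connectivity:
    * Could not resolve host: https; Unknown error
    * Closing connection 0
    curl: (6) Could not resolve host: https; Unknown error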
    Result
    If the curl command fails to connect, the administrator must report the issue to the responsible network team so that communication from the Console to the TAXII Feed Endpoint URL is allowed. If the curl command succeeds, but TAXII feeds still cannot be retrieved, contact QRadar Support for assistance.
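
The diagnosis and curl check above, combined into one script. This is an added example, not IBM's code. It maps curl's documented exit statuses to the layer that failed, so the report to the network team names DNS, TCP or TLS. The function names, the script name and the taxii.example.org endpoint are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code: list the TAXII endpoints that app.log reports
# as failing and test each one from the Console with curl.

# Read app.log on stdin; print each unique URL that follows the error text.
# The log ends the URL with ';', so the match stops there.
failed_taxii_urls() {
    sed -n 's/.*Failed to get list of collections from \([^; ]*\).*/\1/p' | sort -u
}

# Collapse a repeated scheme (https://https://host makes curl resolve the
# host "https") and accept only http(s) URLs.
single_scheme_url() {
    url=$(printf '%s\n' "$1" | sed -E 's#^(https?://)+(https?://)#\2#')
    case $url in
        http://?*|https://?*) printf '%s\n' "$url" ;;
        *) return 1 ;;
    esac
}

# Map curl's exit status to the layer that failed.
explain_curl_exit() {
    case $1 in
        0)  echo "reachable; if feeds still fail, contact QRadar Support" ;;
        6)  echo "DNS: host name did not resolve" ;;
        7)  echo "TCP: connection refused or no route" ;;
        28) echo "timeout: traffic is probably filtered" ;;
        35) echo "TLS: handshake failed" ;;
        60) echo "TLS: server certificate is not trusted by this host" ;;
        *)  echo "curl exit $1; send the curl -v output to the network team" ;;
    esac
}

# Constructed sample input: the page's log line (twice) plus an invented endpoint.
sample_log() {
    cat <<'EOF'
[com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://taxii.fsisac.com/ctixapi/taxii/; HTTPSConnectionPool(host='taxii.fsisac.com', port=443): Max retries exceeded
[com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://taxii.example.org/taxii2/; HTTPSConnectionPool(host='taxii.example.org', port=443): Max retries exceeded
[com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://taxii.fsisac.com/ctixapi/taxii/; HTTPSConnectionPool(host='taxii.fsisac.com', port=443): Max retries exceeded
EOF
}

# Usage (hypothetical script name): sh taxii_check.sh /store/docker/volumes/qapp-<id>/log/app.log
if [ -n "${1:-}" ]; then
    failed_taxii_urls < "$1" | while read -r raw; do
        rc=0
        url=$(single_scheme_url "$raw") || { echo "$raw -> skipped, not http(s)"; continue; }
        curl -sS -o /dev/null --connect-timeout 10 "$url" || rc=$?
        echo "$url -> $(explain_curl_exit "$rc")"
    done
fi
```

For any endpoint that is not reported as reachable, rerun curl -v against it to capture the full output for the network team.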

Document Location

Worldwide


Document Information

Modified date:
30 June 2022

UID

ibm16593893