Troubleshooting
Problem
Symptom
Cause
- Managed host with slow bandwidth link to the Console, causing a certificate mismatch.
- Removed managed host from the deployment with remnants of the console configuration in /opt/qradar/conf/nva.conf.
- Detached managed hosts running 7.4.2 and older.
Diagnosing The Problem
The following steps can help the administrator determine why the host believes it is still part of the deployment:
Managed host with slow bandwidth link to the Console causing certificate mismatch
Slow network connections or certificate issues can prevent hosts from communicating as expected. A network timeout or certificate issue can lead to a pre-test version check failed error message when the host attempts to resolve the Console version.
- Open an SSH session to the affected managed host.
- Verify the bandwidth between the Console and the Managed Host. For steps to do so, see: QRadar: Replication bandwidth requirements and verifying speed between console and managed host.
- Verify there is no certificate mismatch:
grep test_tomcat_connection /var/log/qradar.log
[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR][-/- -]The Apache certificates on the managed host do not match the certificates on the Console. Tomcat connection test failed.
Removed managed host from the deployment with remnants of the Console configuration
When the IP address of the Console does not match the location the managed host is attempting to connect to, a version check error is displayed during the pre-test. The detached managed host believes it is still in the deployment, but the Console no longer uses the defined IP address.
- Open an SSH session to the affected managed host.
- Verify the CONSOLE_PRIVATE_IP setting has the Console's IP address with the following command:
grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf
CONSOLE_PRIVATE_IP=10.10.10.10
- Open an SSH session to the affected managed host.
- Verify the version running on the affected host with the su command:
[root@qradar ~]# su This server was upgraded to QRadar 7.4.1 Fix Pack 2 (Build 20220829221022) on Thu Oct 6 20:54:42 CST 2022.
Resolving The Problem
By stopping the hostcontext service, you can prevent the host from waiting on a version response from the Console to pass the pre-test and start the software update on the detached managed host.
Procedure
Use the following two commands to stop hostcontext and prevent the service from starting during the upgrade pre-test. It is important administrators remove the stop file after you run the installer and the upgrade completes.
- Open an SSH session to the affected managed host.
- Run the following commands on the affected host to stop the hostcontext service:
systemctl stop hostcontext
- Run the following command to add a flag to hostcontext to prevent it from restarting:
touch /opt/qradar/conf/hostcontext.STOP
- Run the installer.
/media/updates/installer
The upgrade passes the pre-test phase, the upgrade installs, then reboots. After the upgrade completes, hostcontext is unlikely to start due to the hostcontext.STOP file. You must remove the stop file and start the hostcontext service to complete this procedure.rm /opt/qradar/conf/hostcontext.STOP systemctl start hostcontext
Related Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 October 2022
UID
ibm16826767