IBM Support

QRadar: Error "Failed to determine the patch level of the Console" is displayed when attempting to upgrade a detached managed host

Troubleshooting


Problem

A detached managed host is a QRadar appliance that believes it is still part of the deployment and looks for data from the Console. When an administrator attempts to upgrade a detached managed host to a new version of QRadar®, the upgrade can fail when the pre-test attempts to check the Console version. This article helps the administrator troubleshoot the error that prevents the detached managed host from being upgraded.

Symptom

The following is seen in the installation screen, preventing the software from passing the pre-test and being updated:
[Figure 01: screenshot of the installation screen showing the error]

Cause

When a slow or removed managed host goes through the upgrade process, remnants of the Console configuration sometimes remain in /opt/qradar/conf/nva.conf. As a result, the managed host thinks it is still in the deployment.
The following are the common causes for this issue to occur:
  • Managed host with slow bandwidth link to the Console, causing a certificate mismatch.
  • Removed managed host from the deployment with remnants of the console configuration in /opt/qradar/conf/nva.conf.
  • Detached managed hosts running 7.4.2 and older.

Diagnosing The Problem

The following steps can help the administrator determine why the host believes it is still part of the deployment:

Managed host with slow bandwidth link to the Console causing certificate mismatch
Slow network connections or certificate issues can prevent hosts from communicating as expected. A network timeout or certificate issue can lead to a pre-test version check failed error message when the host attempts to resolve the Console version.

  1. Open an SSH session to the affected managed host.  
  2. Verify the bandwidth between the Console and the Managed Host. For steps to do so, see: QRadar: Replication bandwidth requirements and verifying speed between console and managed host.
  3. Verify there is no certificate mismatch:
    grep test_tomcat_connection /var/log/qradar.log
    Output example:
    [test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: 
    [ERROR][-/- -]The Apache certificates on the managed host do not match the certificates on the Console. Tomcat connection test failed.

Removed managed host from the deployment with remnants of the Console configuration
When the IP address of the Console does not match the location the managed host is attempting to connect to, a version check error is displayed during the pre-test. The detached managed host believes it is still in the deployment, but the Console no longer uses the defined IP address.

  1. Open an SSH session to the affected managed host.
  2. Verify the CONSOLE_PRIVATE_IP setting has the Console's IP address with the following command:
    grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf
    
    Output example:
    CONSOLE_PRIVATE_IP=10.10.10.10

Detached managed hosts on QRadar version 7.4.2 and earlier
  1. Open an SSH session to the affected managed host.
  2. Verify the version running on the affected host with the su command:
    [root@qradar ~]# su
    This server was upgraded to QRadar 7.4.1 Fix Pack 2 (Build 20220829221022) on Thu Oct  6 20:54:42 CST 2022.
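
The three checks above combined into one read-only script, as an added example that is not part of the IBM article. The function names, the expected Console IP argument and the sample data are assumptions; the file paths, setting name and log strings are the ones shown in the steps above.

```shell
# Added example, not IBM code; function names and sample data are assumptions.
# Print the CONSOLE_PRIVATE_IP value from an nva.conf file (empty if unset).
console_ip_in_conf() {      # $1 = path to nva.conf
    sed -n 's/^CONSOLE_PRIVATE_IP=//p' "$1" 2>/dev/null | tail -n 1
}

# Count certificate-mismatch errors on a test_tomcat_connection line or the next.
cert_mismatch_count() {     # $1 = path to qradar.log
    grep -A1 'test_tomcat_connection' "$1" 2>/dev/null |
        grep -c 'certificates on the managed host do not match' || true
}

# Succeed if the upgrade banner reports QRadar 7.4.2 or older (sets $ver).
is_742_or_older() {         # $1 = banner line shown by the version check
    ver=$(printf '%s\n' "$1" | sed -n 's/.*QRadar \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    IFS=. read -r v1 v2 v3 rest <<EOF
$ver
EOF
    if [ "$v1" -ne 7 ]; then [ "$v1" -lt 7 ]
    elif [ "${v2:-0}" -ne 4 ]; then [ "${v2:-0}" -lt 4 ]
    else [ "${v3:-0}" -le 2 ]; fi
}

# Print one line per cause that applies.
triage() {   # $1 expected Console IP, $2 nva.conf, $3 qradar.log, $4 banner
    ip=$(console_ip_in_conf "$2")
    if [ -n "$ip" ] && [ "$ip" != "$1" ]; then
        echo "nva.conf: CONSOLE_PRIVATE_IP=$ip but the Console is $1"
    fi
    if [ "$(cert_mismatch_count "$3")" -gt 0 ]; then
        echo "qradar.log: Apache certificates do not match the Console"
    fi
    if is_742_or_older "$4"; then
        echo "version: host reports QRadar $ver (7.4.2 or older)"
    fi
}

# Four arguments: check real files. Otherwise: constructed sample data.
if [ "$#" -eq 4 ]; then
    triage "$@"
else
    d=$(mktemp -d)
    echo 'CONSOLE_PRIVATE_IP=10.10.10.10' > "$d/nva.conf"
    printf '%s\n' '[test_tomcat_connection] [main] BackupUtils:' \
        '[ERROR] The Apache certificates on the managed host do not match the certificates on the Console.' > "$d/qradar.log"
    triage 10.10.10.20 "$d/nva.conf" "$d/qradar.log" 'upgraded to QRadar 7.4.1 Fix Pack 2'
    rm -rf "$d"
fi
```

On a managed host the inputs are the Console's current address, /opt/qradar/conf/nva.conf, /var/log/qradar.log and the version banner line, passed in that order.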
    

Resolving The Problem

Stopping the hostcontext service prevents the host from waiting on a version response from the Console, so the pre-test can pass and the software update can start on the detached managed host.

Procedure
Use the following two commands to stop hostcontext and prevent the service from starting during the upgrade pre-test. It is important that administrators remove the stop file after the installer runs and the upgrade completes.

  1. Open an SSH session to the affected managed host.  
  2. Run the following command on the affected host to stop the hostcontext service:
    systemctl stop hostcontext
  3. Run the following command to add a flag to hostcontext to prevent it from restarting:
    touch /opt/qradar/conf/hostcontext.STOP
  4. Run the installer.
    /media/updates/installer
    Result
    The upgrade passes the pre-test phase, the upgrade installs, then reboots. After the upgrade completes, hostcontext is unlikely to start due to the hostcontext.STOP file. You must remove the stop file and start the hostcontext service to complete this procedure. 
    rm /opt/qradar/conf/hostcontext.STOP
    systemctl start hostcontext
    If the service fails to start after you remove the stop file or you continue to experience version error messages, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
31 October 2022

UID

ibm16826767