IBM Support

QRadar SOAR: App Host or Edge Gateway: Troubleshooting

Troubleshooting


Problem

Troubleshooting the various components of App Host or Edge Gateway

Environment

Refer to the IBM Security QRadar SOAR Platform Documentation section titled "Install the App Host" to install the App Host.

Resolving The Problem

Once the App Host is installed, and before creating a pairing of the App Host or Edge Gateway, check whether the 3 kube-system pods have a "Running" status. The following example shows the console output where the pods have the "Running" status.
NAMESPACE    NAME                                     READY   STATUS   RESTARTS         AGE
kube-system  local-path-provisioner-687d6d7765-7zpf2  1/1     Running  0                7d8h
kube-system  coredns-7b5bbc6644-8p6h4                 1/1     Running  97 (6h52m ago)   7d8h
kube-system  metrics-server-667586758d-h2wfp          1/1     Running  79 (6h50m ago)   7d8h
If any of the pods display one of the following statuses, take the corresponding action.
If the pod "STATUS" is showing as "ContainerCreating", then check proxy server settings. Refer to the following link.
Adding the App Host IP and SOAR IP to the NO_PROXY environment variable can solve connection issues.
If the pod "STATUS" is showing as "CrashLoopBackOff" and there is no proxy server, then check to see whether the "cni0" interface exists with the following command.
$ netstat -nr
Output when cni0 interface exists:
$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.x.x     0.0.0.0         UG        0 0          0 eth0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 cni0
192.168.x.x     0.0.0.0         255.255.255.0   U         0 0          0 eth0
If there is no "cni0" interface, check the firewall settings to ensure access to docker.io, docker.com and quay.io by using the following curl commands.
$ curl --insecure -vvI https://quay.io 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

$ curl --insecure -vvI https://docker.io 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

$ curl --insecure -vvI https://docker.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
Refer to the following documentation regarding access to required services on the internet.
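Because --insecure tells curl to continue even when certificate verification fails, the curl commands above confirm reachability and show the certificate that was presented, not that it is trusted; an unexpected issuer can indicate a TLS-inspecting firewall or proxy in the path. The following added example (not IBM's code) summarises those certificate lines; the samples are constructed, the line format assumes an OpenSSL-backed curl, and "Example Public CA" is a placeholder for the issuer you expect.

```shell
#!/usr/bin/env bash
# Added example: summarise the certificate lines the curl | awk filter prints.
# Samples are constructed; line format assumes an OpenSSL-backed curl build.
SAMPLE_INTERCEPTED='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=quay.io
*  issuer: O=Example Corp; CN=Example Corp TLS Inspection CA
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.'
SAMPLE_DIRECT='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=quay.io
*  issuer: C=US; O=Example Public CA; CN=Example Issuing CA 1
*  SSL certificate verify ok.'

# Print "issuer|verdict"; verdict is verified, unverified, unknown or no-tls.
cert_verdict() {
  awk '
    /^\* +issuer:/ { sub(/^\* +issuer: */, ""); issuer = $0; next }
    /^\* +SSL certificate verify ok/ { verdict = "verified" }
    /^\* +SSL certificate verify result:.*continuing anyway/ { verdict = "unverified" }
    END {
      if (issuer == "") { print "-|no-tls"; exit }
      if (verdict == "") verdict = "unknown"
      print issuer "|" verdict
    }'
}

# Exit 0 only if the chain verified and the issuer contains the CA name in $1.
cert_is_expected() {
  _line=$(cert_verdict)
  case "$_line" in
    *"$1"*"|verified") return 0 ;;
    *) printf 'unexpected certificate: %s\n' "$_line" >&2; return 1 ;;
  esac
}

printf '%s\n' "$SAMPLE_INTERCEPTED" | cert_verdict
printf '%s\n' "$SAMPLE_DIRECT" | cert_is_expected "Example Public CA" && echo "issuer ok"
```

On a real host, pipe the output of one of the curl commands above into cert_verdict in place of the sample.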
If all 3 kube-system pods have a status of "Running" and the cni0 interface is still not present, perform the following:
$ sudo k3s ctr images pull -k docker.io/rancher/pause:3.1 --image-pull-policy Always

$ sudo systemctl restart k3s

$ sudo kubectl rollout restart deployments -n kube-system

$ netstat -nr 
Additionally, if there is no "cni0" interface created, check whether the App Host server hostname is valid.
Once you have confirmed that the 3 kube-system pods display a status of "Running" and that the cni0 interface exists, proceed to adding and pairing a new App Host or Edge Gateway.
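The two pre-pairing checks above (pod status and the cni0 route) can be scripted. This is an added example, not IBM's code: both samples are constructed, and it assumes the pod listing comes from "sudo kubectl get pods -A", which the page does not name.

```shell
#!/usr/bin/env bash
# Added example: triage of the two pre-pairing checks (pod status, cni0 route).
# Both samples are constructed; on a real host pipe in the live command output.
SAMPLE_PODS='NAMESPACE    NAME                                     READY  STATUS             RESTARTS        AGE
kube-system  local-path-provisioner-687d6d7765-7zpf2  1/1    Running            0               7d8h
kube-system  coredns-7b5bbc6644-8p6h4                 0/1    CrashLoopBackOff   97 (6h52m ago)  7d8h
kube-system  metrics-server-667586758d-h2wfp          0/1    ContainerCreating  0               7d8h'
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.x.x     0.0.0.0         UG        0 0          0 eth0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 cni0'

# Print "pod|status|next step" for every kube-system pod that is not Running.
triage_pods() {
  awk '$1 == "kube-system" && $4 != "Running" {
    step = "inspect the pod events and logs"   # status the page does not cover
    if ($4 == "ContainerCreating") step = "check proxy settings and NO_PROXY"
    if ($4 == "CrashLoopBackOff")  step = "check for cni0 in the routing table"
    print $2 "|" $4 "|" step
  }'
}

# Exit 0 only if some route in the netstat -nr output uses cni0 (last column).
has_cni0() {
  awk '$NF == "cni0" { found = 1 } END { exit !found }'
}

# Exit 0 only when every kube-system pod is Running and the cni0 route exists.
ready_to_pair() {   # $1 = pod listing, $2 = routing table
  _bad=$(printf '%s\n' "$1" | triage_pods)
  [ -z "$_bad" ] && printf '%s\n' "$2" | has_cni0
}

printf '%s\n' "$SAMPLE_PODS" | triage_pods
ready_to_pair "$SAMPLE_PODS" "$SAMPLE_ROUTES" || echo "not ready to pair"
```

On the App Host itself, pass the live listings instead: ready_to_pair "$(sudo kubectl get pods -A)" "$(netstat -nr)".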
After pairing, if the App Host or Edge Gateway shows an unknown version or no CPU %, try the following steps.
Check whether the hostname was changed on the App Host or Edge Gateway.
NOTE: The default hostname for an OVA is "apphost.localdomain".
Run the following command to check whether there is more than one node.
$ sudo kubectl top node 

If the output shows multiple nodes, delete the "apphost.localdomain" node or any other node that is NOT the hostname of the App Host or Edge Gateway server.

Example output:
NAME                         CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
testlab-res50apphost-00001   230m         11%    1209Mi          31%
testlab-res46apphost-00001   230m         2%     1211Mi          5%
$ sudo kubectl delete node apphost.localdomain
Refer to the following link on "How do you remove old DNS entries from manageAppHost showconfig".
https://www.ibm.com/support/pages/node/6575517
Application logs

Determine the <NameSpace> and <Name> for the app container in question.
$ sudo kubectl get pods -A -l apps.isc.ibm.com/app-type=app -L app.kubernetes.io/instance
$ sudo kubectl logs -n <NameSpace> <Name>
Redirect to a file:
$ sudo kubectl logs -n <NameSpace> <Name> >app.log
Tail the log:
$ sudo kubectl logs -fn <NameSpace> <Name>

App Host or Edge Gateway synchronizer container:
Determine the <NameSpace> and <Name> for the App Host synchronizer container in question.
$ sudo kubectl logs -n <NameSpace> <Name>
Redirect to a file:
$ sudo kubectl logs -n <NameSpace> <Name> >synchronizer.log
Tail the log:
$ sudo kubectl logs -fn <NameSpace> <Name>
Applications stuck undeploying:
Instead of uninstalling, choose the upgrade option.
When prompted to choose a file for upgrade, use the same version that is installed (or a newer version if there is one). This undeploys the application and sets the status to Waiting for Configure and Test.
DNS

The App Host or Edge Gateway system does not use /etc/hosts for DNS resolution; it uses the system's /etc/resolv.conf for DNS. If a host cannot be resolved, add it to the DNS settings of the App Host or Edge Gateway container(s) with the manageAppHost dns --set command.

$ sudo manageAppHost dns --set --ip <IP_Address> --hostname <Hostname>

Example:

$ sudo manageAppHost dns --set --ip 142.251.40.110 --hostname google.com

For CP4S, ensure that the URLs containing cases-stomp and cases-rest can be resolved.

Document Location

Worldwide

Document Information

Modified date:
30 December 2023

UID

ibm17063863