IBM Support

QRadar: MaxMind GeoIP update script failed to download the database

Troubleshooting


Problem

When the /opt/qradar/bin/geodata_update.sh script is run to update the MaxMind GeoIP database in QRadar SIEM, the following error is observed:
Executing geoipupdate tool 
error retrieving updates: error retrieving filename for GeoLite2-City: error performing HTTP request: Get "https://updates.maxmind.com/app/update_getfilename?product_id=GeoLite2-City": proxyconnect tcp: read tcp xx.x.x.xx:xxxxx->xxx.xx.xx.xx:80: read: connection reset by peer
ERROR: geoipupdate tool failed to download the GeoLite2-City database

Cause

There are 2 possible solutions for the error message "geoipupdate tool failed to download the GeoLite2-City database":
  • Proxy Server Allow List
  • Proxy Server settings in the /opt/qradar/conf/GeoIP.conf file

Resolving The Problem

Proxy Server Allow List
  1. Contact the Network Team or the team responsible for the Proxy Server and request that the following 2 URL addresses be added to the Proxy Allow List:
    updates.maxmind.com
    download.maxmind.com
  2. Once these addresses have been added to the Proxy Allow List, run the geodata_update.sh script to confirm whether the issue is resolved:
    /opt/qradar/bin/geodata_update.sh

Proxy Server settings in the /opt/qradar/conf/GeoIP.conf file
  3. Verify in the QRadar UI the Use Proxy Settings Defined in Auto Update setting. Log in to the QRadar UI with an Administrative Account.
  4. Click on Admin, then click System Settings.
  5. Click on Geographic Settings.
  6. Verify the setting for Use Proxy Settings Defined in Auto Update.
  7. If the setting is True, confirm the Proxy Settings are correct in the Auto Update application.  Click on Admin, then click Auto Update.
  8. Click on Change Settings, Advanced.
  9. Verify the Proxy Settings are correct.
  10. Then compare them to the information that is supplied in the /opt/qradar/conf/GeoIP.conf file. You might find that the Proxy information is entered twice:
    # AutoUpdate Proxy Settings
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    # AutoUpdate Proxy Settings
    Proxy https://x.xx.xxx.xx:8080
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    When you run the /opt/qradar/bin/geodata_update.sh script the following message is returned:
    Executing geoipupdate tool
    ERROR: geoipupdate tool failed to download the GeoLite2-City database: error loading configuration file /opt/qradar/conf/GeoIP.conf: `ProxyUserName' is in the config multiple times
    To resolve this issue, manually edit the /opt/qradar/conf/GeoIP.conf file and remove one of the two sets of Proxy settings.
    From:
    # Defaults to "5m" (5 minutes).
    # RetryFor 5m
    # AutoUpdate Proxy Settings
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    # AutoUpdate Proxy Settings
    Proxy https://x.xx.xxx.xx:8080
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    To:
    # Defaults to "5m" (5 minutes).
    # RetryFor 5m
    # AutoUpdate Proxy Settings
    Proxy https://x.xx.xxx.xx:8080
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Note: Verify in the /opt/qradar/conf/GeoIP.conf file that the correct Proxy information has been configured.
    cat /opt/qradar/conf/GeoIP.conf

    The end of the file will look similar to the following.
    # The amount of time to retry for when errors during HTTP transactions are
    # encountered. It can be specified as a (possibly fractional) decimal number
    # followed by a unit suffix. Valid time units are "ns", "us" (or "µs"), "ms",
    # "s", "m", "h".
    # Defaults to "5m" (5 minutes).
    # RetryFor 5m
    Proxy https://x.xx.xxx.xx:8080
    Note: Sometimes the geoipupdate command has issues connecting with the https protocol, so changing the protocol from https to http establishes a successful connection. To change the protocol, edit the file /opt/qradar/conf/GeoIP.conf and change the Proxy address.
    From:
    Proxy https://x.xx.xxx.xx:8080
    To:
    Proxy http://x.xx.xxx.xx:8080
    Now the file looks like the following:
    # The amount of time to retry for when errors during HTTP transactions are
    # encountered. It can be specified as a (possibly fractional) decimal number
    # followed by a unit suffix. Valid time units are "ns", "us" (or "µs"), "ms",
    # "s", "m", "h".
    # Defaults to "5m" (5 minutes).
    # RetryFor 5m
    # AutoUpdate Proxy Settings
    Proxy http://x.xx.xxx.xx:8080
    ProxyUserName admin
    ProxyPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  11. Confirm the information is correct, then run the geodata_update.sh script to confirm whether the issue is resolved:
    /opt/qradar/bin/geodata_update.sh
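
The two GeoIP.conf checks from the steps above (duplicated directives and the Proxy scheme) can be scripted before rerunning geodata_update.sh. This is an added example, not IBM's or MaxMind's code; the function names, the sample file and its proxy.example.test host are constructed for illustration, and the directive names are the ones shown on this page.

```shell
#!/bin/bash
# Added example: lint a GeoIP.conf-style file before running geodata_update.sh.
# Directive names are the ones shown on this page; the sample file is constructed.

# Report directives that occur more than once as
#   <key> lines=<n,n> values=<same|differ>
# Values are compared but never printed, so ProxyPassword stays off the terminal.
find_duplicate_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            key = $1
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)
            if (key in first) {
                lines[key] = lines[key] "," NR
                if (first[key] != val) differ[key] = 1
            } else {
                first[key] = val; lines[key] = NR
            }
            count[key]++
        }
        END {
            for (k in count) if (count[k] > 1)
                printf("%s lines=%s values=%s\n", k, lines[k], (k in differ) ? "differ" : "same")
        }' "$1" | sort
}

# Print the scheme of the first Proxy directive (http, https, or "none" if it has no scheme).
proxy_scheme() {
    awk '$1 == "Proxy" { n = index($2, "://"); print (n ? substr($2, 1, n - 1) : "none"); exit }' "$1"
}

# Constructed sample reproducing the duplicated block described in step 10.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# RetryFor 5m
# AutoUpdate Proxy Settings
ProxyUserName admin
ProxyPassword constructed-secret-1
# AutoUpdate Proxy Settings
Proxy https://proxy.example.test:8080
ProxyUserName admin
ProxyPassword constructed-secret-2
EOF

find_duplicate_keys "$sample"
echo "proxy scheme: $(proxy_scheme "$sample")"
rm -f "$sample"
```

A "differ" result means the two copies disagree, so check the Auto Update proxy settings before deciding which set to keep. A scheme of http means the hop from QRadar to the proxy, including the proxy credentials, is not TLS-protected; the request to updates.maxmind.com shown in the error above is still HTTPS.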

Document Location

Worldwide

Document Information

Modified date:
22 May 2024

UID

ibm17151137