QRadar: Troubleshooting tunnel issues

Troubleshooting

Problem

This article discusses encrypted managed host connections "tunnels" and common troubleshooting tips.

Symptom

There are several possible symptoms that can point to a tunnel issue:

Issuing a Deploy Changes or a Full Deploy from the Console can time out on a Managed Host.
A managed host shows in an Unknown status in the Console.
Searches performed in the Console might fail with error " An IO error occurred on server(s) hostname. Please try again."
One of the following errors can be seen in the qradar.log:

Setup process setuptunnel.host_114tunneleventstream has failed to start for 22 intervals. Continuing to try to start...
127.0.0.1 [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [NOT:0150114103][192.0.2.10/- -] [-/- -]Setup process setuptunnel.host_104tunnelrdate has failed to start for 276 intervals. Continuing to try to start.. [QRadar] [3330] qflow0: [WARNING] Lost connection to 192.0.2.10:32010

Cause

Here are several possible causes for a down tunnel:

SSH connectivity issues: QRadar: Checking SSH connectivity to ensure a connection can be formed
SSH connectivity validation: QRadar: Validating SSH from the Console to a managed host is connecting
Troubleshooting SSH connections: QRadar: Troubleshooting SSH when connections cannot be established
Bandwidth issues between the Console and Managed host that could cause the tunnel to time out or fail at times: QRadar: Replication bandwidth requirements and verifying speed between console and managed host
Version differences between the Console and the Managed Host: QRadar: All hosts in your deployment must be at the same version

Environment

About encrypted connections 'tunnels' in QRadar

All the ports that are used by the QRadar Console to communicate with managed hosts can be encrypted in tunnels. Tunneled connections between the Console and managed hosts are done over SSH, on TCP port 22. QRadar allows administrators to use both encrypted and unencrypted connections for a managed host that is connected to the Console. The settings to encrypt communication between a Console and managed hosts are found on the Admin tab > System and License Management > Deployment Actions > Edit Managed Host > Encrypt Host Connections menu option. As managed hosts are added or edited in QRadar in the Deployment Options, Administrators can choose the option to encrypt the connection based on the location of the appliance.

image-20190911105727-2

For security reasons, you cannot set up an SSH tunnel from the managed host to the Console, but you can set up an SSH tunnel from the Console to the managed host. The managed host's public key is not added to the Console's authorized keys file. These SSH sessions are initiated from the Console to provide data to the managed host. For example, the QRadar Console can initiate multiple SSH sessions to the Event Processor Appliances for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. QRadar QFlow Collectors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.

Using Tunnels adds extra layers to QRadar and can impact performance. If you are on a closed network, tunnels might not be the best solution. To improve performance, you might need to also enable Encryption compression. If you require encryption and the tunnel fails to add, look at the following suggestions to determine whether you see similar error messages or issues with SSH.

NOTE: Administrators are not able to SSH between managed hosts. SSH sessions must originate from the Console, or a root password is required when you SSH from the managed host to the Console. SSH from the Console and not a managed host is intentional, and IP tables are configured in QRadar to prevent users from moving between managed hosts freely as part of our security protocols. One exception is that you can SSH from a QFlow to a Flow Processor. The flow creates the tunnel to a Flow Processor so that it can communicate with it.

Diagnosing The Problem

Other Troubleshooting steps for QRadar 7.3.x versions

To locate issues with these services, type from the Console the command:

systemctl list-units --type=service | grep tunnel

All services show as active and the output similar to:

When a tunnel is not started, it is listed as failed:

tunnel@tunnel2.service loaded failed failed QRadar Tunnel tunnel

Other troubleshooting from System and License Management verifies that the host is not in an unknown state.

Check to make sure that the Host is online or there is not a network issue.

Resolving The Problem

Restarting tunnels

From the example used in diagnosing the issue, the tunnel failed was tunnel@tunnel2.service. Restart the tunnel service by using the command:
```
systemctl restart tunnel@tunnel2.service
```
If not resolved, collect logs from the Console and the managed host with a failed tunnel. To collect logs, see Getting Help: What information should be submitted with a QRadar service request?
Open a case with IBM QRadar support
For more information on troubleshooting SSH connections, see QRadar: Troubleshooting SSH connections and tunnels issues

Related Information

QRadar: Troubleshooting SSH connections and tunnels issues

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Encryption","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips