Troubleshooting
Problem
Adding a Data Gateway appliance to QRadar on Cloud (QRoC) can fail when certain conditions are not met. This guide provides troubleshooting techniques that help resolve common issues when you are adding a Data Gateway.
Resolving The Problem
Pre-tests before you add a Data Gateway appliance
Ensure you meet all the prerequisites.
- Test your Data Gateway connection
  - Use SSH to log in to your Data Gateway appliance as the root user.
  - Run the following commands to ensure you can reach the Console:
    - Test your Data Gateway's connection to the Console:
      telnet x.x.x.x 443
      Replace x.x.x.x with the public IP of the QRoC Console provided in onboarding.
    - Test the Data Gateway's connection to the IBM VPN:
      telnet y.y.y.y 443
      Replace y.y.y.y with the IP of the QRoC VPN server provided in onboarding.
  - If you are unable to successfully establish a connection, confirm your public IP is included in the allowlist. For more information, see Allowlisting an IP address.
  - Retry the telnet commands to the Console and VPN.
  Information: To find your public IP, you can enter the following command:
  dig +short FQDN @DNS
- Ensure the Data Gateway appliance can resolve the Console hostname
  Some environments do not have access to DNS, which can cause problems when you are adding a Data Gateway.
  - Create a token for the Data Gateway appliance by using the following instructions.
  - Test the DNS connectivity with the following command:
    nc -zv FQDN 443
    Replace FQDN with the Console's fully qualified hostname and domain.
  - If you are unable to resolve the hostname, add the public IP of the Console to your hosts file:
    echo "x.x.x.x SHORTHOSTNAME FQDN" >> /etc/hosts
    Replace x.x.x.x with the public IP of the Console, SHORTHOSTNAME with the hostname, and FQDN with the fully qualified hostname with the domain.
  - After the IP is added to the hosts file, rerun the procedure to confirm the hostname resolution.
- Testing SSL Certificates
  This test ensures that no proxy or web cache is modifying the certificates. If any proxy server or web cache modifies the certificate, the host adding process fails.
  - Test the SSL by using the following command, with FQDN replaced with the Console's fully qualified hostname and domain for your deployment:
    openssl s_client -connect FQDN:443 -showcerts </dev/null | less

Result
Example of a successful response:
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=COUNTRY/ST=STATE/L=CITY/O=COMPANY/CN=*.DOMAIN
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
<certificate hash>
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
<certificate hash>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRY/ST=STATE/L=CITY/O=COMPANY/CN=*.DOMAIN
issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3737 bytes and written 415 bytes
---
SSL handshake has read 3737 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is AAAAA-AAA-AAA111-AAA-AAA111
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : AAAAA-AAA-AAA111-AAA-AAA111
    Session-ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Session-ID-ctx:
    Master-Key: <master key>
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket: (REDACTED)
    Start Time: 1665573780
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

Example of a failed response:
verify error: num=20: unable to get local issuer certificate

If you receive something other than the correct certificate, ensure your proxy or web cache passes the certificate through with no modifications. If you are using a proxy, it must be a transparent inline proxy as outlined in the Data Gateway appliance prerequisites.
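
The following is an added example, not part of the original article or of QRadar tooling: it classifies the output of the openssl s_client test above. It goes one step beyond the page's check by also comparing the issuer, because an inspecting proxy whose CA is trusted on the host still produces "Verify return code: 0". The function names, the EXPECTED_ISSUER value and the sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: classify `openssl s_client` output for the certificate pre-test.
# EXPECTED_ISSUER is an assumption; set it to the issuer your Console presents.
EXPECTED_ISSUER='DigiCert TLS RSA SHA256 2020 CA1'

# classify_tls EXPECTED_ISSUER   (reads s_client output on stdin)
# Prints: ok | verify_failed | issuer_mismatch | no_handshake
classify_tls() {
    expected_issuer="$1"
    out="$(cat)"
    # No CONNECTED line: the session never started (firewall, allowlist, DNS).
    printf '%s\n' "$out" | grep -q '^CONNECTED' || { echo no_handshake; return 3; }
    # The last "Verify return code" line carries the chain verdict.
    # A missing line leaves $code empty, which is treated as a failure.
    code="$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)"
    [ "$code" = "0" ] || { echo verify_failed; return 1; }
    # Chain verified; confirm it was issued by the CA you expect. The substring
    # match works for both "/C=US/..." and "C = US, ..." issuer formats.
    issuer="$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)"
    case "$issuer" in
        *"$expected_issuer"*) echo ok; return 0 ;;
        *) echo issuer_mismatch; return 2 ;;
    esac
}

# Live use on the Data Gateway: check_console_tls FQDN EXPECTED_ISSUER
check_console_tls() {
    openssl s_client -connect "$1:443" -showcerts </dev/null 2>&1 | classify_tls "$2"
}

# Constructed sample outputs, trimmed to the lines the check reads.
SAMPLE_OK='CONNECTED(00000003)
issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    Verify return code: 0 (ok)'
SAMPLE_PROXY='CONNECTED(00000003)
issuer=/O=Example Corp/CN=Example Inspection CA
    Verify return code: 0 (ok)'
SAMPLE_FAIL='CONNECTED(00000003)
issuer=/O=Example Corp/CN=Example Inspection CA
    Verify return code: 20 (unable to get local issuer certificate)'

for sample in "$SAMPLE_OK" "$SAMPLE_PROXY" "$SAMPLE_FAIL"; do
    printf '%s\n' "$sample" | classify_tls "$EXPECTED_ISSUER" || true
done
```

An issuer_mismatch result with a verify code of 0 points to a certificate re-signed by a locally trusted inspection CA, which the telnet and nc tests cannot reveal.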
Adding a Data Gateway appliance
When the pre-tests are complete, you can proceed with adding your Data Gateway appliance to QRoC.
- SSH into your QRadar console.
- Start the setup script:
/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
- When you add a Data Gateway, there is a two-step process. The first step is to download and build the VPN package, the second step is to create the VPN tunnel to the Console. The VPN package is directly tied to the token for your Data Gateway appliance. After this point, the data gateway tries to pull the VPN package. Here you might see an error similar to:
Traceback (most recent call last):
  File "/opt/qradar/bin/setup_qradar_host.py", line 1896, in checkAndCreatePid()
  File "/opt/qradar/bin/setup_qradar_host.py", line 1870, in checkAndCreatePid
    with open("/proc/%d/cmdline" % running_pid, 'r') as pid_cmd_file:
FileNotFoundError: [Errno 2] No such file or directory: '/proc/29071/cmdline'
- After the script exits, confirm that the tunnel started:
ifconfig tun0
- The command shows the VPN tunnel interface, which is a virtual interface on your system. If the tunnel is up, you see output similar to the following:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 32000
        inet 192.168.x.x netmask 255.255.255.0 destination 192.168.x.x
        inet6 fe80::xxxx:xxxx:xxxx:xxxx prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 100833357 bytes 8674333866 (8.0 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 541169286 bytes 799913312306 (744.9 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
If the tunnel interface does not exist, the command returns an error similar to the following:
ifconfig tun0
tun0: error fetching interface information: Device not found
Common errors when you are adding the Data Gateway
If you receive an error message when you attempt to add a Data Gateway appliance to QRadar on Cloud, select one of the following articles:
- TypeError: __init__() should return None, not 'IbmPropertiesFile'
- Not all hosts have completed the deployment successfully
- Failed to call VPN client API on host
- Unexpected failure occurred while processing API request
- Token Is Not a Recognized Format
- Tunnel fails and interface does not exist
Note: If you experience an error not listed in this article, see the related URL section for more resources or contact support.
Related Information
Document Location
Worldwide
Document Information
Modified date: 16 November 2022
UID: ibm16831317