IBM Support

QRadar: Deploy changes times out due to proxy configuration between Console and managed host. Response is empty messages.

Troubleshooting


Problem

Deploy changes and replication can fail if there is a proxy that is configured between the QRadar® Console and managed hosts, which can cause wget requests to fail.

Symptom

Administrators might experience an issue where deploy changes times out for a managed host. If wget is blocked between appliances, the hostcontext service might report the replication message 'Response is empty:'.

To confirm whether the QRadar appliance reports 'Response is empty:' messages, run the following command:
journalctl -xu hostcontext | grep "Response is empty"

Cause

A proxy configuration for wget can disrupt communication between the Console and the managed host. The deploy changes and replication processes use wget to retrieve configuration changes. If a proxy is enabled on appliances or wget is restricted for appliances in the network, the managed host cannot download the required files to deploy successfully. A timeout message is displayed.

Environment

This issue can occur when there is a proxy configured between a QRadar® Console and managed host. Networks that use proxies between Data Gateways appliances for QRadar® on Cloud Console appliances might also be impacted. 
 

Diagnosing The Problem

  1. To verify whether the wget request can complete on a managed host, type the following command:
    wget --no-check-certificate --server-response "https://127.0.0.1/console/"
  2. If the proxy is blocking the connection, the following message is displayed on the screen:
    --2020-05-16 13:18:55-- https://127.0.0.1/console/
    Resolving proxyname.server.com (proxyname.server.com)... 192.0.2.100
    Connecting to proxyname.server.com (proxyname.server.com)|192.0.2.100|:3128... connected.
    Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.

    Results
    The Proxy tunneling failed message indicates that the wget request is routed through the proxy and cannot complete. The output specifies the name and port of the proxy server. The proxy is unable to complete the request due to an SSL issue.

Resolving The Problem

To work around this issue, use one of the following methods:

Method 1: allowlist wget on your proxy

Because the proxy blocks this traffic, you can add an allowlist entry on the proxy for wget requests. This allows the traffic to traverse the proxy, and the wget requests can be processed.

Results
The wget requests that are used with deploy changes and replication now bypass the proxy and complete successfully.

Method 2: Bypass proxy for all wget requests

To bypass the proxy for wget requests, administrators can edit the wgetrc file on the QRadar appliance so that wget does not use the proxy settings. By default, the QRadar appliances are configured with use_proxy = on, but administrators who experience deploy issues can disable this option.

  1. Use SSH to log in to IBM QRadar as a root user.
  2. Optional. Open an SSH session from the QRadar® Console to the managed host that failed to deploy.
  3. Open /etc/wgetrc in a text editor. For example, type:
    vi /etc/wgetrc
  4. Locate the use_proxy configuration setting. For example, type:
    /use_proxy
    By default, the use_proxy setting for wget is on.
    # If you do not want to use proxy at all, set this to off.
    #use_proxy = on
  5. Press i to start insert mode in the vi editor.
  6. Set the use_proxy setting to off and remove the leading hash sign (#). For example:
    # If you do not want to use proxy at all, set this to off.
    use_proxy = off
    Note: The leading hash sign (#) must be removed for the change to take effect on the managed host.
  7. Press Esc to exit insert mode.
  8. To save your changes, type:
    :wq!
  9. Restart the hostcontext process for the changes to take effect:
    systemctl restart hostcontext
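
To check the edit from step 6 and to recognize the failure shown under Diagnosing The Problem, the following script is an added example and is not part of the IBM technote. The function names effective_use_proxy and proxy_from_wget_output are hypothetical, and the demo input is constructed from the wgetrc lines and wget output shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not IBM code. Function names are hypothetical.

# Print the effective use_proxy value ("on" or "off") for the wgetrc file $1.
# Commented-out lines have no effect. Assumptions: the last active line wins,
# and only the spelling use_proxy with the values on/off is handled.
# With no active line, the wget default (on) applies.
effective_use_proxy() {
  awk '
    /^[ \t]*#/ { next }
    {
      line = tolower($0)
      if (line ~ /^[ \t]*use_proxy[ \t]*=/) {
        sub(/^[^=]*=[ \t]*/, "", line)   # keep only the value
        sub(/[ \t]+$/, "", line)
        if (line == "on" || line == "off") state = line
      }
    }
    END { print (state == "" ? "on" : state) }
  ' "$1"
}

# Read wget output on stdin. If it contains "Proxy tunneling failed", print the
# host:port wget connected to (the proxy) and return 0; otherwise return 1.
proxy_from_wget_output() {
  awk '
    /^Connecting to / {
      split($4, part, "|")               # (name)|address|:port...
      hop = $3 part[3]
      sub(/\.\.\.$/, "", hop)
    }
    /Proxy tunneling failed/ { found = 1 }
    END { if (found) print hop; exit !found }
  '
}

# Demo on constructed input that mirrors the wgetrc lines and wget output above.
demo_rc=$(mktemp)
printf '%s\n' '# If you do not want to use proxy at all, set this to off.' \
  '#use_proxy = off' > "$demo_rc"
echo "commented-out edit -> use_proxy is $(effective_use_proxy "$demo_rc")"
printf '%s\n' 'use_proxy = off' > "$demo_rc"
echo "active edit        -> use_proxy is $(effective_use_proxy "$demo_rc")"
rm -f "$demo_rc"
printf '%s\n' \
  'Connecting to proxyname.server.com (proxyname.server.com)|192.0.2.100|:3128... connected.' \
  'Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.' |
  proxy_from_wget_output
```

On an appliance, call effective_use_proxy /etc/wgetrc after saving the file, and pipe the diagnostic wget command into proxy_from_wget_output with 2>&1, because wget writes these messages to standard error.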

Document Location

Worldwide


Document Information

Modified date:
22 February 2021

UID

ibm16205476