IBM Support

QRadar EDR (formerly ReaQta): Troubleshooting registration errors that occur during client installation

Troubleshooting


Problem

When you are installing the QRadar EDR (formerly ReaQta) endpoint client, the installer can report a 'Registration Failed' error.

Symptom


Cause

Registration issues are related to one of the following causes:
  • Backend communication problem
  • Code 403 - Invalid CSRF token
  • Code 409 - The endpoint is already registered
  • Code 442 - The group ID "GIDs" is missing or incorrect, or the maximum number of endpoints has been installed
  • Code 503 - The server license is not ready

To locate the errors reported:
  • For Windows installations, the registration error log is located in the %TEMP% folder (which expands to C:\Users\<YOUR_CURRENT_USER>\AppData\Local\Temp), and its file name begins with rqt_installer.
  • For macOS installations, the error log is visible from the terminal at installation time.
  • For Linux installations, the error log is visible from the terminal at installation time. The rqt_installer log files are also located in /tmp.

Backend communication problem

Here is an example of a Windows installer log entry that shows a communication problem with the Hive server:
1647016140900 - ReaQta Installer:
Status: 0
Response:
Exception: Backend communication problem.
If you experience communication issues with a Linux installation, you do not get a clear 'Exception' as you do with a Windows installation. Instead, you get this message:
ReaQta Installer:
Status: 0
Response:
Exception: * Line 1, Column 1 Syntax error: Malformed token
The following messages also appear in the console along with the report above:
retryHelper error code 113
sync_request exceptionFailed to connect to any resolved endpoint
If a 'Backend communication problem' is reported, check the following:
  1. Is the registration address correct?
  2. Is the endpoint able to directly reach the backend server? Are there any proxies requiring authentication in the path?
  3. Are there any firewalls in the path that are blocking the traffic?
  4. What is the status of the backend server? Is it offline?
  5. If you open a browser and test the registration address, does it connect? If the connection is successful, the expected response is a 404 error.
  6. On Windows, launch a command prompt with Administrator privileges and use these commands to check the proxy configuration:
    #Show proxy
    netsh winhttp show proxy
    #Delete proxy
    netsh winhttp reset proxy
    #Configure proxy
    netsh winhttp set proxy <proxy>:<port>

403 Error Code

The 403 error code indicates the registration address is incorrect. Verify the address and retry the installation.

409 Error Code

Here is an example of an installer log entry reporting a 409 error code:
1647031875587 - ReaQta Installer:
Status: 409
Response: {"endpointId":"840627178277175296","machineId":"f51848b25fec5096a04b5e3ac4256acd6ab8993ba03326dae930fbca74d682ea"}
Exception:
The 409 error code means the endpoint is already registered to the Hive backend server. This is most commonly associated with cloned machines; in that case, sysprep must be run on the endpoint. The error can also occur if a backup or VM snapshot is restored before the client installation and the installation is then run again.
In the example above, if you access the backend server web interface, you can use the URL below to access the conflicting endpoint registration:
https://name_or_ip/endpoints/840627178277175296


For more information on sysprep, see the Microsoft documentation: Sysprep process overview

442 Error Code

Here are examples of an installer log entry reporting a 442 error code:
 
1647033646145 - ReaQta Installer:
Status: 442
Response: {"type":"invalid-license-error-during-into-group-registration","error":"Can not register to groups"}
Exception:

1647033646145 - ReaQta Installer:
Status: 442
Response: {"type":"invalid-license-max-endpoints"}
Exception:
The 442 error code indicates one of the following:
  • The group ID "GIDs" parameter is incorrect or missing. To determine the correct GIDs parameter to use, log in to the backend server and navigate to Administration > Update Manager. Click the package you are trying to install and click the Installer Download tab. If you select a group, it displays the correct GIDs value to use.
  • The maximum number of endpoints has been installed, and either the license needs to be updated or endpoints must be uninstalled first.
  • The machine experienced a hardware change that invalidated the local license ID. It’s currently necessary to:
    1. Uninstall the corresponding endpoint from the dashboard
    2. From the endpoint, uninstall the agent from the command line
    3. Reinstall as usual

503 Error Code

Here is an example of an installer log entry reporting a 503 error code:
1647033646145 - ReaQta Installer:
Status: 503
Response: {"type":"license-not-ready-error"}
Exception:
This error code indicates a problem with the server license. Contact support for assistance.
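
To triage a collected rqt_installer log against the causes above, the following added example (not IBM's code) parses entries in the format of the samples on this page and maps each one to its cause. The names `triage`, `CAUSES`, `CAUSES_442`, `ENTRY` and the result keys are assumptions made for this example; it goes beyond the single-entry samples by handling logs with several entries, entries without a timestamp, and Windows line endings.

```python
import json
import re

# Causes as listed on this page, keyed by the installer's "Status:" value.
CAUSES = {0: "Backend communication problem", 403: "Registration address is incorrect",
          409: "Endpoint is already registered", 503: "Server license is not ready"}
# 442 sub-causes, keyed by the "type" field in this page's sample responses.
CAUSES_442 = {"invalid-license-error-during-into-group-registration": "GIDs parameter is missing or incorrect",
              "invalid-license-max-endpoints": "Maximum number of endpoints has been installed"}
ENTRY = re.compile(
    r"^(?:(?P<ts>\d+) - )?ReaQta Installer:[ \t]*\n"
    r"Status: (?P<status>\d+)[ \t]*\n"
    r"Response:[ \t]*(?P<resp>.*)\n"
    r"Exception:[ \t]*(?P<exc>.*)$", re.MULTILINE)

# Sample input: entries from this page (machineId left out of the 409 response).
SAMPLE = """1647016140900 - ReaQta Installer:
Status: 0
Response:
Exception: Backend communication problem.
1647031875587 - ReaQta Installer:
Status: 409
Response: {"endpointId":"840627178277175296"}
Exception:
"""

def triage(log_text):
    """Return one finding per installer entry found in rqt_installer log text."""
    findings = []
    for m in ENTRY.finditer(log_text.replace("\r\n", "\n")):
        status = int(m["status"])
        try:
            body = json.loads(m["resp"] or "{}")
        except json.JSONDecodeError:
            body = {}
        body = body if isinstance(body, dict) else {}
        if status == 442:
            cause = CAUSES_442.get(body.get("type"), "442: see the 442 section")
        else:
            cause = CAUSES.get(status, "Status not covered on this page")
        # A 409 response names the conflicting endpoint's page on the backend.
        path = f"/endpoints/{body['endpointId']}" if status == 409 and "endpointId" in body else None
        findings.append({"ts": m["ts"], "status": status, "cause": cause,
                         "path": path, "exception": m["exc"].strip()})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A 442 entry whose response type is not one of the two shown on this page (for example, after a hardware change) falls through to the generic 442 message.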

Document Location

Worldwide


Product Synonym

ReaQta

Document Information

Modified date:
17 May 2023

UID

ibm16562995