IBM Support

QRadar: SSH connection is closed with error "Server unexpectedly closed network connection"

Troubleshooting


Problem

The SSH session is closed, which prevents administrators from performing tasks on the QRadar Console CLI.

Cause

Possible causes for this problem can be:
 
  • Poorly performing network.
  • Unauthenticated SSH sessions crossed the threshold.

Diagnosing The Problem

Having a poorly performing network or reaching the SSH unauthenticated sessions threshold can cause the SSH sessions to be closed.
Poorly performing network
Administrators must work with their networking team to determine when the network is experiencing issues, such as network congestion on the path to the Console.
Unauthenticated sessions
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Check the number of unauthenticated SSH sessions.
    ps aux | echo "Unauthenticated sessions: " `grep -c "^sshd.*sshd:.*\[net\]"`
    Output example:
    Unauthenticated sessions:  0
    Result
    Administrators know how many unauthenticated SSH sessions exist.

Resolving The Problem

Before running the steps in this section, Administrators must determine whether they are experiencing one of the issues listed in the Diagnosing The Problem section.
Poorly performing network
Administrators must resolve the network issues with their respective networking team.
Unauthenticated sessions
The administrator can temporarily work around the issue by increasing the MaxStartups parameter. This parameter is used to limit the number of concurrent unauthenticated connections to the SSH service. In this example, we're increasing the value from 10 to 100 allowed connections.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Back up the ssh config file.
    cp /etc/ssh/sshd_config /store/ibm_support/sshd_config.backup-$(date +%F)
  3. Use the sed command to change the MaxStartups value.
    sed -i 's/#MaxStartups.*/MaxStartups 100/g' /etc/ssh/sshd_config
  4. Validate the new changes.
    grep MaxStartups /etc/ssh/sshd_config
    Output example:
    MaxStartups 100
  5. Restart the SSH service.
    systemctl restart sshd

    Result
    The maximum number of unauthenticated SSH sessions allowed is increased. If you still have connection issues, contact QRadar Support for assistance.
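
As an added example (not IBM's code), the following shell functions compare the session count from the Diagnosing The Problem step with the MaxStartups value that sshd will actually use, so you can confirm whether the threshold is being reached before and after the change. The function names, sample ps lines and sample config files are constructed for illustration; the script reads a single config file and does not follow Include directives.

```shell
#!/bin/sh
# Count unauthenticated sessions in `ps aux` output read from stdin, using the
# article's pattern: user "sshd" and a process title ending in [net].
count_unauth() {
    grep -c '^sshd.*sshd:.*\[net\]' || true   # grep exits 1 when the count is 0
}

# Print the "start" field of the first active MaxStartups line in file $1.
# A commented-out line is ignored; the fallback 10:30:100 is OpenSSH's
# documented default and is an assumption about the installed build.
maxstartups_start() {
    v=$(awk 'tolower($1) == "maxstartups" { print $2; exit }' "$1")
    v=${v:-10:30:100}
    echo "${v%%:*}"
}

# Compare a saved ps snapshot ($1) with an sshd_config ($2).
check_headroom() {
    n=$(count_unauth < "$1")
    limit=$(maxstartups_start "$2")
    if [ "$n" -ge "$limit" ]; then
        echo "AT_LIMIT $n/$limit"
    else
        echo "OK $n/$limit"
    fi
}

# Constructed sample data (not captured from a real Console).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
root      1021  0.0  0.1 112900 4300 ?  Ss  09:00  0:00 /usr/sbin/sshd -D
root      3900  0.0  0.2 158900 5700 ?  Ss  09:05  0:00 sshd: root@pts/0
root      4410  0.0  0.2 158900 5600 ?  Ss  09:12  0:00 sshd: root [priv]
sshd      4411  0.0  0.1 116100 2700 ?  S   09:12  0:00 sshd: root [net]
root      4415  0.0  0.2 158900 5600 ?  Ss  09:12  0:00 sshd: unknown [priv]
sshd      4416  0.0  0.1 116100 2700 ?  S   09:12  0:00 sshd: unknown [net]
EOF
printf '%s\n' 'Port 22' '#MaxStartups 10:30:100' > "$SAMPLE_DIR/before.conf"
printf '%s\n' 'Port 22' 'MaxStartups 100' > "$SAMPLE_DIR/after.conf"

check_headroom "$SAMPLE_DIR/ps.txt" "$SAMPLE_DIR/before.conf"   # commented default
check_headroom "$SAMPLE_DIR/ps.txt" "$SAMPLE_DIR/after.conf"    # after step 3
```

On a Console, save a snapshot with `ps aux > /tmp/ps.txt` and run `check_headroom /tmp/ps.txt /etc/ssh/sshd_config`.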

Document Location

Worldwide

Document Information

Modified date:
25 October 2023

UID

ibm16952373