IBM Support

QRadar: Troubleshooting connectivity issues when bidirectional communication is not allowed between appliances

Troubleshooting


Problem

The communication between two hosts is not bidirectional, which causes issues with tunnels and services.


Symptom

A collector stopped sending data to its target processor, and no logs arrive from this device.

Cause

The network is not allowing bidirectional communication as a security measure.

Environment

This guide covers deployments that have both processors and collectors, because the error is usually found in the communication from a collector to its target processor.

For example, a deployment with:
  • Console
  • Event Processor
  • Event Collector
The network allows the processor to communicate with the collector but denies any communication from the collector to the processor.

The following image, titled "Communication modes", illustrates a network with unidirectional communication.


Diagnosing The Problem

A collector is not able to connect to its target processor:

[root@qradar-ec ~]# ssh qradar-ep
ssh: connect to host qradar-ep port 22: Connection timed out

The target processor is able to connect to the collector:

[root@qradar-ep ~]# ssh qradar-ec
Last login: Thu May 25 14:53:28 2023 from X.X.X.X
[root@qradar-ec ~]#

Note: The administrator must verify that the target event processor is able to SSH into its associated event collector to ensure that the tunnels are successfully initiated.
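As an added example (not part of this IBM article), the following POSIX shell helper repeats the reachability check from the Diagnosing section as a plain TCP probe and maps the two directional results to the scenarios described in this article. The hostname qradar-ep is the article's example name; coreutils `timeout` and bash are assumed to be installed on the appliance.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the IBM article.
# Assumptions: run on the collector; "qradar-ep" is the article's example
# processor hostname; coreutils `timeout` and bash are installed.

# probe_tcp HOST PORT [TIMEOUT_SECONDS]
# Returns 0 when a TCP handshake to HOST:PORT completes, non-zero when the
# connection is refused or times out. Uses bash's /dev/tcp so that no
# extra tools (nc, nmap) are needed on a locked-down appliance.
probe_tcp() {
    host=$1; port=$2; secs=${3:-5}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# probe_result HOST PORT [TIMEOUT_SECONDS] -> prints "ok" or "fail"
probe_result() {
    if probe_tcp "$1" "$2" "${3:-5}"; then echo ok; else echo fail; fi
}

# classify EC_TO_EP EP_TO_EC
# Each argument is "ok" or "fail": the probe result from the collector to
# the processor and from the processor to the collector. Prints which
# scenario from the article applies and the action it recommends.
classify() {
    case "$1:$2" in
        ok:ok)     echo "bidirectional: tunnels can be started from either side" ;;
        fail:ok)   echo "unidirectional (EP->EC only): enable Remote Tunnel Initiation on the collector" ;;
        ok:fail)   echo "unidirectional (EC->EP only): remote tunnel initiation requires EP->EC SSH, keep it disabled" ;;
        fail:fail) echo "no connectivity: fix the network path before changing tunnel settings" ;;
        *)         echo "usage: classify ok|fail ok|fail" >&2; return 2 ;;
    esac
}

# Usage from the collector: `EP_TO_EC=ok sh probe.sh --run`. The EP->EC result
# cannot be measured from the collector, so it is taken from running the same
# probe on the processor and passed in via the EP_TO_EC variable.
if [ "${1:-}" = "--run" ]; then
    ec_to_ep=$(probe_result "${EP_HOST:-qradar-ep}" 22 5)
    classify "$ec_to_ep" "${EP_TO_EC:-fail}"
fi
```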

Resolving The Problem

To enable remote tunnel initiation and avoid these communication errors, administrators complete the following steps:
Note: The following steps do not enable bidirectional communication, but they allow the processor to start all the necessary connections with its associated collector.
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, click System and License Management.
  3. Make sure that Display shows Systems.
  4. Click the collector appliance with communication issues.
  5. Click Deployment Actions.
  6. Click Edit Host.
  7. Click the checkbox for Remote Tunnel Initiation to enable or disable this feature.
  8. Deploy changes.

Result
The administrator enabled remote tunnel initiation, and now the processor starts all the communications with the collector. For more information about remote tunnel initiation, see QRadar: How to disable or enable remote tunnel initiation.

Document Location

Worldwide


Document Information

Modified date:
30 June 2023

UID

ibm16998773