IBM Support

QRadar: Checking SSH connectivity to ensure a connection can be formed

Troubleshooting


Problem

Establishing SSH connections between the Console and a Managed Host can return error messages that indicate issues with the network, NICs, firewall, or hosts that are down. This article provides an overview of errors like "No route to host", "Connection timed out", and "Connection refused".

Symptom

Trying to establish an SSH connection from the Console to a Managed Host fails with a similar error:

  • ssh: connect to host 192.0.2.11 port 22: No route to host
  • ssh: connect to host 192.0.2.11 port 22: Connection timed out
  • ssh: connect to host 192.0.2.11 port 22: Connection refused
  • ssh: connect to host 192.0.2.11 port 22: Connection reset by peer

Cause

There are several potential reasons why the SSH session cannot be established:

  • Firewall blocking port 22.
  • The managed host is powered off.
  • The managed host has NIC issues, for example, IP address misconfiguration, NIC down, and so on.
  • The managed host cannot be reached due to network configuration issues, for example, routing.
  • The SSH service is not running on the managed host.
  • The SSH negotiation fails.

Diagnosing The Problem

Administrators can use the telnet command to validate whether the network is blocking the connection to the remote host.

The following example shows what a good SSH connection looks like:

ssh <Remote_IP>

Output example:

Last login: Thu Jun  8 09:47:17 2023 from X.X.X.X
This server was upgraded to QRadar <version>.
[root@remoteHost ~]#

Result
The administrator validated the SSH connectivity and can proceed with the Resolving The Problem section.

Resolving The Problem

To resolve the SSH connection issue, see the explanation under the connection message that matches the error.

SSH connection message: Connection timed out

[root@console ~]# telnet 192.168.0.77 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: Connection timed out.

Explanation
The "timed out" message is mostly related to a firewall silently denying the connection without sending a response back. Validate with your network administrator.

SSH connection message: Connection refused

[root@console ~]# telnet 192.168.0.77 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: Connection refused.

Explanation
The "connection refused" message is mostly related to a firewall actively blocking port 22. Validate with your network administrator.

SSH connection message: No route to host

[root@console ~]# telnet 192.168.0.77 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: No route to host

Explanation
The "no route to host" message means that the remote host is not reachable. The "no route" message shows up when the remote host is down or the network has no access to it.
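
The checks above can also be run without a telnet client. The following is an added example, not IBM tooling: it probes the port with bash's built-in /dev/tcp and prints the explanation this article gives for each message. The function names are hypothetical, and 192.0.2.11 in the usage comment is a documentation address.

```bash
#!/usr/bin/env bash
# Added example, not IBM tooling; function names are hypothetical.
# Usage: probe_ssh_port 192.0.2.11 22 5

# Map a probe's exit status and message text to a failure category.
# ssh, telnet and bash all end their message with the same system error
# string, so one matcher covers the lines shown in this article.
classify_connect_result() {    # $1 = exit status, $2 = message text
    if [ "$1" -eq 0 ]; then echo open; return 0; fi
    case "$2" in
        *"Connection refused"*)       echo refused ;;
        *"No route to host"*)         echo no_route ;;
        *"Connection timed out"*)     echo timed_out ;;
        *"Connection reset by peer"*) echo reset ;;
        *)  # timeout(1) exits 124 when it had to kill a hanging connect
            if [ "$1" -eq 124 ]; then echo timed_out; else echo unknown; fi ;;
    esac
}

# Attempt a TCP connect with bash's /dev/tcp (no telnet client needed) and
# print the category with the explanation this article gives for it.
probe_ssh_port() {             # $1 = host, $2 = port (22), $3 = seconds (5)
    p_host=$1; p_port=${2:-22}; p_wait=${3:-5}
    p_msg=$(timeout "$p_wait" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ \
            "$p_host" "$p_port" 2>&1)
    p_rc=$?
    p_state=$(classify_connect_result "$p_rc" "$p_msg")
    case "$p_state" in
        open)      echo "open: TCP connection to $p_host:$p_port succeeded" ;;
        timed_out) echo "timed_out: a firewall is most likely denying the connection silently" ;;
        refused)   echo "refused: a firewall is most likely actively blocking port $p_port" ;;
        no_route)  echo "no_route: the remote host is down or the network has no access to it" ;;
        *)         echo "$p_state: $p_msg" ;;
    esac
    [ "$p_state" = open ]      # return 0 only when the port is reachable
}
```

classify_connect_result can also be given the text of a failed ssh or telnet attempt directly, together with that command's exit status.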

For more information about SSH, see QRadar: About Secure Shell (SSH).

Document Location

Worldwide


Document Information

Modified date:
22 February 2024

UID

ibm10960870