IBM Support

QRadar: Troubleshooting Rapid7 Nexpose Scan Imports that use Adhoc Report via API

Troubleshooting


Problem

Scan imports from Rapid7 Nexpose installations that use Import Site Data - Adhoc Report via API with larger reports can be halted by session timeouts. This article outlines the causes to help administrators troubleshoot API connection issues.

Symptom

QRadar scan imports that use the Collection Type Import Site Data - Adhoc Report via API do not import data properly and generate timeout errors.

Cause

Many of the reported issues around API site imports are caused by scanning large sites that take several hours or more to complete. Large reports cause a race condition between the time it takes for the report to generate and the default session timeout values on the Nexpose appliance. Large site reports that take over 3 hours can also cause the QRadar side of the connection to close. In most cases, administrators can review the error logs to determine the root cause of the issue. Once the cause is identified, the administrator can determine whether it is possible to extend the timeout values on the Nexpose appliance or to create smaller adhoc reports.

Diagnosing The Problem

Rapid7 Nexpose must successfully generate a site scan report before the session timeout value expires. To determine whether the connection was terminated by the Nexpose appliance or by QRadar, the administrator can review the QRadar error log at /var/log/qradar.error. The QRadar appliance logs when the connection to the remote Nexpose appliance was opened, and the returned error is logged as well. The administrator can compare the two timestamps to determine when the connection was closed, which can indicate which timeout value caused the issue.
Typical error messages
The web server session timeout expired on the Nexpose appliance or an external source terminated or dropped the connection, and a 'Connection reset' error message is written in the logs.
An example of a connection reset error:
Jul 30 14:59:29 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-1-worker] java.net.SocketException: Connection reset
The API request made by QRadar has not received any data in the last 3 hours, and the error message indicates that QRadar closed the socket that was listening for report data. This error indicates that the report includes too many IPs; the site can be split into multiple smaller scans.
An example of a timeout error:
Jul 29 11:52:29 10.10.10.144 [vis0.vis] [Radpid7 Nexpose Scanner-1-worker] com.q1labs.vis.exceptions.ScannerTaskException: Timeout of [10800000] milliseconds exceeded waiting for adhoc report generation - cannot process report for SiteID [12]

Resolving The Problem

Before you start
The Nexpose administrator can review the error log to determine and record the time difference between when the adhoc report started and when the error message occurred. The start of the report generation is identified in the logs. The timestamps can help identify the root cause of the connection reset.
In this example, the connection reset occurred exactly 5 minutes after the scan started. This behavior can be caused by a short timeout value, such as the web server timeout on the Nexpose administration tab.
Start of scan message example:
Jul 29 11:45:26 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-52-worker] com.q1labs.vis.scanners.rapid7_nexpose.NexposeTaskModule: [INFO] [NOT:0000006000][10.10.10.144/- -] [-/- -]Submitted Adhoc report request for Site [PRD-ENT-A] with ID [5] - awaiting results  
Connection reset error example:
Jul 29 11:50:26 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-1-worker] java.net.SocketException: Connection reset
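The timestamp comparison described above (for both the "Typical error messages" and the "Before you start" examples) can be automated. The following script is an added example written for this article, not IBM or Rapid7 code: it reads /var/log/qradar.error style lines, pairs each "Submitted Adhoc report request" message with the later "Connection reset" or "Timeout of [...] milliseconds exceeded" message, computes the elapsed time, and labels the likely cause. The log lines embedded in it are constructed from the messages quoted in this article, the 30-minute threshold for a "short" reset and the year used for the year-less syslog timestamps are assumptions, and the pairing rule (a timeout is matched by SiteID, a reset is matched to the most recently submitted request) is a heuristic.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/qradar.error lines, modelled on the messages
# quoted in this article (not a real capture). Site ID 12 is submitted
# 3 hours before its timeout message to reproduce the QRadar-side limit.
SAMPLE_LOG = """\
Jul 29 08:52:29 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-7-worker] com.q1labs.vis.scanners.rapid7_nexpose.NexposeTaskModule: [INFO] [NOT:0000006000][10.10.10.144/- -] [-/- -]Submitted Adhoc report request for Site [PRD-ENT-B] with ID [12] - awaiting results
Jul 29 11:45:26 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-52-worker] com.q1labs.vis.scanners.rapid7_nexpose.NexposeTaskModule: [INFO] [NOT:0000006000][10.10.10.144/- -] [-/- -]Submitted Adhoc report request for Site [PRD-ENT-A] with ID [5] - awaiting results
Jul 29 11:50:26 10.10.10.144 [vis0.vis] [Rapid7 Nexpose Scanner-1-worker] java.net.SocketException: Connection reset
Jul 29 11:52:29 10.10.10.144 [vis0.vis] [Radpid7 Nexpose Scanner-1-worker] com.q1labs.vis.exceptions.ScannerTaskException: Timeout of [10800000] milliseconds exceeded waiting for adhoc report generation - cannot process report for SiteID [12]
"""

# syslog-style timestamp at the start of each line (no year is written)
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
SUBMIT_RE = re.compile(
    r"Submitted Adhoc report request for Site \[(?P<name>[^\]]*)\] with ID \[(?P<id>\d+)\]")
RESET_RE = re.compile(r"java\.net\.SocketException: Connection reset")
TIMEOUT_RE = re.compile(
    r"Timeout of \[(?P<ms>\d+)\] milliseconds exceeded.*SiteID \[(?P<id>\d+)\]")

# Assumed threshold: a reset this soon after submission points at a session
# timeout on the Nexpose web server (or a proxy/firewall in the path), not at
# the QRadar-side wait limit.
SHORT_RESET_SECONDS = 30 * 60
LOG_YEAR = 2022  # assumed; syslog timestamps carry no year


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if the line has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group('ts')} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def classify(event, elapsed_s):
    """Map an event and the seconds since submission to a likely cause."""
    if event == "qradar_timeout":
        return "qradar_wait_limit"        # QRadar gave up waiting: split the site
    if elapsed_s <= SHORT_RESET_SECONDS:
        return "short_session_timeout"    # Nexpose web server timeout or a device in the path
    return "long_running_reset"           # check proxies/firewalls, consider smaller reports


def analyze(log_text):
    """Pair each submitted adhoc request with its failure and label the cause."""
    pending = {}   # site id -> (site name, submit time); dict keeps insertion order
    findings = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        m = SUBMIT_RE.search(line)
        if m:
            pending[m.group("id")] = (m.group("name"), ts)
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            site_id, event = m.group("id"), "qradar_timeout"
        elif RESET_RE.search(line) and pending:
            site_id, event = next(reversed(pending)), "connection_reset"
        else:
            continue
        if site_id not in pending:
            continue
        name, started = pending.pop(site_id)
        elapsed = (ts - started).total_seconds()
        findings.append({
            "site_id": site_id, "site": name, "event": event,
            "elapsed_s": elapsed, "verdict": classify(event, elapsed),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"site {f['site_id']} ({f['site']}): {f['event']} after "
              f"{f['elapsed_s']:.0f}s -> {f['verdict']}")
```

Run against the constructed sample, the reset for site 5 is reported 300 seconds after submission (the short-timeout case that the procedure below addresses), and the timeout for site 12 is reported 10800 seconds after submission (the 3-hour QRadar-side limit, which calls for smaller scans rather than a Nexpose setting change). To use it on a real appliance, replace SAMPLE_LOG with the contents of /var/log/qradar.error and keep in mind that the reset-to-request pairing is only a best guess when several sites are in flight at once.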
If the issue is a short timeout, follow this procedure to increase it.
Procedure
  1. Log in to the Rapid7 Nexpose user interface.
  2. Select the Administration tab.
  3. From Nexpose Security Console, select Manage.
  4. From the navigation menu on the left side of the Nexpose Security Console Configuration window, select Web Server.
  5. Increase the value for Session timeout (in seconds).
  6. Click Save.

Results
If the issue persists after increasing the timeout, check the following:
  • Administrators can review network proxies or firewalls that might be closing connections when no traffic exists. It is possible that an outside network resource is closing what it perceives as an open connection, when in reality the connection is waiting for the adhoc scan to complete and provide data back to QRadar.
  • If the issue is timeout-related, then administrators can review and reduce the number of IPs being scanned by Nexpose. If the scan is taking more than 3 hours to complete, then QRadar might be closing the connection. The administrator can separate large scans into smaller IP ranges and run multiple scans. This issue is identified by the timeout error message in the QRadar logs:
    Jul 29 11:52:29 10.10.10.144 [vis0.vis] [Radpid7 Nexpose Scanner-1-worker] com.q1labs.vis.exceptions.ScannerTaskException: Timeout of [10800000] milliseconds exceeded waiting for adhoc report generation - cannot process report for SiteID [12] 
  • If you are still having issues importing large sites that use the API, you can use the Import Site Data - Local File collection type instead. This collection type works by copying completed Nexpose (XML) scan reports to the QRadar appliance responsible for importing the vulnerability data.


Document Information

Modified date:
27 May 2022

UID

swg21883276