Troubleshooting device discovery and backup

Fix issues with device discovery and backup. The log details and the error and warning messages that are described here can help you troubleshoot.

Device backup failure

Start by checking the device login credentials:
  1. On the Admin tab, click Configuration Source Management.
  2. Verify that the credentials to access the target device are correct.
  3. Test the credentials on the target device.

View device backup errors

To see backup errors, do the following steps:

  1. On the Admin tab, click Configuration Source Management.
  2. Click a device, and then click View error.

This table lists the error message identifier, the description of the message and the suggested troubleshooting action.

Table 1. Device backup errors (backup error, error description, suggested troubleshooting step)

UNEXPECTED_RESPONSE
  Description: Connection attempt timed out
  Suggested troubleshooting step: Verify that you're using the correct adapter.

INVALID_CREDENTIALS
  Description: Credentials are incorrect
  Suggested troubleshooting step: Check the credentials in Configuration Source Management.

SSH_ERROR
  Description: Connection error
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the SSH connection protocol is allowed and that it is configured correctly.

TELNET_ERROR
  Description: Connection error
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the Telnet connection protocol is allowed and that it is configured correctly.

SNMP_ERROR
  Description: Connection error
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that SNMP is allowed and that it is configured correctly.

TOO_MANY_USERS
  Description: The number of users that are configured to access this device is exceeded.
  Suggested troubleshooting step: Log on to the device and check its configuration for the maximum number of users that can access the device at the same time.

DEVICE_MEMORY_ERROR
  Description: Device configuration errors
  Suggested troubleshooting step: Verify that the device is working correctly. Access the device, verify the configuration, and check the logs for errors. Use your device documentation to help you troubleshoot errors.

NVRAM_CORRUPTION_ERROR
  Description: Device access issues
  Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

INSUFFICIENT_PRIVILEGE
  Description: The user that is configured to access the device has insufficient privilege
  Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

DEVICE_ISSUE
  Description: Error on the device
  Suggested troubleshooting step: Select the device in Configuration Source Management and click View error to see more details.

Backup completes with parse warning

To view more detail about the warning, do the following steps:

  1. Click the Risks tab.
  2. From the navigation menu, click Configuration Monitor.
  3. Click See Log for the selected device in the Device List table.

Verify whether you have the most recent adapter versions

To check your adapter versions, log in as root to the QRadar® Risk Manager appliance and then type the following command:

yum list adapter\*

You can look for date information in the names of the adapters to help you determine the release dates.

To download the most recent adapter bundle, do the following steps:

  1. Go to IBM® Fix Central (https://www.ibm.com/support/fixcentral/).
  2. In the Product selector field, type Risk Manager to filter your selection.
  3. Click IBM QRadar Risk Manager.
  4. From the Installed Version list, select the version that is installed on your system.
  5. From the Platform list, select the operating system that is installed on your system, and then click Continue.
  6. Click Browse for fixes, and then click Continue.
  7. To download the most recent adapter bundle, click the adapter-bundle link on the top of the Adapter list.

Verify whether your device backup is current

To verify whether you have a recent backup, do these steps:

  1. Click the Risks tab.
  2. From the navigation menu, click Configuration Monitor.
  3. Double-click the device in the Device List table.
  4. From the toolbar, click History. The most recently imported configuration is displayed.

If you don't think that you have the most recent configuration, run the backup again to verify.

Error when importing configurations from your devices

An incorrectly formatted CSV file can cause a device backup to fail. Do these steps to check the CSV file:

  1. Review your CSV file to correct any errors.
  2. Re-import your device configurations by using the updated CSV file.

Failure to discover devices from Check Point SMS (OPSEC)

Follow all steps in the "Adding devices that are managed by a CPSMS console" section of the IBM QRadar Risk Manager Adapter Configuration Guide, especially steps 7 and 8 where the OPSEC fields must be precise.

Device backup failure because of login message or message of the day

Adapters that use Telnet and SSH to connect to devices use regular expressions (regex) to match device prompts. If characters in the login message or the message of the day match the regex, then the backup process might fail.

For example, the following login banner on a Cisco ASA causes the backup to fail: the ASA adapter's prompt regex #\s*$ matches the # characters at the end of the banner line, so the adapter treats the banner as the device prompt.

############### Welcome to ASA ###############

The following table lists the adapters and their regexes that are impacted by these backup failures:

Table 2. Adapters and their regexes (single quotes (') are used as delimiters and are not part of the regex)

CheckPoint SecurePlatform
  'sername:|(?<!Last)\s+login:'
  '[Pp]assword:'
  '(#|\$|>)\s*$'

Cisco SecurityAppliance (ASA)
  'sername:|ogin:'
  '[Pp]assword:'
  '>\s*$'
  '#\s*$'

Cisco Nexus
  'sername:\s*'
  'assword:\s*'
  '(^|\n|\r)[^#^\n^\r]+#\s*$|[^#^\n^\r]+#\s*\S+#\s*$'
  '\/hello>\W+?'

Cisco IOS
  'maximum number of telnet'
  'assword required, but none se'
  'sername:'
  'assword:'
  'PASSCODE:'
  '(?m)^\w\S*#\s*(?![\n\r])$'
  '(?m)^\w\S*>\s*(?![\n\r])$'
  'any key to'
  'User Interface Menu'

Cisco CatOS
  'sername:|ogin:'
  '[Pp]assword:'
  '\n\S+\s$'
  '\(enable\)\s*$'
  '(^|\n|\r)[^>^(\n|\r)]+>\s*$'

HP ProVision
  '\S+>'
  '\S+#'
  'sername:\s*\Z'
  'ogin as:'

TippingPoint IPS
  'sername:|ogin:'
  'assword:'
  '(#|\$|>)\s*$'

CheckPoint OPSEC
  'sername:|(?<!Last)\s+login:'
  '[Pp]assword:'
  '(#|\$|>)\s*$'

McAfee Sidewinder
  'sername:|(?<!Last)\s+login:|(login:\s+)$'
  '[Pp]assword:'
  '(#|\$|>|%)\s*$'

Juniper ScreenOS
  'sername:|ogin:'
  '[Pp]assword:'
  '(#|>)\s*$'

Juniper JUNOS
  '^\s*login:'
  'assword'
  '%'
  '.+>'

Juniper NSM
  'sername:|(?<!Last)\s+login:'
  '[Pp]assword:'
  '(#|\$|>)\s*$'

Sourcefire 3D
  '(#|\$|\>)\s*$'
  '(\>\s*expert\a?)\s*$'
  '([Pp]assword)\s*\:\s*$'

F5 BIG-IP
  'sername:|ogin:\s*$'
  'continue connecting \(yes\/no\)\?\s*$'
  '[Pp]assword:\s*$'
  '(#|\$)\s*$'

Fortinet FortiOS
  'sername:|(?<!Last)\s+login:'
  '[Pp]assword:'
  '(#|\$|>)\s*$'

Nokia CheckPoint
  'sername:\s*$|ogin:\s*$'
  '[Pp]assword:'
  'Terminal\s+type\?'
  '(#|\$|>)\s*$'
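The check below is an added example, not code from this page or from IBM. It takes a proposed login banner or message of the day and tests each line against the prompt regexes that Table 2 lists for a handful of adapters, so that you can tell before deploying a banner which adapters would mistake it for a device prompt (the failure mode the ASA example in the previous section describes). It assumes that Python's re module behaves like the adapters' own regex engine for these patterns, and the banners other than the ASA one are constructed for the demonstration.

```python
import re

# Banners to lint. The first is the banner quoted in the section above; the
# other two are constructed for this example.
ASA_BANNER = "############### Welcome to ASA ###############"
SAFE_BANNER = "*** Authorized use only ***\nDisconnect now if you are not an authorized user."
PERCENT_BANNER = "Maintenance window tonight.\nDisk usage: 87%"

# Prompt-detection regexes copied from Table 2 for a subset of adapters
# (the login and password regexes are omitted; they are not the problem here).
# Assumption: Python's re module approximates the adapters' regex engine.
ADAPTER_PROMPT_REGEXES = {
    "Cisco SecurityAppliance (ASA)": [r">\s*$", r"#\s*$"],
    "Cisco IOS": [r"(?m)^\w\S*#\s*(?![\n\r])$", r"(?m)^\w\S*>\s*(?![\n\r])$"],
    "CheckPoint SecurePlatform": [r"(#|\$|>)\s*$"],
    "McAfee Sidewinder": [r"(#|\$|>|%)\s*$"],
    "Juniper JUNOS": [r"%", r".+>"],
}


def banner_prompt_collisions(banner, regexes=ADAPTER_PROMPT_REGEXES):
    """Return {adapter: [(line, regex), ...]} for every banner line that one of
    the adapter's prompt regexes would accept as a device prompt.

    Each line is tested on its own. That is deliberately conservative: the
    adapter matches against the output received so far, and at the moment a
    banner line is the last thing received, its tail is what the regex sees.
    """
    collisions = {}
    for adapter, patterns in regexes.items():
        for line in banner.splitlines():
            for pattern in patterns:
                if re.search(pattern, line):
                    collisions.setdefault(adapter, []).append((line, pattern))
    return collisions


def banner_is_safe(banner, regexes=ADAPTER_PROMPT_REGEXES):
    """True when no line of the banner matches any of the prompt regexes."""
    return not banner_prompt_collisions(banner, regexes)


if __name__ == "__main__":
    for name, banner in (("ASA banner", ASA_BANNER),
                         ("safe banner", SAFE_BANNER),
                         ("percent banner", PERCENT_BANNER)):
        hits = banner_prompt_collisions(banner)
        print(f"{name}: {'safe' if not hits else 'would be mistaken for a prompt'}")
        for adapter, matches in hits.items():
            for line, pattern in matches:
                print(f"  {adapter}: regex '{pattern}' matches line {line!r}")
```

The ASA banner trips every adapter whose prompt regex ends in a bare '#' alternative, but not Cisco IOS, whose regex also requires the line to start with a word character; a banner line that ends in a percent sign trips McAfee Sidewinder and Juniper JUNOS instead. To lint against the adapters you actually use, add their prompt regexes from Table 2 to ADAPTER_PROMPT_REGEXES.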