IBM Support

QRadar: High Availability appliance is in Unknown state, 'Sent update status of host to unknown'

Troubleshooting


Problem

Administrators can experience issues where the high availability (HA) appliance displays 'Unknown' in the user interface from the Console. The unknown state of the standby appliance can be confirmed with the HA state command. If the primary appliance cannot connect to the secondary appliance due to a missing SSH key, the following error is displayed: Sent update status of host xx.xx.xx.xx to UNKNOWN.

Symptom

The System and License management interface from the Admin tab can display the Host Status column as 'Unknown'.


The logs on the active HA appliance can display the following INFO message in /var/log/qradar.log.
  [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater:   [INFO] [NOT:0000006000][192.168.0.97/- -] [-/- -]Sent update status of host 192.168.0.98 to UNKNOWN
    

Resolving The Problem

This issue is caused by the standby appliance missing the proper SSH keys. To resolve this issue, use this procedure.
  1. Use SSH to log in to the Console as root user.
  2. Open an SSH session to the active HA appliance.
  3. To verify the state of the HA appliance, type:
    /opt/qradar/ha/bin/ha state
  4. Navigate to /var/log/qradar.log.
  5. Review the output to determine the HA appliance with an Unknown state:
    /var/log/qradar.log: [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][192.168.0.97/- -] [-/- -]Sent update status of host 192.168.0.98 to UNKNOWN

    Note: In this example the active appliance is 192.168.0.97. The standby appliance is 192.168.0.98 and displays 'Unknown' as the status. Administrators can run the ha state command again to write an HA appliance status message in /var/log/qradar.log.
  6. To copy the SSH keys to the active HA appliance, type:
    ssh-copy-id {STANDBY_NODE_IP}
    Where {STANDBY_NODE_IP} is the address of the Standby appliance.
    ssh-copy-id 192.168.0.98
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@Standby_Node_IP's password: #############
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with: "ssh 192.168.0.98"
    and check to make sure that only the key(s) you wanted were added.
    Results
    After the copy is complete, the administrator can attempt to SSH to the standby appliance. Administrators can verify the status with the /opt/qradar/ha/bin/ha state utility. If you continue to experience issues with Unknown appliances, contact QRadar Support.
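
The log check and SSH test from the steps above, as an added shell example that is not part of the IBM document: it extracts the reporting host and the host marked UNKNOWN from log text, then tests whether key-based login works. The function names and the sample log lines are constructed for illustration; the log format is assumed from the line shown in step 5.

```shell
#!/bin/sh
# Added example (not IBM code). Intended to be run as root on the active HA
# appliance, for example: sh ha_unknown_check.sh /var/log/qradar.log
# (the script name is hypothetical).

# Constructed sample input: the line from step 5, a repeat of it, and a
# constructed line with a different status that must not match.
SAMPLE_LOG='[hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][192.168.0.97/- -] [-/- -]Sent update status of host 192.168.0.98 to UNKNOWN
[hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][192.168.0.97/- -] [-/- -]Sent update status of host 192.168.0.98 to UNKNOWN
[hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][192.168.0.97/- -] [-/- -]Sent update status of host 192.168.0.99 to CONSTRUCTED_OTHER_STATE'

# Read log text on stdin and print one "reporter target" pair per host that
# was set to UNKNOWN. Repeated log lines collapse to a single pair.
unknown_hosts() {
    sed -n 's#.*\[NOT:[0-9]*]\[\([0-9.]*\)/.*Sent update status of host \([0-9.]*\) to UNKNOWN.*#\1 \2#p' |
        sort -u
}

# Return 0 only if SSH to host $1 succeeds without any prompt.
# BatchMode=yes makes ssh fail instead of asking for a password, so a missing
# key shows up as a non-zero exit. An unreachable host or an unverified host
# key also fails here, so treat a failure as "investigate", not as proof.
key_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# Combine both checks for a log file given as $1.
report() {
    unknown_hosts < "$1" | while read -r reporter target; do
        if key_login_ok "$target"; then
            echo "$target: set to UNKNOWN by $reporter, key-based SSH works"
        else
            echo "$target: set to UNKNOWN by $reporter, key-based SSH failed (see step 6)"
        fi
    done
}

# Only contact other hosts when a log file is passed on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

After step 6, a second run should report that key-based SSH works for the standby address; the ssh-copy-id output's reminder to check that only the intended keys were added still applies.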

Document Location

Worldwide

Product

IBM Security QRadar SIEM

Category

High Availability

Platform

Linux

Version

7.3.0;7.3.1;7.3.2;7.3.3;7.4.0;7.4.1

Document Information

Modified date:
24 September 2020

UID

ibm16326029