Troubleshooting
Problem
A Managed Host connection from the Console fails to be established because a NAT configuration translates the connection and no NAT Group is configured. The host addition process and the tunnel connection might fail in certain scenarios.
Symptom
The symptoms vary depending on which host originates the connection and in which direction (inbound or outbound) the network device performs the translation. Some scenarios and their symptoms are:
Scenario #1 - Console connection to the Managed Host being translated.
A Managed Host can't be added to the deployment. The following error message appears in the /var/log/qradar.error file:
[hostcontext.hostcontext] com.q1labs.configservices.capabilities.AddHost: [ERROR][-/- -]SSH connection or SSH command execution failed. The ip of the host is: <Managed Host IP>
Tunnel creation also fails when encryption is enabled on an attached Managed Host.
Scenario #2 - Managed Host connection to the Console being translated.
Managed Hosts that are already part of the deployment report issues in some services when connecting back to the Console.
Example of the impact on ecs-ec to ecs-ep communication:
[ecs-ec.ecs-ec] [ecs-ec/EC/TCP_TO_EP:TakeFromQueue] com.ibm.si.ec.destinations.StoreForwardDestination(ecs-ec/EC/TCP_TO_EP): [WARN] [NOT:0000004000][-/- -]IO Error
[ecs-ec.ecs-ec] [ecs-ec/EC/TCP_TO_EP:TakeFromQueue] java.io.IOException: Broken pipe
[ecs-ec.ecs-ec] [ecs-ec/EC/TCP_TO_EP:TakeFromQueue] com.ibm.si.ec.destinations.StoreForwardDestination(ecs-ec/EC/TCP_TO_EP): [WARN] [NOT:0000004000][-/- -]Unable to connect to server
Example of the impact on replication:
<Managed Host IP> replication[49309]: Response is empty: .
<Managed Host IP> replication[49309]: Could not download database updates: 0
<Managed Host IP> replication[49309]: Will attempt with the next address.
<Managed Host IP> replication[49309]: Response is empty: 0 .
<Managed Host IP> replication[49309]: Failed to download updates. Is the console online?
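The following Python sketch is an added example, not IBM code or part of the original technote. It sorts log lines into the two scenarios above using only the message strings quoted on this page. The rule names, function names and sample lines (with documentation-range 192.0.2.x addresses in place of <Managed Host IP>) are constructed for illustration.

```python
import re
from collections import defaultdict

# Message fragments copied from the log excerpts on this page.
# Scenario labels follow the page; rule names are hypothetical.
RULES = [
    ("scenario1/add-host-ssh",
     re.compile(r"capabilities\.AddHost: \[ERROR\].*SSH connection or SSH command "
                r"execution failed\. The ip of the host is: (?P<host>\S+)")),
    ("scenario2/ecs-ec-to-ep",
     re.compile(r"\[ecs-ec/EC/TCP_TO_EP:TakeFromQueue\].*"
                r"(?:IO Error|Broken pipe|Unable to connect to server)")),
    ("scenario2/replication",
     re.compile(r"(?P<host>\S+) replication\[\d+\]: (?:Response is empty|"
                r"Could not download database updates|Failed to download updates)")),
]

def classify(line):
    """Return (rule_name, host_or_None) for a symptom line, else None."""
    for name, pattern in RULES:
        m = pattern.search(line)
        if m:
            return name, m.groupdict().get("host")
    return None

def summarize(lines):
    """Group matching lines by rule: {rule: {"count": n, "hosts": set}}."""
    report = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            name, host = hit
            report[name]["count"] += 1
            if host:
                report[name]["hosts"].add(host)
    return dict(report)

# Constructed sample: the page's messages with a placeholder IP, plus one unrelated line.
SAMPLE = [
    "[hostcontext.hostcontext] com.q1labs.configservices.capabilities.AddHost: [ERROR][-/- -]SSH connection or SSH command execution failed. The ip of the host is: 192.0.2.20",
    "[ecs-ec.ecs-ec] [ecs-ec/EC/TCP_TO_EP:TakeFromQueue] java.io.IOException: Broken pipe",
    "[ecs-ec.ecs-ec] [ecs-ec/EC/TCP_TO_EP:TakeFromQueue] com.ibm.si.ec.destinations.StoreForwardDestination(ecs-ec/EC/TCP_TO_EP): [WARN] [NOT:0000004000][-/- -]Unable to connect to server",
    "192.0.2.20 replication[49309]: Could not download database updates: 0",
    "192.0.2.20 replication[49309]: Will attempt with the next address.",
    "192.0.2.20 replication[49309]: Failed to download updates. Is the console online?",
    "[example.example] constructed unrelated line: [INFO] nothing to see",
]

if __name__ == "__main__":
    for rule, info in summarize(SAMPLE).items():
        print(rule, info["count"], sorted(info["hosts"]))
```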
Document Location
Worldwide
Document Information
Modified date:
25 October 2023
UID
ibm16403123