IBM Support

QRadar: Unable to readd managed host due to error "No connection to tomcat".

Troubleshooting


Problem

A managed host cannot be readded after successfully being removed while being offline or unreachable (UNKNOWN state). The addition process fails when the managed host tries to connect to Tomcat.

Symptom

On the Console WebUI, the addition process will fail with the following error:
Error01
The following error appears in /var/log/qradar.log:
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [INFO] [NOT:0000006000][<IP of Console>/- -] [-/- -]Executing presence on host <IP of Managed Host> using console ip <IP of Console>
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][<IP of Console>/- -] [-/- -]Failed to read output from ssh connection on host <IP of Managed Host> 
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Failed to read output from ssh connection on host <IP of Managed Host>

Cause

This issue occurs when the managed host is removed from the deployment when is not reachable from the Console.
Due to the unreachability, a portion of the removal process (scriptToRemoveMH.sh) is not run in the managed host. This causes the managed host to believe it's still part of the deployment.

Diagnosing The Problem

After the add host process fails, the following errors can be seen on the affected managed host:

On the /var/log/setup-xxxx-/presence.log:

[presence.pl-18815]: Update CA trust anchor to console host

[presence.pl-18815]: Syncing local time to console host

[presence.pl-18815]: Restarting hostservices to pick up time change

[presence.pl-18815]: Testing tomcat connection ...

[presence.pl-18815]: Tomcat is not connected. ERROR:100024

On the /var/log/qradar.log:

[test_tomcat_connection] [main] com.q1labs.core.shared.jsonrpc.RPC: [INFO] [NOT:0000006000][<IP of Managed Host>/- -] [-/- -]The console IP in the connect url is equal to the real console IP. Won't try again. Throw the original error.

[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][<IP of Managed Host>/- -] [-/- -]Exception occured while attempting to communicate with tomcat.

[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO] [NOT:0000006000][<IP of Managed Host>/- -] [-/- -]No connection to tomcat

Resolving The Problem

  1. Log in to the affected managed host.
  2. Stop the hostcontext service.
     
    systemctl stop hostcontext
  3. Backup and overwrite the /opt/qradar/conf/nva.conf with a template one.
    1. Create the backup directory:
      mkdir -p /store/IBM_Support/
    2. Take a backup of the /opt/qradar/conf/nva.conf
      cp -av /opt/qradar/conf/nva.conf /store/IBM_Support/nva.conf.orig
    3. Overwrite the file:
      cp -av /opt/qradar/conf/templates/nva.conf /opt/qradar/conf/nva.conf
  4. Retry to add the managed host.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS004662393","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
15 February 2021

UID

ibm16408992