IBM Support

QRadar on Cloud: Data Gateway addition fails with error "Failed to call VPN client API on host"

Troubleshooting


Problem

The setup script /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p fails at retrieving the VPN client package. This error is typically a network issue either related to the configuration of /etc/hosts or a DNS resolution issue. The administrator can use this technical note to review the IP address and confirm their settings to successfully add the Data Gateway when "Failed to call VPN client API on host" errors occur.

Symptom

The setup script displays the following error:
Figure01

When you select Yes, you are returned to the command-prompt. The error message is displayed, Failed to call VPN client API on host <QRadar Cloud Console> to retrieve client package. For example,
Figure02

Cause

QRadar® on Cloud (QRoC) security layer sometimes provides a different resolvable IP causing the setup to connect to the wrong IP address.

Environment

QRadar® on Cloud Data Gateways

Resolving The Problem

  1. The administrator must ensure that the Data Gateway connection meets the network and firewall requirements. See Prerequisites for data gateways.
  2. Find the public IP address for your QRadar on Cloud Console:
    1. Method #1 - Look at the QRoC's Welcome email.
    2. Method #2 - Use the QRoC Self-Serve application in the user interface.
      1. Log in to the QRadar Console as an administrator.
      2. Click the Admin tab.
      3. In the left pane, select Apps.
      4. Click QRoC Self-Serve.
      5. Click Deployment.
  3. Add the QRoC's Console Public IP into the /etc/hosts file of the Data Gateway.
    1. Create a backup directory.
      mkdir -p /store/IBM_Support/
    2. Back up the current /etc/hosts file.
      cp -pfv /etc/hosts /store/IBM_Support/
    3. Add an entry with the Public IP and Console's number obtained in Step 2.
      echo "<Console's Public IP>  console-<Console Number>.qradar.ibmcloud.com" >> /etc/hosts
      Example:
      echo "10.11.12.254  console-99999.qradar.ibmcloud.com" >> /etc/hosts
    4. Verify the entry is added to /etc/hosts and displays the correct IP address.
      grep -i console /etc/hosts
      
    5. Verify the Console name resolves in DNS. This check must complete successfully and can be used to verify connection to the QRadar on Cloud Console.
      nc -zv console-<Console Number>.qradar.ibmcloud.com 443
    6. Add the Data Gateway to the QRoC deployment by using the mh_setup command.
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
      

      Result
      The Data Gateway can request the VPN files from the Console's IP and continues until the appliance is successfully added to the deployment. If you continue to experience issues, administrators can confirm an allowlist is added for their Data Gateway to the QRadar on Cloud Console. QRadar on Cloud requires a transparent proxy or inline proxy that does not challenge for authentication on outbound connections.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS006941206","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
13 October 2021

UID

ibm16493259