Troubleshooting
Problem
Unable to create an HA cluster because inconsistencies in the secondary peer cause the primary to fail when connecting to it over SSH.
Symptom
After the HA wizard is populated with the correct information and an attempt is made to create the HA, the UI reports this error:
The following error can be seen in the /var/log/setup-xxx/qradar_hasetup.log of the primary peer.
[HA Setup (P-M----)] ESC[31m[ERROR] Failed to install ssh key on <Secondary peer IP>
Cause
Possible causes are:
- Secondary peer with a password set with too many special characters.
- Network inconsistencies, such as port 22 not being open (SSH service not active) or being filtered by firewalls or iptables.
- Secondary peer missing the /root/.ssh/ directory.
Environment
HA Cluster creation
Diagnosing The Problem
- Password with too many special characters.
- From the Console, use SSH to connect to the primary peer.
- From the primary, use SSH to connect to the secondary peer.
- When too many special characters exist in the password, the SSH connection might fail and report:
Permission denied (publickey,password)
- Network blocking the connection.
- Log in to the IMM or XCC WebUI and start a Console connection to the secondary peer.
- Verify the sshd service is active.
systemctl is-active sshd
- Verify that port 22 is open and listening.
netstat -napl | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 15871/sshd
- Verify the iptables are accepting connections from any source to port 22.
iptables -L -n -v | grep 22
Right Output: 3949 237K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Wrong Output: 3949 237K ACCEPT tcp -- * * <Console or other IP> 0.0.0.0/0 state NEW tcp dpt:22
- SSH directory missing.
- Use SSH to connect to the secondary peer.
- Verify the directory exists with permissions 700 and ownership root.
ls -lad /root/.ssh
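The network and directory checks above can be scripted for the secondary peer. This is an added example, not part of the technote or of QRadar; the function names and the --run switch are hypothetical, and GNU stat is assumed. It matches the iptables source and dpt:22 fields exactly, which is stricter than the grep 22 shown above.

```shell
#!/bin/sh
# Pre-flight checks for the secondary peer before HA creation (added example).

# Reads `iptables -L -n -v` output on stdin. Succeeds only if an ACCEPT rule
# for tcp destination port 22 has source 0.0.0.0/0.
# Verbose columns: pkts bytes target prot opt in out source destination ...
ssh_rule_open_to_any() {
    awk '$3 == "ACCEPT" && $4 == "tcp" && $8 == "0.0.0.0/0" {
             for (i = 10; i <= NF; i++) if ($i == "dpt:22") found = 1
         }
         END { exit !found }'
}

# Succeeds only if DIR exists, has mode 700 and is owned by the given
# numeric uid (default 0, which is root).
ssh_dir_ok() {
    dir=$1
    uid=${2:-0}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%u' "$dir")
    [ "$mode" = "700" ] || { echo "mode $mode, expected 700: $dir"; return 1; }
    [ "$owner" = "$uid" ] || { echo "uid $owner, expected $uid: $dir"; return 1; }
}

# Runs all three checks and reports every failure instead of stopping at the first.
preflight() {
    rc=0
    systemctl is-active --quiet sshd || { echo "sshd is not active"; rc=1; }
    iptables -L -n -v | ssh_rule_open_to_any ||
        { echo "no ACCEPT rule from any source for tcp port 22"; rc=1; }
    ssh_dir_ok /root/.ssh || rc=1
    return $rc
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as root on the secondary peer with the --run argument; a zero exit status means all three checks passed.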
Resolving The Problem
The administrators are advised to read the QRadar HA documentation to familiarize themselves with these deployments before running the steps in this technote. Also see:
1 Configure a simpler password and enable passwordless access between the primary and secondary
- Use SSH to connect to the primary peer.
- Copy the SSH keys to the secondary peer.
ssh-copy-id <secondary peer IP>
- Use SSH to connect to the secondary peer.
- Temporarily change the password to a simpler one with fewer or nonspecial characters.
Note: This password can be changed later after the HA cluster is created without impact with the same command.
passwd root
- SSH from primary to the secondary peer and confirm it does not ask for a password.
- Attempt to create the HA Cluster again.
2 Ensure the sshd service is active and configure iptables to allow connections from any source
- SSH to the secondary peer.
- Restart the sshd service.
systemctl restart sshd
- Verify that port 22 is open and listening.
netstat -napl | grep sshd
- Configure a temporary entry in the iptables to allow connections from any source.
Note: This entry can be removed later after the HA cluster is created without impact.
echo "-A INPUT -p tcp --dport 22 -j ACCEPT" >> /opt/qradar/conf/iptables.pre
- Reload the IP Tables service.
/opt/qradar/bin/iptables_update.pl
- Confirm the iptables services are running. If they are not, check QRadar: Troubleshooting iptables issues.
- SSH from primary to the secondary peer and confirm it can access. If the SSH cannot be established, check
- Attempt to create the HA Cluster again.
3 Create and configure the SSH directory
- SSH to the secondary peer.
- Create the missing directory.
mkdir -pv /root/.ssh
- Set the right permissions.
chmod 700 /root/.ssh
- Set the right ownership.
chown root:root /root/.ssh
- Use SSH to connect from primary to the secondary peer and confirm it has access. If the SSH connection cannot be established, check
- Attempt to create the HA Cluster again.
Results
The HA Cluster creation now succeeds.
If the creation still fails, the administrators are advised to raise a support case with IBM® QRadar® Support.
Related Information
Document Location
Worldwide
Document Information
Modified date:
21 October 2021
UID
ibm16498673