Troubleshooting
Problem
The first action of the setup script "/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p" to add Data Gateways is to request the VPN client package to the QRadar on Cloud Console. When the networking devices are not properly configured to allow this request or permit the return traffic, the addition fails.
Administrators can use this technical note to review and confirm their networking settings to successfully add the Data Gateway when this problem occurs.
Symptom
The setup script displays the error "An attempt to contact the API located on 'console-xxxxx.qradar.ibmcloud.com' has failed: Unknown connectivity error".

When administrators select Yes, the setup continues and returns to the command prompt. The error message "Failed to run command 'mh_setup': argument of type 'NoneType' is not iterable" is displayed and the token is not retrieved.
Downloading VPN client package from 'console-xxxxx.qradar.ibmcloud.com'...
Failed to run command 'mh_setup': argument of type 'NoneType' is not iterable
File "/opt/qradar/lib/python/qradar/command_line.py", line 192, in executeCommand
self.cmd.execute(self.opts, self.args, self.parser)
File "/opt/qradar/bin/setup_qradar_host.py", line 412, in setup
input_obj.proxy_port, input_obj.proxy_username, input_obj.proxy_password)
File "/opt/qradar/bin/setup_qradar_host.py", line 427, in setupImpl
downloaded_file = downloadPackageImpl(server, token)
File "/opt/qradar/bin/setup_qradar_host.py", line 566, in downloadPackageImpl
callVPNAPI(archive_file, server, token)
File "/opt/qradar/bin/setup_qradar_host.py", line 1599, in callVPNAPI
if "1002" in details.error_content or details.invalid_token():
Cause
This error is typically a networking issue when a proxy or firewall is not properly configured to permit request to port 443 and its response (return traffic). It can also be caused when the proxies or firewall are lacking extra configurations such as allowing https traffic.
Note: Certain firewalls require extra configurations such as allowlist the "ibm.cloud" domain.
Environment
QRadar® on Cloud Data Gateways
Resolving The Problem
- The administrator must ensure that the Data Gateway connection meets the network and firewall requirements. See Prerequisites for data gateways.
- Ensure that the public IP address of the data gateway appliance is allowlisted in QRadar on Cloud.
- Ensure the token was created to the right private IP of the Data Gateway.
- Use a static IP address to connect to QRadar on Cloud through your gateway appliance. Do not use any IP address in the 192.168.0.0/16 network range.
- The gateway appliance must be behind a network address translation (NAT) firewall.
- Data Gateways routed through a proxy server, must ensure the proxy is configured as transparent or inline that does not challenge for authentication.
- Allow connections to the QRadar Console and VPN Server Public IP on port 443.
- Allow established and related traffic (return traffic) to the port 443 connections.
- Allow HTTPS and OpenVPN traffic to the port 443 connections.
- DNS servers must reflect the correct IP address of the Console hostname. See the following article to workaround a DNS resolution issue.
- Verify the Console name resolves in DNS. This check must complete successfully and can be used to verify connection to the QRadar on Cloud Console.
nc -zv console-<Console Number>.qradar.ibmcloud.com 443
- Remove any leftover configuration resulted from the previous attempt.
- Add the Data Gateway to the QRoC deployment by using the mh_setup command.
/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
Result
The Data Gateway can request the VPN files from the Console's IP and continues until the appliance is successfully added to the deployment. If the setup fails with the same error, administrators must double check the network requisites stated in the "Resolving the Problem Section" and engage the respective networking team to meet the requisites.
If the attempt fails with a different error, contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
30 June 2022
UID
ibm16598659