QRadar: Troubleshooting network connectivity on VMware host

Troubleshooting

Problem

After a reboot of a VMware host, the MAC address associated with the management interface can change from what was originally configured. As a result, the management interface does not get an IP when the network service is started.

Symptom

VMware host is unable to access the network and is not reachable from any other host.

Cause

For VMware hosts, if the MAC address is set to automatic and not manual, it causes the host to have no network connectivity after a reboot.

Environment

VMware managed hosts.

Diagnosing The Problem

Confirm that the QRadar host is not reachable from any other host.

Open the vCenter console for the QRadar host and login as root.
Run the following command:
```
ip addr show dev `cat /etc/management_interface`
```
Result
If the host does not have an IP address, the host is not reachable. Follow the steps in Resolving the Problem to troubleshoot the issue.

Resolving The Problem

Steps

If you experience communication issues due to the management interface not receiving an IP address, compare the HWADDR values.

Open the vCenter console for the QRadar host and login as root.
Run the following command and note the HWADDR value:
```
ip link show dev `cat /etc/management_interface`
```
Run the following command and note the configured value:
```
grep HWADDR /etc/sysconfig/network-scripts/ifcfg-`cat /etc/management_interface`
```
Note: The command uses the back-tick character (ascii 96), not single quotation mark.
Compare the noted values.

Result
If the HWADDR values are different, you can either edit the file or change the configuration for the host in vCenter. You might need to speak to your VMware admins to get their preferred solution. Select one of the following options to resolve this issue:

To edit the file
1. Use vi to edit the config file.
```
vi /etc/sysconfig/network-scripts/ifcfg-`cat /etc/management_interface`
```
2. Change the line HWADDR=xx:xx:xx:xx:xx:xx to HWADDR=yy:yy:yy:yy:yy:yy where yy:yy:yy:yy:yy:yy is the value returned from the command:
```
ip link show dev `cat /etc/management_interface`
```
3. Save the file.
4. Restart network service by running the following command:
```
 systemctl restart network
```
5. Verify IP by running the following command:
```
 ip addr show dev `cat /etc/management_interface`
```
6. Verify default gateway by running the following command:
```
route -n
```
7. Verify host accessible with ssh from a workstation terminal by running the following command:
```
ssh {user}@{IP}
```
To change the configuration for the host in vCenter:
1. Log in to vCenter and change the configuration for the host.
2. In Network Settings, set the MAC address to the value originally configured from HWADDR= field in the ifcfg file and make sure it is set to manual.
3. Save this change.
4. Reboot the host.
  
  Results
  After the host restarts, ensure it is accessible.

Related Information

QRadar: Basic network troubleshooting workflow

QRadar: Networking troubleshooting of interfaces and connections by using the c…

QRadar: Network issues and support policies

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Tips