IBM Support

QRadar on Cloud: Data Gateway appliance setup failed



Adding a Data Gateway appliance to QRadar on Cloud (QRoC) can fail when certain conditions are not met.  This guide provides troubleshooting techniques that help resolve common issues when your adding a data gateway.

Resolving The Problem

Pre-tests for before you add a Data Gateway appliance

Ensure you meet all the prerequisites.

  • Test your Data Gateway connection
    1. Use SSH to log in to your Data Gateway appliance as the root user.
    2. Run the following commands to ensure you can reach the Console:
      • Test your Data Gateway's connection to the Console:
        telnet x.x.x.x 443
        Note: replace x.x.x.x with the public IP of the QRoC Console provided in onboarding.
      • Test the Data Gateway's connection to the IBM VPN:
        telnet y.y.y.y 443
        Note: replace y.y.y.y with the IP of the QRoC VPN server provided in onboarding.
    3. If you are unable to successfully establish a connection, confirm your public IP is included in the allowlist. For more information, see Allowlisting an IP address.
    4. Retry the telnet commands to the Console and VPN.

    Information: to find your public IP, you can enter the following command:

    dig +short FQDN @DNS
    Note: Replace FQDN with your lookup value, and DNS with your server value. External http and https access to the site is required, otherwise your network team must provide you the public IP of your Data Gateway appliance.

  • Ensure the Data Gateway appliance can resolve the Console hostname

    Some environments do not have access to DNS, which can cause problems when your adding a data gateway.

    1. Create a token for the Data Gateway appliance by using the following instructions.
    2. Test the DNS connectivity with the following command.
      nc -zv FQDN 443
      Note: replace FQDN with the console's fully qualified hostname and domain.
    3. If you are unable to resolve the hostname, add the public IP of the console to your hosts file:
      echo "x.x.x.x  SHORTHOSTNAME FQDN" >> /etc/hosts
      Note: replacing x.x.x.x with the public IP of the Console, SHORTHOSTNAME with hostname, and FQDN with the fully qualified hostname with the domain.
    4. After the IP is added to the host file, rerun the procedure to confirm the hostname resolution.
  • Testing SSL Certificates

    This test ensures there is no proxy or web-catch modifying the certificates. If any proxy server or web cache is modifying the certificate, the host adding process fails.

    1. Test the SSL by using the following command with FQDN replaced with the consoles fully qualified hostname and domain for your deployment:
      openssl s_client -connect FQDN:443 -showcerts </dev/null | less
      Example of a successful response:
      Certificate chain
      i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
      -----BEGIN CERTIFICATE-----
      <certificate hash>
      -----END CERTIFICATE-----
      1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
      i:/C=US/O=DigiCert Inc/ Global Root CA
      -----BEGIN CERTIFICATE-----
      <certificate hash>
      -----END CERTIFICATE-----
      Server certificate
      issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits
      SSL handshake has read 3737 bytes and written 415 bytes
      SSL handshake has read 3737 bytes and written 415 bytes
      New, TLSv1/SSLv3, Cipher is AAAAA-AAA-AAA111-AAA-AAA111
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Protocol  : TLSv1.2
      Cipher    : AAAAA-AAA-AAA111-AAA-AAA111
      Master-Key: <master key>
      Key-Arg   : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      TLS session ticket lifetime hint: 7200 (seconds)
      TLS session ticket:
      Start Time: 1665573780
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
      Example of a failed response:
      verify error: num=20: unable to get local issuer certiticate
      If you receive something other than the correct certificate, ensure your proxy, or web-cache, freely passes the certificate with no modifications.  If you are using a proxy, it must be a transparent inline proxy as outlined in the Data Gateway appliance prerequisites.

Adding a Data Gateway appliance

When the pre-tests are complete, you can proceed with adding your Data Gateway appliance to QRoC.

  1. SSH into your QRadar console.
  2. Start the setup script
    /opt/qradar/bin/ mh_setup interactive –p
  3. When you add a Data Gateway, there is a two-step process.  The first step is to download and build the VPN package, the second step is to create the VPN tunnel to the Console. The VPN package is directly tied to the token for your Data Gateway appliance. After this point, the data gateway tries to pull the VPN package. Here you might see an error similar to:
    Traceback (most recent call last):
    File "/opt/qradar/bin/", line 1896, in checkAndCreatePid()
    File "/opt/qradar/bin/", line 1870, in checkAndCreatePid with open("/proc/%d/cmdline" % running_pid, 'r') as pid_cmd_file:
    FileNotFoundError: [Errno 2] No such file or directory: '/proc/29071/cmdline'
  4. After the script exits, confirm if the tunnel starts.
    Ifconfig tun0
  5. Verify with the command showing the VPN tunnel interface, which is a virtual interface on your system. If the tunnel is up, you see an output similar to the following:
    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 32000
    inet 192.168.x.x  netmask  destination 192.168.x.x
    inet6 fe80::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
    RX packets 100833357  bytes 8674333866 (8.0 GiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 541169286  bytes 799913312306 (744.9 GiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    If the interface does not exist, the error looks similar to the following:
    ifconfig tun0
    Tun0: error fetching interface information: Device not found

Common errors when your adding the Data Gateway
If you receive an error message when you attempt to add a Data Gateway appliance to QRadar on Cloud, select one of the following articles:

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS010893450","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
16 November 2022