IBM Support

QRadar: Network connectivity issues when using virtual appliances with dynamic MAC address

Troubleshooting


Problem

QRadar® virtual appliances with dynamic MAC address assignment might become inaccessible over SSH after a reboot or network service restart. When the problem occurs, the error "Device xxx has different MAC address than expected" appears.

Symptom

When accessing the QRadar host by using SSH, it reports "No route to host".
ssh: connect to host <QRadar IP ADDRESS> port 22: No route to host
The Console's user-interface does not load and reports timeout. 

Cause

QRadar requires static MAC address configuration on its interfaces. A host with dynamic MAC address assignment can acquire a new MAC address, which causes a mismatch with the network configuration files, and the host becomes unreachable.

Environment

QRadar® deployments with virtual appliances.

Diagnosing The Problem

Administrators can log in to the VM from the serial console connection provided by the respective virtual platform or hypervisor and confirm the MAC address mismatch.
  1. Log in to the virtualization platform portal and start a serial or console connection to the appliance.
    Note: You must request this access from your virtual platform or hypervisor administrator.
  2. Review the network settings of the virtual machine. The following image shows an example of a VM running on Microsoft Hyper-V with dynamic MAC address settings.
    [Figure: Microsoft Hyper-V virtual machine network settings with a dynamic MAC address]
  3. Verify the error by checking the status of the network service.
    systemctl status network -l
    Output Example:
    systemd[1]: Starting LSB: Bring up/down networking...
    network[1280]: Bringing up interface ens192: ERROR : [/etc/sysconfig/network-scripts/ifup-eth]
                   Device ens192 has different MAC address than expected, ignoring.
    network[1280]: [FAILED]
    systemd[1]: network.service: control process exited, code=exited status=1
    systemd[1]: Failed to start LSB: Bring up/down networking.
    systemd[1]: Unit network.service entered failed state.
    systemd[1]: network.service failed.
    
  4. Check the MAC address reported by the OS.
    ip -f inet link show ens192
    The following output shows the MAC address 00:50:56:8f:41:fb associated with the management interface ens192.
    2: ens192: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
        link/ether 00:50:56:8f:41:fb brd ff:ff:ff:ff:ff:ff
  5. Check the MAC address reported in the network configuration files.
    grep HWADDR /etc/sysconfig/network-scripts/ifcfg-<INTERFACE>
    The following output shows the MAC address 00:50:56:9e:33:58 associated with the management interface ens192.
    HWADDR=00:50:56:9e:33:58
    Result
    The MAC address mismatch is shown, and administrators can proceed to the Resolving the Problem section.
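
Steps 4 and 5 can be combined into one comparison. The following script is an added example, not part of the IBM article or of QRadar; the function names are hypothetical, and it normalizes case and quoting before comparing so that an uppercase or quoted HWADDR is not reported as a mismatch.

```shell
#!/bin/sh
# Added example (not IBM code): compare the live MAC with HWADDR in an ifcfg file.

# Sample inputs: the ip output (abridged) and the HWADDR line shown in steps 4
# and 5 of the article; the DEVICE= line is constructed.
SAMPLE_IP_LINK='2: ens192: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:50:56:8f:41:fb brd ff:ff:ff:ff:ff:ff'
SAMPLE_IFCFG='DEVICE=ens192
HWADDR=00:50:56:9e:33:58'

# Read `ip link show` output on stdin, print the link-layer address in lowercase.
mac_from_ip_link() {
    awk '$1 == "link/ether" { print tolower($2); exit }'
}

# Read ifcfg text on stdin, print the first active HWADDR value with quotes and
# whitespace removed, in lowercase. Commented-out lines are ignored.
mac_from_ifcfg() {
    sed -n 's/^[[:space:]]*HWADDR=//p' | head -n 1 | tr -d "\"' \t\r" | tr 'A-F' 'a-f'
}

# diagnose <ip-link-output> <ifcfg-text>
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if a value is missing.
diagnose() {
    live=$(printf '%s\n' "$1" | mac_from_ip_link)
    configured=$(printf '%s\n' "$2" | mac_from_ifcfg)
    if [ -z "$live" ] || [ -z "$configured" ]; then
        echo "UNKNOWN live=${live:-none} HWADDR=${configured:-none}"
        return 2
    fi
    if [ "$live" = "$configured" ]; then
        echo "MATCH $live"
        return 0
    fi
    echo "MISMATCH live=$live HWADDR=$configured"
    return 1
}

# check_interface <interface> [ifcfg-dir]: the same check against a running host.
check_interface() {
    cfg="${2:-/etc/sysconfig/network-scripts}/ifcfg-$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    diagnose "$(ip -f inet link show "$1" 2>/dev/null)" "$(cat "$cfg")"
}

# With an interface name, check the host; with no arguments, run the sample.
if [ "$#" -ge 1 ]; then
    check_interface "$@"
else
    diagnose "$SAMPLE_IP_LINK" "$SAMPLE_IFCFG" || true
fi
```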

Resolving The Problem

Administrators must engage their respective virtualization platform or hypervisor administrator to configure the virtual machine with a static MAC address, and then update the network configuration files with the static MAC address provided.
IMPORTANT
Some hypervisors require the virtual machine to be powered off to edit the hardware, causing downtime on the services. The administrator must address this requirement with their hypervisor administrator and schedule this activity during a maintenance window when required.
The following image shows an example of a virtual machine running on Microsoft Hyper-V with static MAC address settings. This MAC address needs to be configured in the configuration files.
[Figure: Microsoft Hyper-V virtual machine network settings with a static MAC address]
To reconfigure the configuration files, run the following steps:
  1. Power on the virtual machine.
  2. Log in to the virtualization platform portal and start a serial or console connection to the appliance.
  3. Check that the MAC address matches the virtual machine network settings. In this article, the MAC address 00:50:45:9E:B9:02 is used as an example.
    Note: On Linux, the MAC address can be lowercase, thus 00:50:45:9E:B9:02 can be written as 00:50:45:9e:b9:02.
    ip -f inet link show ens192
    The following output shows the MAC address 00:50:45:9e:b9:02 associated with the management interface ens192.
    2: ens192: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
        link/ether 00:50:45:9e:b9:02 brd ff:ff:ff:ff:ff:ff
  4. Reconfigure the HWADDR in the configuration files.
    1. Back up the current file. Change the interface name accordingly.
      mkdir -p /store/IBM_Support/
      cp -fv /etc/sysconfig/network-scripts/ifcfg-<INTERFACE> /store/IBM_Support/
    2. Edit the HWADDR with the one provided by the administrator.
      sed -i 's/HWADDR=.*/HWADDR=<MAC ADDRESS>/' /etc/sysconfig/network-scripts/ifcfg-<INTERFACE>
      Example:
      sed -i 's/HWADDR=.*/HWADDR=00:50:45:9e:b9:02/' /etc/sysconfig/network-scripts/ifcfg-ens192
    3. Restart the network service.
      systemctl restart network; systemctl status network
      Output example:
      ● network.service - LSB: Bring up/down networking
         Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
         Active: active (exited) since Wed 2022-12-14 20:43:32 AST; 26s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 21665 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
        Process: 21930 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
          Tasks: 0
         Memory: 0B
      Dec 14 20:43:26 <HOSTNAME> systemd[1]: Starting LSB: Bring up/down networking...
      Dec 14 20:43:28 <HOSTNAME> network[21930]:  Bringing up loopback interface:  /sbin/ifup-local: line 116: [: Cannot get device ring settings: Operation not supported
      Dec 14 20:43:28 <HOSTNAME> network[21930]: 0: integer expression expected
      Dec 14 20:43:28 <HOSTNAME> network[21930]: [  OK  ]
      Dec 14 20:43:32 <HOSTNAME> network[21930]: Bringing up interface ens192:  [  OK  ]
      Dec 14 20:43:32 <HOSTNAME> systemd[1]: Started LSB: Bring up/down networking.
  5. Use SSH to log in to the QRadar Console as the root user.
  6. Optional. SSH to the Managed Host if the problem occurred on it.

    Result
    The MAC addresses now match, and the network connectivity is restored. If the network service does not start successfully, review the settings again with your virtualization platform administrator and repeat this procedure.

    If the network settings are correct and the MAC address matches, but the network connectivity is not restored, contact QRadar Support for assistance.
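
The sed command in step 4 exits successfully even when no HWADDR line exists, and it writes whatever value it is given. The following wrapper is an added example, not part of the IBM article; the function name set_hwaddr and its return codes are hypothetical. It validates the address, requires an existing HWADDR line, takes the backup from step 4.1, and confirms the edit.

```shell
#!/bin/sh
# Added example (not IBM code): validated HWADDR update with a backup.

# set_hwaddr <ifcfg-file> <mac> [backup-dir]
# Returns 0 on success, 2 invalid MAC, 3 no HWADDR line, 4 backup failed,
# 1 if the file does not contain the new value after the edit.
set_hwaddr() {
    file="$1"
    backup_dir="${3:-/store/IBM_Support}"
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Accept exactly six colon-separated hex octets. The value is pasted into
    # a sed expression, so anything else must be rejected before it gets there.
    h='[0-9a-f][0-9a-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) echo "invalid MAC address: $2" >&2; return 2 ;;
    esac

    # sed exits 0 even when no line matched, which would leave the old
    # mismatch in place without any error. Require an active HWADDR line.
    if ! grep -q '^HWADDR=' "$file"; then
        echo "no HWADDR line in $file" >&2
        return 3
    fi

    # Back up first, as in step 4.1 of the article.
    mkdir -p "$backup_dir" && cp -f "$file" "$backup_dir/" || return 4

    # Anchored variant of the article's sed, so "#HWADDR=" comments are untouched.
    sed -i "s/^HWADDR=.*/HWADDR=$mac/" "$file"

    # Confirm the file now carries the requested address.
    grep -qx "HWADDR=$mac" "$file"
}

# Usage: script <ifcfg-file> <mac> [backup-dir]
if [ "$#" -ge 2 ]; then
    set_hwaddr "$@"
fi
```

Restart the network service afterwards as in step 4.3; the wrapper only edits the file.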

Document Location

Worldwide

Document Information

Modified date:
15 December 2022

UID

ibm16847825