IBM Support

QRadar: Getting "RTNETLINK" error while changing the IP Address of a host using qchange_netsetup

Troubleshooting


Problem

In some scenarios, the qchange_netsetup utility can fail to update network configuration changes due to "RTNETLINK" errors.

Symptom

Admins might see one of these errors when changes are committed in the network setup screen.
Network config errors

Cause

Typically the RTNETLINK errors are the result of static routes, unexpected devices, or any other missing or invalid parameters in the network configuration. Since the errors are a symptom of a configuration issue, the cause might be different depending on the environment. The intent of this article is to provide administrators with common areas to check in the configuration where issues might be found that are causing the RTNETLINK errors.

Resolving The Problem

Warning: Before you take any action to resolve network issues on a QRadar host, it is highly encouraged to work on the system by using out of band access. Some examples of out of band access are:
  1. Connecting a monitor and keyboard to the physical server 
  2. Accessing the host from an iLO/IMM/XCC module to use the remote console feature
  3. If the host is a virtual machine, use the hypervisor's VM management system to open a console session
Avoid access through ssh when you make changes to the local network settings, and when you restart network services. If any changes to the configuration are invalid, causing failure of the network and sshd services, admins then have no access to the host until an out of band method is attained.

RTNETLINK answers: File exists

  1. If there is any "ifcfg-*" file in the "/etc/sysconfig/network-scripts/" directory that references a network interface that does not exist in the system, you might see the "File exists" error. Administrators can run the following commands on the CLI of the host to verify the names of the configured network interfaces:
      
    ifconfig
    ip link show
    You can then compare to see whether there's any "/etc/sysconfig/network-scripts/ifcfg-*" file that references an interface not found in the output. If an unexpected interface name is found, you might need to either remove the "ifcfg-*" file or correct the configuration of the file to match the actual interface names on the host.
  2. If there is a "/etc/sysconfig/network-scripts/route-*" file that references IPs that cannot be reached, the error might be seen. There might also be references to unknown interface names in "route-*" files. It might be necessary to remove the "route-*" file completely, or remove entries that reference unreachable IPs or incorrect interface names.
  3. If any changes are made to the system's network configuration files to resolve the issue, restart the network service by running the following command from the host's CLI:
      
    systemctl restart network
    You can also consider running commands to manually restart the interface. For example, if you update the configuration for an interface called "ens192", use the following command syntax to load the new configuration and note any further errors in the resulting output:
      
    ifdown ens192 ; ifup ens192

RTNETLINK answers: No such device

  1. This error can be seen when network configuration files contain references to devices that are not found in the system. 
    Administrators can run the following commands on the CLI of the host to verify the names of the running network interfaces:
      
    ifconfig
    ip link show
    You can then check configuration files in "/etc/sysconfig/network-scripts/" to verify whether there's reference to interfaces that are not seen in the output of the commands. Editing or removal of references to unfound network interface names might be necessary.
  2. Check for any "/etc/sysconfig/network-scripts/route-*" files that include entries with a "src" IP that is not configured in the system. Remove or correct any such entries to match the existing IP in the local network configuration. 
  3. If the "/etc/sysconfig/network" file has the following fields, with inaccurate entries, the error might occur:
      
    GATEWAY=
GATEWAYDEV=
    The "GATEWAY" field specifies the default gateway. The "GATEWAYDEV" field specifies the QRadar management interface (For example: GATEWAYDEV=eno1). Admins can confirm the configured management interface by running the following command from the host CLI:
      
    cat /etc/management_interface
    You might not see the "GATEWAYDEV" parameter in all QRadar systems, though "GATEWAY" is a required parameter. Correct any inaccurate entries to resolve the issue.
  4. Check all "/etc/sysconfig/network-scripts/ifcfg-*" files that include the MAC address parameter of "HWADDR=" to confirm the actual running interface's MAC address matches. Run the CLI commands from step 1 to verify the MAC addresses associated with any interface that has a corresponding "/etc/sysconfig/network-scripts/ifcfg-*" file. If there is a mismatch, you can update the "ifcfg-*" file's "HWADDR=" parameter to match the actual running interface config.
  5. If any changes are made to the system's network configuration files to resolve the issue, restart the network service by running the following command from the host's CLI:
      
    systemctl restart network
    You can also consider running commands to manually restart the interface. For example, you update the configuration for an interface called "ens192", use the following command syntax to load the new configuration and note any further errors in the resulting output:
      
    ifdown ens192 ; ifup ens192

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":["Deployment"],"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS015169158","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
23 January 2024

UID

ibm17107835

Page Feedback