IBM Support

QRadar SOAR: IP bans from the QRadar console

Troubleshooting


Problem

The QRadar console opens its own connection to the SOAR, QRadar Suite or Cloud Pak for Security server so that it can send JMS messages to the plug-in with the details of offenses that are created, updated and closed. This connection authenticates with the SOAR API key secret separately from the plug-in, so it can keep presenting an expired secret after the plug-in itself has been fixed, and the repeated failed logins cause the IP address of the console to be banned so it can no longer connect.
When a SOAR API key expires, the steps outlined in How do you change the API Key Secret in the SOAR Qradar Integration application due to an IP Ban are normally enough to let the plug-in connect again. If the IP address of the QRadar console keeps being banned because the old SOAR API key secret is still in use, this document explains how to resolve that.

Symptom

The SOAR or CP4S logs show the authentication attempts arriving from the QRadar console being rejected because the console's address is banned:
11:15:33.206 [https-jsse-nio2-443-exec-17] ERROR [] c.co3.authentication.UserAuthentication - Failed login attempt for user: <SOAR_API_KEY>, IP address <QRADAR CONSOLE IP> is banned
You will probably be unable to save the plug-in configuration as described in How do you change the API Key Secret in the SOAR Qradar Integration application due to an IP Ban, because the SOAR API key keeps being locked.
If the plug-in is installed on the QRadar console, you will continue to see the IP ban message in the logs even after renaming app.config as documented in How do you change the API Key Secret in the SOAR Qradar Integration application due to an IP Ban. This happens when it is the console's JMS connection, not the plug-in, that is still using the old secret.

Cause

The SOAR API key secret used by the console's JMS connection to the inbound destination is wrong or has expired.

Diagnosing The Problem

If the IP ban message persists after renaming app.config, stop the plug-in with qappmanager or the self-serve application in the QRadar console interface.
If the IP ban messages still do not stop with the plug-in stopped, the plug-in is ruled out and the console's JMS connection is identified as the one using the stale secret.
These queries show the data the plug-in saved in the QRadar database through API calls when its configuration was last saved:
psql -U qradar -c "select * from config_resilient;"
 id |        ip         | port  |          api_key_id           |              api_key_secret              | tls | proxy_ip | proxy_port | proxy_user | proxy_password |                description                | enabled | generation_time | last_enabled_time | last_updated_time
----+-------------------+-------+-------------------------------+------------------------------------------+-----+----------+------------+------------+----------------+-------------------------------------------+---------+-----------------+-------------------+-------------------
  2 | <INBOUND DEST IP> | 65000 | AQAAAAAAREMOVEDXrO/YaSpyfTQ== | AQAAAAAAAAA4REMOVEDFvl2KN/y333U//BvAJ2s= | t   |          |          0 |            |                | Connection to SOAR at '<INBOUND DEST IP>' | t       |   1729265220458 |     1729265220458 |     1729265220458
psql -U qradar -c "select * from resilient_configuration;"
 id | enable_connections | protocol_name | generation_time | last_updated_time
----+--------------------+---------------+-----------------+-------------------
  1 | t                  | OPENWIRE      |   1729265220171 |     1729265220171
psql -U qradar -c "select * from resilient_destination;"
 id | organization_id |                     queue_name                     | connection_id | tenant_id | generation_time | last_updated_time
----+-----------------+----------------------------------------------------+---------------+-----------+-----------------+-------------------
  0 |             201 | inbound_destinations.201.<QRADAR DESTINATION NAME> |             3 |         0 |   1738323917659 |     1738323917659
The api_key_secret column is stored in encrypted form and cannot be decoded to check its value, but it is the stale secret that the JMS connection keeps presenting.

Resolving The Problem

Deleting the plug-in's rows from the QRadar database stops the console from trying to connect to the inbound destination with the old secret.
psql -U qradar -c "delete from config_resilient where id=2;"
psql -U qradar -c "delete from resilient_configuration  where id=1;"
psql -U qradar -c "delete from resilient_destination where id=0;"
The "id" values might be different on your system, and the resilient_destination table can contain more than one row; delete every row that belongs to the plug-in.
Once all rows used by the plug-in have been deleted, restart ecs-ep on the QRadar console by running: systemctl restart ecs-ep
Resume the instructions in How do you change the API Key Secret in the SOAR Qradar Integration application due to an IP Ban, which include regenerating the SOAR API key secret. When you save the plug-in configuration, these three tables are populated again and the stored api_key_secret is the new value.
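The following script is an added example for the Diagnosing and Resolving steps above; it is not part of this IBM document or of the plug-in. The ban-counting functions run over constructed log lines embedded in the script (not real log data) and answer the question the Diagnosing section asks: do banned attempts from the console's IP continue after the time the plug-in was stopped? The clean-up functions assume bash, that psql -U qradar works as root on the console exactly as in the document's own commands, and a backup path under /store/tmp, which is an assumption; they delete every row of the three tables rather than hard-coded ids, because the ids differ between systems and resilient_destination can hold more than one row.

```shell
#!/bin/bash
# Added example, not from the IBM document. Table names and the ecs-ep service
# name are those the document shows; everything else is an assumption.

# Constructed sample of SOAR/CP4S log lines (not real log data). The second
# line is filler that must be ignored by the parser.
SAMPLE_LOG='11:15:33.206 [https-jsse-nio2-443-exec-17] ERROR [] c.co3.authentication.UserAuthentication - Failed login attempt for user: abc123, IP address 10.0.0.5 is banned
11:15:34.001 [https-jsse-nio2-443-exec-18] INFO  [] c.co3.example.Filler - constructed non-matching line
11:16:03.412 [https-jsse-nio2-443-exec-19] ERROR [] c.co3.authentication.UserAuthentication - Failed login attempt for user: abc123, IP address 10.0.0.5 is banned
11:16:35.990 [https-jsse-nio2-443-exec-20] ERROR [] c.co3.authentication.UserAuthentication - Failed login attempt for user: zzz999, IP address 10.0.0.9 is banned'

# ban_events: read log lines on stdin, print "TIME USER IP" for every
# "is banned" line, in the format shown in the Symptom section.
ban_events() {
  sed -n 's/^\([0-9:.]*\) .*Failed login attempt for user: \([^,]*\), IP address \([^ ]*\) is banned.*/\1 \2 \3/p'
}

# ban_keys: print "COUNT USER IP" per distinct (API key id, source IP) pair,
# which tells you which key and which console are being rejected.
ban_keys() {
  ban_events | awk '{ print $2, $3 }' | sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# bans_after SINCE IP: count banned attempts from IP logged at or after SINCE.
# Timestamps are compared as text (HH:MM:SS.mmm), so SINCE must be on the same
# day as the log extract. A non-zero count after the plug-in was stopped means
# the console's JMS connection, not the plug-in, is presenting the old secret.
bans_after() {
  ban_events | awk -v since="$1" -v ip="$2" '$1 >= since && $3 == ip { n++ } END { print n + 0 }'
}

# Database access: -At gives unaligned, tuples-only output that is easy to
# save and diff. Override PSQL to use a different wrapper (assumed default).
PSQL=${PSQL:-"psql -U qradar -At"}
PLUGIN_TABLES="config_resilient resilient_configuration resilient_destination"

# show_plugin_rows: print every row the plug-in saved, one table at a time.
show_plugin_rows() {
  local t
  for t in $PLUGIN_TABLES; do
    echo "== $t"
    $PSQL -c "select * from $t;"
  done
}

# clear_plugin_rows [BACKUP]: save a copy of the rows, delete all rows of the
# three tables (covers differing ids and multiple destination rows), then
# restart ecs-ep so the console drops the connection that used the old secret.
clear_plugin_rows() {
  local backup=${1:-/store/tmp/soar_plugin_rows.$(date +%Y%m%d%H%M%S).txt}  # assumed path
  local t
  show_plugin_rows > "$backup" || return 1
  for t in $PLUGIN_TABLES; do
    $PSQL -c "delete from $t;" || return 1
  done
  systemctl restart ecs-ep
}

# Demonstration on the constructed sample: which keys and consoles are banned.
printf '%s\n' "$SAMPLE_LOG" | ban_keys
```

Feed the SOAR or CP4S log to bans_after with the time you stopped the plug-in and the console's IP; a count above zero confirms the JMS connection is at fault, and clear_plugin_rows is then the scripted form of the delete statements and the ecs-ep restart above. The backup file lets you confirm afterwards that the rows written back by saving the plug-in configuration carry a different api_key_secret.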

Document Location

Worldwide

Product

IBM Security QRadar Suite - SOAR (Integrations->QRadar app), Platform Independent
IBM Security QRadar SOAR (Integrations->QRadar app), Platform Independent, versions 44.0.0 and 51.0.0
IBM Cloud Pak for Security (Cloud Pak for Security (CP4S)), Platform Independent, versions 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.10.0 and 1.11.0

Document Information

Modified date:
08 July 2025

UID

ibm17238942