IBM Support

QRadar: Checking SSH connectivity to ensure a connection can be formed

Troubleshooting


Problem

When an SSH connection between the Console and a Managed Host cannot be established, the error message indicates whether the cause lies with the network, a NIC, a firewall configuration, or a host that is down within the network. This article gives an overview of these issues.

Symptom

Trying to establish an SSH connection from the Console to a Managed Host fails with an error similar to one of the following:

[root@Console-1 ~]# ssh 192.0.2.11 22
ssh: connect to host 192.0.2.11 port 22: No route to host
ssh: connect to host 192.0.2.11 port 22: Connection timed out.
ssh: connect to host 192.0.2.11 port 22: Connection refused
 

Cause

There are several potential reasons why the SSH session could not be established:

  • firewall blocking port 22 to host
  • host is not up and running
  • host is up but there are NIC issues (IP address misconfiguration, NIC down, etc.)
  • host cannot be reached due to network configuration issues (e.g. routing)
  • host is up but SSH service is not running
  • host is up, SSH is running but SSH negotiation fails

Diagnosing The Problem

The following examples show what an Administrator would see when attempting to SSH or telnet to a remote host. SSH and telnet are both good methods of validating that a tunneled connection is working as expected.

  1. First successful SSH connection
    In this example, you can see what a successful SSH connection would look like on your first attempt. You can see that you are prompted to accept the RSA key on the first connection.

    [root@Console-1]# ssh 192.0.2.11
    The authenticity of host '192.0.2.11 (192.0.2.11)' can't be established.
    RSA key fingerprint is bd:36:16:a8:00:2a:c9:56:6d:e2:26:eb:8d:66:3f:d5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.0.2.11' (RSA) to the list of known hosts.
    This server was upgraded to QRadar 7.2.6.20151107134559 on Thu Apr 14 21:42:58 EDT 2016.


     
  2. SSH banner when network is not blocked
    [root@Console-1 ~]# telnet 192.0.2.11 22
    Trying 192.0.2.11...
    Connected to 192.0.2.11.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.3

Any other result points to a failure of the SSH connection.

Resolving The Problem

The following error messages, seen when attempting to create SSH connections, are examples of network issues, NIC configuration problems, firewall configuration issues, or hosts that are down within the network. An explanation is given under each symptom to help resolve the issue.

SSH is not responding or packets dropped by network devices (firewalls): "Connection timed out"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: Connection timed out.


Explanation
A possible cause is a problem with a NIC interface, switch port, or LAN cable. Check with your Administrator to verify that these are working properly.

SSH connection refused or being actively blocked by a firewall: "Connection refused"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: Connection refused.


Explanation
A possible cause is a firewall blocking port 22. Check with your firewall Administrator to verify that port 22 is open.

 

SSH issue due to host down, network issue, etc: "No route to host" or "Host not available"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22
Trying 192.168.0.77...
telnet: connect to address 192.168.0.77: No route to host


Explanation
A possible cause is that the host is down. Verify with the Data Center admin that the host is online.
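
The following script is an added example, not part of the IBM article or of QRadar: it performs the same TCP connect and banner read as the telnet checks above and maps the outcome to the symptoms described in this article. The function names, status labels and hint wording are assumptions made for illustration.

```python
import errno
import socket
import sys

# Added example: names and hint wording are illustrative, not IBM's.
HINTS = {
    "ok": "network path is open and an SSH daemon answered",
    "timed_out": "no reply: packets dropped, or NIC/switch port/cable problem",
    "refused": "port 22 rejected: firewall block or SSH service not running",
    "no_route": "host down, or routing/IP address misconfiguration",
    "not_ssh": "connected, but no SSH banner was received",
    "other": "unclassified socket error",
}
ERRNO_CLASS = {errno.ETIMEDOUT: "timed_out", errno.ECONNREFUSED: "refused",
               errno.EHOSTUNREACH: "no_route", errno.ENETUNREACH: "no_route"}

def classify_error(exc):
    """Map a connect() failure to one of the article's symptom classes."""
    if isinstance(exc, socket.timeout):
        return "timed_out"
    return ERRNO_CLASS.get(exc.errno, "other")

def check_banner(data):
    """Find the 'SSH-' identification line; servers may send other lines first."""
    for raw in data.splitlines():
        line = raw.decode("ascii", "replace").strip()
        if line.startswith("SSH-"):
            return "ok", line
    return "not_ssh", data[:40].decode("ascii", "replace").strip()

def probe(host, port=22, timeout=5.0):
    """TCP-connect and read the banner, like `telnet host 22`."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        status, detail = classify_error(exc), str(exc)
    else:
        with sock:
            try:
                data = sock.recv(256)
            except OSError:
                data = b""  # connected, but nothing readable in time
            status, detail = check_banner(data)
    return status, detail, HINTS[status]

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, *probe(target), sep=" | ")
```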

 

For advanced SSH troubleshooting, see the technical document "QRadar: Enable Debugging Mode in SSH to Troubleshoot Connectivity Issues".

Document Location

Worldwide


Document Information

Modified date:
08 January 2021

UID

ibm10960870