IBM Support

QRadar: Checking SSH connectivity to ensure a connection can be formed



When there are network issues creating SSH connections between the Console and the Managed Host, there are messages that indicate issues with the network, NICs, firewall configurations or hosts that are down within the network. This article gives an overview of these issues. 


Trying to establish an SSH connection from the Console to a Managed Host fails with a similar error:

[root@Console-1 ~]# ssh 22
ssh: connect to host port 22: No route to host
ssh: connect to host port 22: Connection timed out.
ssh: connect to host port 22: Connection refused


There are several potential issues why the SSH session could not establish:

  • firewall blocking port 22 to host
  • host is not up and running
  • host is up but there are NIC issues (IP address misconfiguration, NIC down, etc)
  • host cannot be reached due to network configuration issues (e.g. routing)
  • host is up but SSH service is not running
  • host is up, SSH is running but SSH negotiation fails

Diagnosing The Problem

The following examples show what an Administrator would see when attempting to SSH or telnet to a remote host. Using SSH or telnet are good methods of validating that a tunneled connection is working as expected.

  1. First successful SSH connection
    In this example, you can see what a successful SSH connection would look like on your first attempt. You can see that you are prompted to accept the RSA key on the first connection.

    [root@Console-1]# ssh
    The authenticity of host ' (' can't be established.
    RSA key fingerprint is bd:36:16:a8:00:2a:c9:56:6d:e2:26:eb:8d:66:3f:d5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '' (RSA) to the list of known hosts.
    This server was upgraded to QRadar on Thu Apr 14 21:42:58 EDT 2016.

  2. SSH banner when network is not blocked
    [root@Console-1 ~]# telnet 22
    Connected to
    Escape character is '^]'.SSH-2.0-OpenSSH_5.3
Any other result, points to a failure of an SSH connection. 

Resolving The Problem

The following error messages when attempting to create SSH connections are examples of network issues, NIC configuration problems, firewall configuration issues, or hosts that are down within the network. Explanations are offered under each symptom in order to help resolve the issue. 

SSH is not responding or packets dropped by network devices (firewalls): "Connection timed out"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22
telnet: connect to address Connection timed out.

Possible symptom is problems with a NIC interface, switch port, or LAN cables. Check with your Administrator to verify these are working properly.

SSH connection refused or being actively blocked by a firewall: "Connection refused"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22
telnet: connect to address Connection refused.

Possible symptom is firewall is blocking port 22. Check with your firewall Administrator to verify port 22 is open.


SSH issue due to host down, network issue, etc: "No route to host" or "Host not available"

[root@QRadar-3100 ~]# telnet Qradar726-1201 22|
telnet: connect to address No route to host

Possible symptom the host is down. Verify with the Data Center admin that the host is online.


For advanced SSH troubleshooting, see technical document QRadar: Enable Debugging Mode in SSH to Troubleshoot Connectivity Issues

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Deploy","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
08 January 2021