IBM Support

QRadar: Applications fail to load with error "404 page not found' due to lack of connectivity

Troubleshooting


Problem

A QRadar App Host is a managed host that is dedicated to running apps. As any other managed host in the deployment, QRadar App Hosts require connectivity to the required services and ports running on the Console.
When a connection to a required port is needed by an application, and the connection fails, it can affect the application load.

Symptom

The administrator can verify whether an app is not working in the user interface (showing 404 page not found).
Figure01

Cause

Certain applications require connection to service port such as ariel queries (port 32006). When the App Host is not encrypted, it requires the firewall to allow all the required ports needed by all the applications. If a required connection is not allowed in the firewall, the application traffic never connects to wanted service port.

Environment

QRadar deployments with App Host.

Diagnosing The Problem

To identify this issue, administrators can check the /var/log/qradar.log and search for "Connection aborted" error message.

  1. Log in to the QRadar Console as the root user.
  2. Run the grep command and search for the error message in /var/log/qradar.log.
    grep 'Connection Aborted' /var/log/qradar.log
    Output Example
    [APP_ID/1203][INFO] Error in getting Ariel Port:('Connection aborted.', error(111, 'Connection refused'))
Alternatively, administrators can check whether the App Host connection is encrypted in the user interface.
  1. Log in to the QRadar Console user interface as an administrator user.
  2. Click the Admin tab.
  3. Click the System and license Management.
  4. On the System and license Management window, select the App Host and then click Deployment actions.
  5. Verify the App Host has the "Encryption Host Connections" checkbox not selected.

    Figure02

Resolving The Problem

To resolve this issue, administrators can encrypt the App Host so that the connections are tunneled by using SSH.
  1. Log in to the QRadar Console user interface as the administrator user.
  2. Click the Admin tab.
  3. Click the System and license Management.

    Image1
  4. On the System and license Management window, select the App Host and then click Deployment Actions.

    Figure02
     
  5. Click Edit Host and select Encrypt Host Connections checkbox.

    save
  6. Click Save.
  7. Click the Admin tab and deploy the configuration changes.
  8. Clear the browser cache.
    Note: Refer to the browser product documentation for the procedure.


    Results
    The applications now load successfully. If the applications still don't load after the steps in this technote are run, contact QRadar Support for assistance.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
01 July 2022

UID

ibm16596143