Troubleshooting
Problem
In some scenarios, the qchange_netsetup utility can fail to update network configuration changes due to "RTNETLINK" errors.
Symptom
Admins might see one of these errors when changes are committed in the network setup screen.
Cause
Typically the RTNETLINK errors are the result of static routes, unexpected devices, or any other missing or invalid parameters in the network configuration. Since the errors are a symptom of a configuration issue, the cause might be different depending on the environment. The intent of this article is to provide administrators with common areas to check in the configuration where issues might be found that are causing the RTNETLINK errors.
Resolving The Problem
Warning: Before you take any action to resolve network issues on a QRadar host, it is highly encouraged to work on the system by using out of band access. Some examples of out of band access are:
- Connecting a monitor and keyboard to the physical server
- Accessing the host from an iLO/IMM/XCC module to use the remote console feature
- If the host is a virtual machine, use the hypervisor's VM management system to open a console session
Avoid access through ssh when you make changes to the local network settings, and when you restart network services. If any changes to the configuration are invalid, causing failure of the network and sshd services, admins then have no access to the host until an out of band method is attained.
RTNETLINK answers: File exists
- If there is any "ifcfg-*" file in the "/etc/sysconfig/network-scripts/" directory that references a network interface that does not exist in the system, you might see the "File exists" error. Administrators can run the following commands on the CLI of the host to verify the names of the configured network interfaces:
ifconfig
ip link show
-
If there is a "/etc/sysconfig/network-scripts/route-*" file that references IPs that cannot be reached, the error might be seen. There might also be references to unknown interface names in "route-*" files. It might be necessary to remove the "route-*" file completely, or remove entries that reference unreachable IPs or incorrect interface names.
-
If any changes are made to the system's network configuration files to resolve the issue, restart the network service by running the following command from the host's CLI:
systemctl restart network
You can also consider running commands to manually restart the interface. For example, if you update the configuration for an interface called "ens192", use the following command syntax to load the new configuration and note any further errors in the resulting output:
ifdown ens192 ; ifup ens192
RTNETLINK answers: No such device
- This error can be seen when network configuration files contain references to devices that are not found in the system.
Administrators can run the following commands on the CLI of the host to verify the names of the running network interfaces:
ifconfig
ip link show
You can then check configuration files in "/etc/sysconfig/network-scripts/" to verify whether there's reference to interfaces that are not seen in the output of the commands. Editing or removal of references to unfound network interface names might be necessary. - Check for any "/etc/sysconfig/network-scripts/route-*" files that include entries with a "src" IP that is not configured in the system. Remove or correct any such entries to match the existing IP in the local network configuration.
-
If the "/etc/sysconfig/network" file has the following fields, with inaccurate entries, the error might occur:
GATEWAY= GATEWAYDEV=
The "GATEWAY" field specifies the default gateway. The "GATEWAYDEV" field specifies the QRadar management interface (For example: GATEWAYDEV=eno1). Admins can confirm the configured management interface by running the following command from the host CLI:
cat /etc/management_interface
- Check all "/etc/sysconfig/network-scripts/ifcfg-*" files that include the MAC address parameter of "HWADDR=" to confirm the actual running interface's MAC address matches. Run the CLI commands from step 1 to verify the MAC addresses associated with any interface that has a corresponding "/etc/sysconfig/network-scripts/ifcfg-*" file. If there is a mismatch, you can update the "ifcfg-*" file's "HWADDR=" parameter to match the actual running interface config.
-
If any changes are made to the system's network configuration files to resolve the issue, restart the network service by running the following command from the host's CLI:
systemctl restart network
You can also consider running commands to manually restart the interface. For example, you update the configuration for an interface called "ens192", use the following command syntax to load the new configuration and note any further errors in the resulting output:
ifdown ens192 ; ifup ens192
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":["Deployment"],"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS015169158","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
23 January 2024
UID
ibm17107835