Troubleshooting
Problem
Symptom
The System and License Management tabs show a managed host with status UNKNOWN.
The following image illustrates a managed host with status Unknown in system and license management tab:
Cause
Diagnosing The Problem
- Use SSH to log in to the QRadar Console as the root user.
-
Verify whether the console is able to SSH into the managed host with UNKNOWN status:
ssh <managed host ip>
Result
If you get a response similar to the following, you have confirmed the issue with the communication is because of a mismatch in the SSH ciphers:Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: 3des-cbc
Resolving The Problem
- Use SSH to log in to the QRadar Console as the root user.
-
Note the console ciphers from the SSH configuration:
grep '^Ciphers' /etc/ssh/sshd_config
Output example:Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-
Connect to the managed host by using an out-of-band management approach. For example, IMM, XCC WebUI, or equivalent (KVM, iDRAC).
Note: Integrated Management Module (IMM) is present only on QRadar® M3, M4, and M5 appliances. QRadar® M6 appliances use XClarity Controller (XCC) instead. -
Verify whether the ciphers of the managed host are different than those on the console:
grep '^Ciphers' /etc/ssh/sshd_config
In the following example, the cipher is 3des-cbc, which was not listed on the console.
Ciphers 3des-cbc
-
Back up the SSH configuration of the managed host:
cp /etc/ssh/sshd_config /root/sshd_config.backup
-
Configure the right ciphers in the managed host:
ciphers="<The ciphers of the console>" sed -i "s/^Ciphers.*/$(echo $ciphers)/g" /etc/ssh/sshd_config;ciphers=""
Example:ciphers="Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" sed -i "s/^Ciphers.*/$(echo $ciphers)/g" /etc/ssh/sshd_config;ciphers=""
-
Restart the SSH service in the managed host.
systemctl restart sshd
Administrator configured the correct ciphers in the managed host and is now able to SSH from the console to the managed host. For more information about SSH, see QRadar: About Secure Shell (SSH).
Related Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 May 2023
UID
ibm11033252