Troubleshoot Engine Connectivity - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-04-11
Category
Administrator Guide
Solution
Cloud
Abstract

Troubleshoot engine connectivity.

The following provides instructions for troubleshooting connectivity issues from the engine to the endpoint.

  1. Follow the instructions in network troubleshooting.

  2. Ensure that the engine can reach the endpoint by running the following command on the server engine.

    sudo curl -kvv <endpointURL>

  3. If the engine could not reach the endpoint, try the IP with curl instruction adding the http(s)//, or try using ping.

    If this works, add the IP to the /etc/hosts file with the hostname and try to reach the endpoint again by running the following command on the engine server

    sudo curl -kvv <endpointURL>

    If this still fails, then this is an issue of connectivity between the engine and endpoint and you need to resolve this with your networking team.

  4. Once connectivity has been confirmed via curl:

    • Try connecting within Docker without passing host networking.

      docker run -it --rm demisto/netutils:1.0.0.6138 curl -kvv <endpointURL>

      If this succeeds but the integration still fails, it could be an integration credentials issue. In that case, open a support case.

    • If without passing host networking fails, run the following:

      docker run -it --rm --network=host demisto/netutils:1.0.0.6138 curl -kvv <endpointURL>

      If this succeeds, add "python.pass.extra.keys": "--network=host" to /usr/local/demisto/d1.conf and retest the integration.

      If you see a Docker or Selinux issue, see Troubleshoot Docker Networking Issues.

  5. If the installation issue remains, open a support case with logs from the engine.

    1. On the engine server, in /usr/local/demisto/d1.conf, set "LogLevel": "debug”.

    2. Restart the d1 service and let it run for a few minutes.

      sudo systemctl restart d1

    3. Capture a journalctl:

      journalctl --since "1 day ago" > engineTroubleshootingJournalctl.log

    4. On the engine server, tar up the logs, conf, journalctl, and install log on the engine.

      tar -cvzf engineLogs.tar.gz /var/log/demisto /usr/local/demisto/d1.conf /tmp/demisto_install.log engineTroubleshootingJournalctl.log

Engine 443 Error

This error can occur when a connection is established between an engine and the Cortex XSOAR tenant, because, by default, Linux does not allow processes to listen on low-level ports.

Error Message

listen tcp :443: bind: permission denied

Solution

  • In the d1.conf file, change the port number to a higher one, for example, 8443.

  • Run this command: sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary. After running this command the server should be able to bind to low-numbered ports.

Bad Handshake Error

This error can occur in the engine logs relating to a bad handshake on the engine trying to connect to a Cortex XSOAR tenant.

Error Message

Cannot connect to [wss:/xxx]: [wss://xxx|wss://xxx/]: websocket: bad handshake

Solution

Verify that time is synchronized on the engine to a reliable NTP source. When timing is off on the engine, this can cause a failure during the SSL/TLS handshake process. When time is resynced, connectivity from the engine to the parent server should be restored.