The following tips should help you when troubleshooting issues that might come up.

Key Mismatch issue

This occurs when the private keys in Chronicle SOAR and the Remote agent do not match. To solve this, make sure there is no difference between the key in the Siemplify agent_db and the key in the agent resources.

Remote Connector fails

If the Remote Connector fails, first check that an integration instance is successfully installed in the agent.
Next, check the agent logs at error level to see whether any entries indicate that something failed in the process.
Finally, test the same connector locally and see whether it produces errors.

Docker agent deployment fails

If the Docker deployment fails, follow these steps:

  1. Remove Docker container
     docker ps 
     docker rm <container_id> -f
  2. Remove images
     docker images 
     docker rmi <image_id>
  3. Remove volumes
     docker volume ls
     docker volume rm <volume_name>
  4. Deploy again according to the instructions listed in Create Agent with Docker.

Agent is stuck in ‘waiting for agent’ status although the agent container was deployed successfully.

  1. Check that the server host of the agent has internet connectivity (for example, ‘curl www.google.com’ or ‘ping 8.8.8.8’). If the connection fails, the issue is with the internet connection.
  2. If the first step passes, enter the container:
    docker exec -it <container_name/id> bash
  3. Check the connectivity again as you did in step 1. If there is no connectivity, restart the Docker service from the host machine (not from inside the container):
    service docker restart
  4. Start the container again:
    docker start <container_name/id>
  5. If the last step did not help, and refreshing the Remote agent page in Chronicle SOAR still shows the agent status as ‘waiting for agent’, log back in to the container, pull the logs from /var/log/SiemplifyAgent/ and look for any errors.

Docker Image (IPv4 forwarding is disabled)

  1. When trying to load a Chronicle SOAR Docker image (system) or agent and this appears in your CLI:
  2. Add this line to /etc/sysctl.conf:
    net.ipv4.ip_forward=1
    Note that you will need to use a file editor (nano, for example; to install it, use: yum install nano -y).
    Then restart the network and Docker services:
    systemctl restart network
    sudo systemctl restart docker
  3. Enter docker ps to check if the container is running. If it’s not running, enter docker ps -a to see all the containers, including the stopped ones.
  4. To start it, run docker start <container_ID>
  5. If the agent / system is not running yet:
    1. Stop the container: docker stop <container_ID>
    2. Delete it: docker rm <container_ID>
    3. Delete the image: docker rmi <image_name>
    4. Next, load the image again.
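
An added example, not part of the original documentation: a shell helper for step 2 above that appends net.ipv4.ip_forward=1 to /etc/sysctl.conf only when it is not already the effective setting, so repeated troubleshooting runs do not pile up duplicate or conflicting lines. The function names and the .bak backup copy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Print the value of the last uncommented net.ipv4.ip_forward assignment in
# the given file, or nothing if the key is not set. Settings are applied in
# file order, so the last assignment is the one that takes effect.
effective_ip_forward() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }          # skip comment lines
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)      # tolerate "key = value" spacing
            gsub(/[[:space:]]/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Make net.ipv4.ip_forward=1 the effective setting in the given file
# (default /etc/sysctl.conf). Leaves the file untouched when it is already
# correct; otherwise saves a .bak copy and appends the line.
# Returns 0 on success, 1 on error.
ensure_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    if [ "$(effective_ip_forward "$conf")" = "1" ]; then
        echo "ok: net.ipv4.ip_forward=1 already effective in $conf"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1     # backup before editing
    printf '\nnet.ipv4.ip_forward=1\n' >> "$conf" || return 1
    echo "changed: appended net.ipv4.ip_forward=1 to $conf"
}

# Usage (as root): ensure_ip_forward /etc/sysctl.conf
# then restart the network and Docker services as described in step 2.
```
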

Error after shutdown or reboot of Agent

To force-start the Installer agent, enter the following command:
systemctl start supervisord

To force-start the Docker agent, enter the following command:
docker start <container_id>