Troubleshooting
The following tips should help you when troubleshooting issues that might come up.
Key Mismatch issue
This occurs when the private keys in Chronicle SOAR and the Remote agent do not match. To solve this, make sure there is no difference between the key in Siemplify agent_db and the key in the agent resources.
Remote Connector fails
If the Remote Connector fails, the first thing to do is check that an integration instance is successfully installed in the agent.
Next, check the agent logs at error level to see if there are any logs indicating that anything failed in the process.
Test the same connector locally and see if there are errors.
Docker agent deployment fails
If the Docker deployment fails, follow these steps:
- Remove Docker container
docker ps
docker rm <container_id> -f
- Remove images
docker images
docker rmi <image_id>
- Remove volumes
docker volume ls
docker volume rm <volume_name>
- Deploy again according to the instructions listed in Create Agent with Docker.
Agent is stuck in ‘waiting for agent’ status although the agent container was deployed successfully.
- Check that the server host of the agent has internet connectivity (for example, ‘curl www.google.com’ or ‘ping 8.8.8.8’). If the connection fails, the issue is with the internet connection.
- If the first step passes, enter the container:
docker exec -it <container_name/id> bash
- Check the connectivity again as you did in step 1. If there is no connectivity, restart the Docker service (from the host machine and not the container):
service docker restart
- Start the container again:
docker start <container_name/id>
- If the last step did not help, and refreshing the Remote agent page in Chronicle SOAR still shows the agent status as ‘waiting for agent’, log back into the container, pull the logs from /var/log/SiemplifyAgent/ and look for any errors.
Docker Image (IPv4 forwarding is disabled)
- When trying to load a Chronicle SOAR Docker image (system) or agent and this appears in your CLI:
- Add this line to /etc/sysctl.conf:
net.ipv4.ip_forward=1
Note that you will need to use a file editor (like nano). To install nano, for example, use:
yum install nano -y
- Restart the network and Docker services:
systemctl restart network
sudo systemctl restart docker
- To check if the container is running, enter:
docker ps
- If it’s not running, enter the following to see all the containers, including the stopped ones:
docker ps -a
- To start it, run:
docker start <container_ID>
- If the agent / system is not running yet:
- Stop the container
docker stop <container_ID>
- Delete it
docker rm <container_ID>
- Delete the image
docker rmi <image_name>
- Next, load the image again.
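To confirm the IPv4 forwarding fix before reloading the image, compare what /etc/sysctl.conf configures with what the kernel is using right now. This script is an added example, not part of the original documentation; the function names and status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Print the value a sysctl.conf-style file assigns to a key.
# Comment lines (# or ;) and blank lines are skipped, spaces around "=" are
# tolerated, and the last assignment in the file wins.
sysctl_conf_value() {
    key=$1 file=$2
    [ -r "$file" ] || return 2
    awk -v key="$key" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; else exit 1 }
    ' "$file"
}

# Compare configured and live state of net.ipv4.ip_forward.
# Status labels (hypothetical names chosen for this example):
#   ok                      configured as 1 and active
#   configured-not-applied  set to 1 in the file, kernel not using it yet
#   runtime-only            active now, but the file does not set it to 1
#   disabled                neither configured as 1 nor active
ip_forward_status() {
    conf=${1:-/etc/sysctl.conf}
    proc=${2:-/proc/sys/net/ipv4/ip_forward}
    want=$(sysctl_conf_value net.ipv4.ip_forward "$conf") || want=unset
    live=$(cat "$proc" 2>/dev/null) || live=unknown
    case "$want:$live" in
        1:1) echo "ok" ;;
        1:*) echo "configured-not-applied" ;;
        *:1) echo "runtime-only" ;;
        *)   echo "disabled" ;;
    esac
}

# Stand-alone use: check this host (optional args: conf file, proc file).
ip_forward_status "$@"
```

A result of configured-not-applied means the restart steps above have not taken effect yet; runtime-only means forwarding will not be re-applied from this file at the next boot.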
Error after shutdown or reboot of Agent
To force start of Installer agent, enter the following command:
systemctl start supervisord
To force start of the Docker agent, enter the following command:
docker start <container_id>