Troubleshooting Common Communication Error
Click to view navigation pane

Home

Troubleshooting Common Communication Errors

If you do not utilize a proxy and the agent is to communicate to our platform directly via the internet (WinHTTP error code: 12180), you can try the following the steps below to validate successful communication to our platform from the impacted agent host: 

  1. Open a browser and navigate to your respective platform URL. As depicted by the attached image for US Platform 1 as an example, the arrows/boxes indicate that the connection is successful and secure.

    connection to Qualys platform

    If it is then it means that the browser is able to connect with Qualys Cloud Platform over port 443, correct certificate, TLS, and cipher support.

    If this is unsuccessful, then another application (browser) on impacted host is not able to connect. Please contact your network team as your assets must be able to reach your Qualys Cloud Platform (or the Qualys Private Cloud Platform) over HTTPS port 443.

    If this is successful but Agent is still unable to connect, perform Step 2. 

  2. Execute curl –vvv <platform URL> 

Example for IN Platform 1  

curl –v https://qagpublic.qg1.apps.qualys.in/status

Use the following if using proxy:

curl -x < proxy url:port> -v https://qagpublic.qg1.apps.qualys.in/status

Use the following with Cloud Agent header:

curl -i -v -H "User-Agent:QAgent" -x < proxy url:port> https://qagpublic.qg1.apps.qualys.in/status

This is useful for Patch Management troubleshooting to download patch using curl while passing cloud agent header.

If curl is not installed and cannot be installed, then following PowerShell command can be used, however, this will not provide output that shows DNS resolution/ SSL Handshake.

Invoke-WebRequest -Uri 'https://qagpublic.qg1.apps.qualys.in/status' -UseBasicParsing -DisableKeepAlive -Proxy <proxy url:port>

Successful CURL OutputSuccessful CURL Output 

[root@xxipxx_CentOS ~]# curl -i -v -H "User-Agent:QAgent" -x http://10.115.117.223:1080 [10.115.117.223] https://qagpublic.qg1.apps.qualys.in/status
‎*   Trying 10.115.117.223...
‎* TCP_NODELAY set
‎* Connected to 10.115.117.223 (10.115.117.223) port 1080 (#0)
‎* allocate connect buffer!
‎* Establish HTTP proxy tunnel to qagpublic.qg1.apps.qualys.in:443
‎> CONNECT qagpublic.qg1.apps.qualys.in:443 HTTP/1.1
‎> Host: qagpublic.qg1.apps.qualys.in:443
‎> User-Agent: curl/7.61.1
‎> Proxy-Connection: Keep-Alive
‎> 
‎< HTTP/1.1 200 Connection established
‎HTTP/1.1 200 Connection established
‎< 

‎* Proxy replied 200 to CONNECT request
‎* CONNECT phase completed!
‎* ALPN, offering h2
‎* ALPN, offering http/1.1
‎* successfully set certificate verify locations:
‎*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
‎  CApath: none
‎* TLSv1.3 (OUT), TLS handshake, Client hello (1):
‎* CONNECT phase completed!
‎* CONNECT phase completed!
‎* TLSv1.3 (IN), TLS handshake, Server hello (2):
‎* TLSv1.2 (IN), TLS handshake, Certificate (11):
‎* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
‎* TLSv1.2 (IN), TLS handshake, Server finished (14):
‎* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
‎* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
‎* TLSv1.2 (OUT), TLS handshake, Finished (20):
‎* TLSv1.2 (IN), TLS handshake, Finished (20):
‎* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
‎* ALPN, server accepted to use http/1.1
‎* Server certificate:
‎*  subject: C=US; ST=California; L=Foster City; O=Qualys, Inc.; CN=qagpublic.qg1.apps.qualys.in
‎*  start date: Dec 11 00:00:00 2023 GMT
‎*  expire date: Dec 10 23:59:59 2024 GMT
*  subjectAltName: host "qagpublic.qg1.apps.qualys.in" matched cert's "qagpublic.qg1.apps.qualys.in"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
> GET /status HTTP/1.1
> Host: qagpublic.qg1.apps.qualys.in
> Accept: */*
> User-Agent:QAgent

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Length: 13
Content-Length: 13
< Content-Type: text/html
Content-Type: text/html


* Connection #0 to host 10.115.117.223 left intact

Expected Result

The highlighted 200 response is expected. 

Troubleshooting Steps 

If a 200 response is not received, please check network connectivity/speed, firewalls, and any anti-virus / HIPS software for any activity that could disrupt the curl/agent service connection to the platform. 

‎If this is successful but the agent is still unable to connect then restriction in your environment is specifically for Qualys Cloud Agent. Take a PCAP capture or TCP Dump while restarting cloud agent service.

Capture Network Traffic

Wireshark/Network Monitor

  1. Download Wireshark from https://www.wireshark.org/download.html and Install.

  2. Enable Wireshark packet capture on the machine.

  3. Restart the Agent service and wait till the issue gets reproduced, that is,  verify that the Agent has generated the latest logs with the error code 12002/12152/12175, and so on.

  4. Once the latest error logs are generated, stop packet capture and save this capture.

    /

  5. Compare the capture with the working capture screenshots presented here. Check where the request for qagpublic.qg1.apps.qualys.com domain is failing/getting Reset/finished.

You can capture network traffic without installing any third-party tool on Windows assets.

Capture Network Trace

  1. Open an elevated command prompt and run the following command:

    "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl"

    Ensure that you have a \temp directory or choose another location. Using persistent=yes will ensure that the packet tracing session resumes upon restarting the computer and continues to function until the “Netsh trace stop” command is issued. If unspecified, the default entry for persistent is no.

  2. Reproduce the issue by restarting the Cloud Agent service and wait till the issue gets reproduced, that is, verify that the agent has generated the latest logs with the error code 12002/12152/12175, and so on.

  3. Once the latest error logs are generated, open an elevated command prompt and run: "netsh trace stop"

Your trace will be stored in c:\temp\nettrace-boot.etl**or wherever you saved it.

Example of a successful connection between Cloud Agent and Qualys PlatformExample of a successful connection between Cloud Agent and Qualys Platform

DNS Search 

 DNS request and successful response 

 

Connection Attempt with Qagpublic  

Successful TCP and SSL Handshake. Application data exchange denotes successful communication and data exchange between Qualys Cloud Agent and Qualys Cloud Platform. 

A computer screen with text Description automatically generated 

You can verify the TLS version and Cipher Suite offered by asset in client hello. 

 

Negotiated TLS Version and Cipher Suite in Server Hello 

A computer screen with text and numbers Description automatically generated 

Certificate sent by server in Server Hello. Asset will verify if this certificate is present in its trusted storeA screenshot of a computer Description automatically generated 

Once the connection is validated to be successful if the agent is reporting a backoff multiplier, which is the amount of time (in seconds) the agent must wait for connection retry, please stop and restart the cloud agent service as this will refresh the multiplier and retry connection. 

Steps to Restart Cloud Agent for Windows Service

From a command prompt, execute the following commands as an administrator to stop and restart the Qualys Cloud Agent service on Windows OS: 

Steps to Restart Cloud Agent for Linux/Mac Service

Terminal Commands to restart Cloud Agent for UNIX service: