Troubleshooting Common Communication Errors
If you do not utilize a proxy and the agent is to communicate to our platform directly via the internet (WinHTTP error code: 12180), you can try the following the steps below to validate successful communication to our platform from the impacted agent host:
-
Open a browser and navigate to your respective platform URL. As depicted by the attached image for US Platform 1 as an example, the arrows/boxes indicate that the connection is successful and secure.
If it is then it means that the browser is able to connect with Qualys Cloud Platform over port 443, correct certificate, TLS, and cipher support.
If this is unsuccessful, then another application (browser) on impacted host is not able to connect. Please contact your network team as your assets must be able to reach your Qualys Cloud Platform (or the Qualys Private Cloud Platform) over HTTPS port 443.
If this is successful but Agent is still unable to connect, perform Step 2.
-
Execute
curl –vvv <platform URL>
Example for IN Platform 1
curl –v https://qagpublic.qg1.apps.qualys.in/status
Use the following if using proxy:
curl -x < proxy url:port> -v https://qagpublic.qg1.apps.qualys.in/status
Use the following with Cloud Agent header:
curl -i -v -H "User-Agent:QAgent" -x < proxy url:port> https://qagpublic.qg1.apps.qualys.in/status
This is useful for Patch Management troubleshooting to download patch using curl while passing Cloud Agent header.
If curl is not installed and cannot be installed, then following PowerShell command can be used, however, this will not provide output that shows DNS resolution/ SSL Handshake.
Successful CURL OutputSuccessful CURL Output
[root@xxipxx_CentOS ~]# curl -i -v -H "User-Agent:QAgent" -x http://10.115.117.223:1080 [10.115.117.223] https://qagpublic.qg1.apps.qualys.in/status
* Trying 10.115.117.223...
* TCP_NODELAY set
* Connected to 10.115.117.223 (10.115.117.223) port 1080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to qagpublic.qg1.apps.qualys.in:443
> CONNECT qagpublic.qg1.apps.qualys.in:443 HTTP/1.1
> Host: qagpublic.qg1.apps.qualys.in:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=Foster City; O=Qualys, Inc.; CN=qagpublic.qg1.apps.qualys.in
* start date: Dec 11 00:00:00 2023 GMT
* expire date: Dec 10 23:59:59 2024 GMT
* subjectAltName: host "qagpublic.qg1.apps.qualys.in" matched cert's "qagpublic.qg1.apps.qualys.in"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
* SSL certificate verify ok.
> GET /status HTTP/1.1
> Host: qagpublic.qg1.apps.qualys.in
> Accept: */*
> User-Agent:QAgent
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Length: 13
Content-Length: 13
< Content-Type: text/html
Content-Type: text/html
<
* Connection #0 to host 10.115.117.223 left intact
Expected Result
The highlighted 200 response is expected.
Troubleshooting Steps
If a 200 response is not received, please check network connectivity/speed, firewalls, and any anti-virus / HIPS software for any activity that could disrupt the curl/agent service connection to the platform.
If this is successful but the agent is still unable to connect then restriction in your environment is specifically for Qualys Cloud Agent. Take a PCAP capture or TCP Dump while restarting cloud agent service.
Capture Network Traffic
Wireshark/Network Monitor
-
Download Wireshark from https://www.wireshark.org/download.html and Install.
-
Enable Wireshark packet capture on the machine.
-
Restart the Agent service and wait till the issue gets reproduced, that is, verify that the Agent has generated the latest logs with the error code 12002/12152/12175, and so on.
-
Once the latest error logs are generated, stop packet capture and save this capture.
/ -
Compare the capture with the working capture screenshots presented here. Check where the request for qagpublic.qg1.apps.qualys.com domain is failing/getting Reset/finished.
You can capture network traffic without installing any third-party tool on Windows assets.
Capture Network Trace
-
Open an elevated command prompt and run the following command:
"netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl"Ensure that you have a
\tempdirectory or choose another location. Using persistent=yes will ensure that the packet tracing session resumes upon restarting the computer and continues to function until the“Netsh trace stop”command is issued. If unspecified, the default entry for persistent is no. -
Reproduce the issue by restarting the Cloud Agent service and wait till the issue gets reproduced, that is, verify that the agent has generated the latest logs with the error code 12002/12152/12175, and so on.
-
Once the latest error logs are generated, open an elevated command prompt and run:
"netsh trace stop"
Your trace will be stored in c:\temp\nettrace-boot.etl**or wherever you saved it.
Example of a successful connection between Cloud Agent and Qualys PlatformExample of a successful connection between Cloud Agent and Qualys Platform
DNS Search
DNS request and successful response
Connection Attempt with Qagpublic 
Successful TCP and SSL Handshake. Application data exchange denotes successful communication and data exchange between Qualys Cloud Agent and Qualys Cloud Platform.
You can verify the TLS version and Cipher Suite offered by asset in client hello.
Negotiated TLS Version and Cipher Suite in Server Hello
Certificate sent by server in Server Hello. Asset will verify if this certificate is present in its trusted store
Once the connection is validated to be successful if the agent is reporting a backoff multiplier, which is the amount of time (in seconds) the agent must wait for connection retry, please stop and restart the Cloud Agent service as this will refresh the multiplier and retry connection.
Steps to Restart Cloud Agent for Windows Service
From a command prompt, execute the following commands as an administrator to stop and restart the Qualys Cloud Agent service on Windows OS:
-
sc stop qualysagent
-
sc start qualysagent
Steps to Restart Cloud Agent for Linux/Mac Service
Terminal Commands to restart Cloud Agent for UNIX service:
-
sudo systemctl stop qualys-cloud-agent
-
sudo systemctl start qualys-cloud-agent