Troubleshoot AlgoSec SaaS HTTPS tunnel

This topic explains how to check tunnel connectivity, and how to start, restart or remove the HTTPS tunnel, for troubleshooting purposes only.

Check tunnel connectivity if the Chisel service is unresponsive

If the Chisel service is unresponsive, check connectivity between ASMS and the AlgoSec SaaS Services.

Do the following:

  1. Run the cURL command that matches your environment against the Kafka host IPs or FQDNs listed below for your host region:

    Kafka hosts

    NORTH AMERICA
      IPs:   3.93.27.93, 3.89.34.12, 54.156.78.221
      FQDNs: kafka1.us.algocare.algosec.com, kafka2.us.algocare.algosec.com, kafka3.us.algocare.algosec.com

    EMEA
      IPs:   3.126.155.34, 18.195.164.119, 18.158.179.49
      FQDNs: kafka1.eu.algocare.algosec.com, kafka2.eu.algocare.algosec.com, kafka3.eu.algocare.algosec.com

    APAC (ANZ)
      IPs:   54.79.229.77, 52.63.122.113, 3.24.129.179
      FQDNs: kafka1.anz.algocare.algosec.com, kafka2.anz.algocare.algosec.com, kafka3.anz.algocare.algosec.com

    Middle East (ME)
      IPs:   16.24.56.160, 15.184.62.199, 15.184.119.117
      FQDNs: kafka1.me.algocare.algosec.com, kafka2.me.algocare.algosec.com, kafka3.me.algocare.algosec.com

    Middle East (UAE)
      IPs:   3.28.175.107, 3.28.108.196, 51.112.85.53
      FQDNs: kafka1.uae.algocare.algosec.com, kafka2.uae.algocare.algosec.com, kafka3.uae.algocare.algosec.com

    IND
      IPs:   35.154.207.124, 3.7.173.136, 3.7.20.28
      FQDNs: kafka1.ind.algocare.algosec.com, kafka2.ind.algocare.algosec.com, kafka3.ind.algocare.algosec.com

    • No Proxy Server: If you are not using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:

      curl -v -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

    • With Proxy Server: If you are using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:

      curl -pvx <proxy-server-ip>:<proxy-server-port> -U <proxy-server username>:<proxy-server password> -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

    The cURL command checks that the tunnel can be established. A successful result returns:

     200 OK

    Any other result indicates that routing rules in the customer environment are blocking the traffic.

    Note: If you cannot connect to the Kafka host via FQDN but you can using the host IP, check that you have a DNS server configured.

  2. If Chisel still does not establish connectivity with the AlgoSec SaaS Services:

    • No Proxy Server: Run a traffic recording on the ASMS machine to understand the problem.

    • With Proxy Server: Run a traffic recording on the ASMS machine and the proxy server to understand the problem.
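The following POSIX shell script is an added example, not part of the AlgoSec documentation or product. It wraps the check described above: it carries the Kafka host table, runs the page's cURL command for every IP and FQDN of a region (through the proxy when one is configured), classifies the verbose output by whether a 200 response came back, and applies the page's DNS rule (IP reachable but FQDN not means check the DNS server). The environment variable names PROXY_HOST, PROXY_PORT, PROXY_USER and PROXY_PASS are an assumption of this example.

```shell
#!/bin/sh
# Added example (not AlgoSec's own tooling): check ASMS -> AlgoSec SaaS tunnel
# connectivity for one region. Usage: sh check_tunnel.sh <us|eu|anz|me|uae|ind>
# Proxy settings are read from PROXY_HOST, PROXY_PORT, PROXY_USER, PROXY_PASS
# (variable names are an assumption of this example; leave PROXY_HOST unset
# when no proxy server is used).

# Print the three "ip fqdn" pairs of a region, one per line (values from the
# Kafka hosts table in the documentation).
kafka_hosts() {
    case "$1" in
        us)  printf '%s\n' "3.93.27.93 kafka1.us.algocare.algosec.com" \
                           "3.89.34.12 kafka2.us.algocare.algosec.com" \
                           "54.156.78.221 kafka3.us.algocare.algosec.com" ;;
        eu)  printf '%s\n' "3.126.155.34 kafka1.eu.algocare.algosec.com" \
                           "18.195.164.119 kafka2.eu.algocare.algosec.com" \
                           "18.158.179.49 kafka3.eu.algocare.algosec.com" ;;
        anz) printf '%s\n' "54.79.229.77 kafka1.anz.algocare.algosec.com" \
                           "52.63.122.113 kafka2.anz.algocare.algosec.com" \
                           "3.24.129.179 kafka3.anz.algocare.algosec.com" ;;
        me)  printf '%s\n' "16.24.56.160 kafka1.me.algocare.algosec.com" \
                           "15.184.62.199 kafka2.me.algocare.algosec.com" \
                           "15.184.119.117 kafka3.me.algocare.algosec.com" ;;
        uae) printf '%s\n' "3.28.175.107 kafka1.uae.algocare.algosec.com" \
                           "3.28.108.196 kafka2.uae.algocare.algosec.com" \
                           "51.112.85.53 kafka3.uae.algocare.algosec.com" ;;
        ind) printf '%s\n' "35.154.207.124 kafka1.ind.algocare.algosec.com" \
                           "3.7.173.136 kafka2.ind.algocare.algosec.com" \
                           "3.7.20.28 kafka3.ind.algocare.algosec.com" ;;
        *)   echo "unknown region: $1" >&2; return 1 ;;
    esac
}

# Run the documented cURL check for one host and return curl's verbose output
# (stderr merged, because -v writes the response line to stderr). The proxy
# form is used when PROXY_HOST is set.
run_check() {
    if [ -n "${PROXY_HOST:-}" ]; then
        curl -pvx "$PROXY_HOST:$PROXY_PORT" -U "$PROXY_USER:$PROXY_PASS" \
             -X CONNECT "http://$1:8082/health" 2>&1
    else
        curl -v -X CONNECT "http://$1:8082/health" 2>&1
    fi
}

# Classify captured curl -v output: "ok" only when a 200 response line is
# present (e.g. "< HTTP/1.1 200 OK"); anything else counts as blocked.
classify() {
    if printf '%s\n' "$1" | grep -q 'HTTP/[0-9.]* 200'; then
        echo ok
    else
        echo blocked
    fi
}

# Apply the documentation's rule: $1 is the result for the IP, $2 for the FQDN.
# IP works but FQDN fails -> the DNS server configuration is the suspect.
diagnose() {
    case "$1/$2" in
        ok/ok)      echo reachable ;;
        ok/blocked) echo check-dns ;;
        *)          echo blocked ;;
    esac
}

# Live check of every host in a region (needs network access to the hosts).
check_region() {
    kafka_hosts "$1" | while read -r ip fqdn; do
        ip_res=$(classify "$(run_check "$ip")")
        fqdn_res=$(classify "$(run_check "$fqdn")")
        printf '%-34s %s\n' "$fqdn" "$(diagnose "$ip_res" "$fqdn_res")"
    done
}

if [ $# -gt 0 ]; then
    check_region "$1"
fi
```

A host reported as "blocked" for both IP and FQDN points at routing rules in the customer environment, as the text above states; "check-dns" isolates the DNS case so that a missing resolver is not mistaken for a firewall problem. Run it once without PROXY_HOST and once with it set when you want to tell a proxy-side block from a direct-path block.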

About the HTTPS tunnel

When you integrate the AlgoSec SaaS solutions ObjectFlow, AppViz (SaaS) and AlgoCare with ASMS in A32.20, the HTTPS tunnel starts automatically and routes traffic from ASMS to AlgoSec SaaS. The tunnel encapsulates the traffic and encrypts it using the public key certificate mechanism.

Note: The HTTPS tunnel can run with or without a customer proxy server. If you have configured a proxy server in ASMS (see Define a proxy server) the HTTPS tunnel automatically routes traffic through it.

If you are using a proxy server, disable Proxy Content Inspection on it: inspecting the already-encrypted tunnel traffic adds redundant encryption and degrades the connection.

The following diagram illustrates the HTTPS tunnel architecture:

To start/restart the HTTPS tunnel

We recommend that you perform the following procedure on the Central Manager, since changes to the HTTPS tunnel are in any case propagated to all nodes. If required, you can also start and restart the tunnel on specific nodes.

Note: When the HTTPS tunnel is not running, the Start HTTPS tunnel option appears in the steps below. When it is already running, the Restart HTTPS tunnel option appears.

Do the following:

  1. In the algosec_conf main menu, enter 14 Product and cloud configuration.

  2. Enter 3 Cloud Integration.

  3. Enter 3 HTTPS tunnel Configuration.

  4. Enter 1 Start/Restart HTTPS tunnel.

  5. Confirm by entering y. The tunnel starts/restarts.

To remove the HTTPS tunnel

If you choose to remove the tunnel, ASMS-AlgoSec SaaS secure communication takes place directly over TLS, using port TCP/9094.

Note: When ASMS-AlgoSec SaaS secure communication takes place over TLS on port TCP/9094, make sure that connectivity on that port is open between ASMS and the relevant Kafka hosts for your region.

Do the following:

  1. In the algosec_conf main menu, enter 14 Product and cloud configuration.

  2. Enter 3 Cloud Integration.

  3. Enter 3 HTTPS tunnel Configuration.

  4. Enter 2 Remove HTTPS tunnel.

  5. Confirm by entering y. The tunnel is removed.