Troubleshoot AlgoSec SaaS HTTPS tunnel

This topic explains how to check tunnel connectivity, and to start, restart and stop the HTTPS tunnel (for troubleshooting purposes only).

Check tunnel connectivity if Chisel service is unresponsive

If the Chisel service is unresponsive, check connectivity between ASMS and the AlgoSec SaaS Services.

Do the following:

  1. Run a cURL command based on your environment using the following Kafka host IPs or FQDNs for your host region:

    Kafka hosts

    NORTH AMERICA
      IPs:   3.93.27.93, 3.89.34.12, 54.156.78.221
      FQDNs: kafka1.us.algocare.algosec.com, kafka2.us.algocare.algosec.com, kafka3.us.algocare.algosec.com

    EMEA
      IPs:   3.126.155.34, 18.195.164.119, 18.158.179.49
      FQDNs: kafka1.eu.algocare.algosec.com, kafka2.eu.algocare.algosec.com, kafka3.eu.algocare.algosec.com

    APAC (ANZ)
      IPs:   54.79.229.77, 52.63.122.113, 3.24.129.179
      FQDNs: kafka1.anz.algocare.algosec.com, kafka2.anz.algocare.algosec.com, kafka3.anz.algocare.algosec.com

    Middle East (ME)
      IPs:   16.24.56.160, 15.184.62.199, 15.184.119.117
      FQDNs: kafka1.me.algocare.algosec.com, kafka2.me.algocare.algosec.com, kafka3.me.algocare.algosec.com

    Middle East (UAE)
      IPs:   3.28.175.107, 3.28.108.196, 51.112.85.53
      FQDNs: kafka1.uae.algocare.algosec.com, kafka2.uae.algocare.algosec.com, kafka3.uae.algocare.algosec.com

    IND
      IPs:   35.154.207.124, 3.7.173.136, 3.7.20.28
      FQDNs: kafka1.ind.algocare.algosec.com, kafka2.ind.algocare.algosec.com, kafka3.ind.algocare.algosec.com

    • No Proxy Server: If you are not using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:

      curl -v -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health
    • With Proxy Server: If you are using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:

      curl -pvx <proxy-server-ip>:<proxy-server-port> -U <proxy-server username>:<proxy-server password> -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

    The cURL command checks that the tunnel can be established. A successful result returns:

     200 OK

    Any other result shows that there are routing rules in the customer environment that block the traffic.

    Note: If you cannot connect to the Kafka host via FQDN but you can using the host IP, check that you have a DNS server configured.

  2. If Chisel still doesn't establish connectivity with AlgoSec SaaS Services:

    • No Proxy Server: Run a traffic recording on the ASMS machine to understand the problem.

    • With Proxy Server: Run a traffic recording on the ASMS machine and the proxy server to understand the problem.
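
The step 1 check, looped over a region's Kafka hosts and interpreted with the rules given there (200 on both, reachable by IP only, anything else). This is an added example, not AlgoSec's own tooling; the script name, the `fqdn=ip` argument format and the `PROXY`/`PROXY_AUTH` variables are assumptions.

```sh
#!/bin/sh
# Added example: run the step 1 health check against each Kafka host and interpret it.
# Usage (assumed script name and argument format, one fqdn=ip pair per host):
#   ./check_kafka.sh kafka1.eu.algocare.algosec.com=3.126.155.34 ...
# Optional, assumed variable names: PROXY=<ip>:<port> PROXY_AUTH=<username>:<password>

# Print the HTTP status of the CONNECT check for one target ("000" if no response).
probe() (
  target=$1
  set -- -s -o /dev/null -m 10 -w '%{http_code}' -X CONNECT
  if [ -n "${PROXY:-}" ]; then
    set -- "$@" -p -x "$PROXY"
    if [ -n "${PROXY_AUTH:-}" ]; then set -- "$@" -U "$PROXY_AUTH"; fi
  fi
  curl "$@" "http://${target}:8082/health" 2>/dev/null || true
)

# Map the FQDN and IP statuses of one host to a verdict.
classify() {
  if [ "$1" = 200 ] && [ "$2" = 200 ]; then
    echo OK
  elif [ "$2" = 200 ]; then
    echo DNS        # reachable by IP only: check the DNS server configuration
  else
    echo BLOCKED    # any other result: routing rules block the traffic
  fi
}

# Check every fqdn=ip pair; exit status 1 if any host is not OK.
main() (
  failed=0
  for pair in "$@"; do
    fqdn=${pair%%=*}
    ip=${pair#*=}
    verdict=$(classify "$(probe "$fqdn")" "$(probe "$ip")")
    printf '%-34s %-16s %s\n' "$fqdn" "$ip" "$verdict"
    [ "$verdict" = OK ] || failed=1
  done
  exit "$failed"
)

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit status means at least one host needs the follow-up in step 2.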

To start/restart the HTTPS tunnel

We recommend you perform the following procedure on the Central Manager since changes to the HTTPS tunnel will be propagated, in any case, to all nodes. If required, you can also start and restart the tunnel on specific nodes.

Note: When the HTTPS tunnel is not running, the Start HTTPS tunnel option appears in the steps below. When it is already running, the Restart HTTPS tunnel option appears.

Do the following:

  1. In the algosec_conf main menu, enter 14 Product and cloud configuration.

  2. Enter 3 Cloud Integration.

  3. Enter 3 HTTPS tunnel Configuration.

  4. Enter 1 Start/Restart HTTPS tunnel.

  5. Confirm by entering y. The tunnel starts/restarts.