Troubleshoot AlgoSec SaaS HTTPS tunnel
This topic explains how to check tunnel connectivity, and to start, restart and stop the HTTPS tunnel (for troubleshooting purposes only).
Check tunnel connectivity if Chisel service is unresponsive
If the Chisel service is unresponsive, check connectivity between ASMS and the AlgoSec SaaS Services.
Do the following:
- Run a cURL command based on your environment using the following Kafka host IPs or FQDNs for your host region:

Kafka hosts

NORTH AMERICA
IPs: 3.93.27.93, 3.89.34.12, 54.156.78.221
FQDNs: kafka1.us.algocare.algosec.com, kafka2.us.algocare.algosec.com, kafka3.us.algocare.algosec.com

EMEA
IPs: 3.126.155.34, 18.195.164.119, 18.158.179.49
FQDNs: kafka1.eu.algocare.algosec.com, kafka2.eu.algocare.algosec.com, kafka3.eu.algocare.algosec.com

APAC (ANZ)
IPs: 54.79.229.77, 52.63.122.113, 3.24.129.179
FQDNs: kafka1.anz.algocare.algosec.com, kafka2.anz.algocare.algosec.com, kafka3.anz.algocare.algosec.com

Middle East (ME)
IPs: 16.24.56.160, 15.184.62.199, 15.184.119.117
FQDNs: kafka1.me.algocare.algosec.com, kafka2.me.algocare.algosec.com, kafka3.me.algocare.algosec.com

Middle East (UAE)
IPs: 3.28.175.107, 3.28.108.196, 51.112.85.53
FQDNs: kafka1.uae.algocare.algosec.com, kafka2.uae.algocare.algosec.com, kafka3.uae.algocare.algosec.com

IND
IPs: 35.154.207.124, 3.7.173.136, 3.7.20.28
FQDNs: kafka1.ind.algocare.algosec.com, kafka2.ind.algocare.algosec.com, kafka3.ind.algocare.algosec.com

  - No Proxy Server: If you are not using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:
    curl -v -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health
  - With Proxy Server: If you are using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host IPs in your host region:
    curl -pvx <proxy-server-ip>:<proxy-server-port> -U <proxy-server username>:<proxy-server password> -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health
The cURL command checks that the tunnel can be established. A successful result returns:
200 OK
Any other result shows that there are routing rules in the customer environment that block the traffic.
Note: If you cannot connect to the Kafka host via FQDN but you can using the host IP, check that you have a DNS server configured.
- If Chisel still doesn't establish connectivity with AlgoSec SaaS Services:
  - No Proxy Server: Run a traffic recording on the ASMS machine to understand the problem.
  - With Proxy Server: Run a traffic recording on the ASMS machine and the proxy server to understand the problem.
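The connectivity check above, scripted for a whole region, as an added example that is not AlgoSec's own code: it runs the page's cURL health check against every host and applies the page's reading of the results (200 means the tunnel can be established; hosts that answer by IP but not by FQDN point to DNS). The function names and the PROXY and PROXY_AUTH variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not AlgoSec code). Function names, PROXY and PROXY_AUTH are
# assumptions of this sketch; the curl target and port come from the page.

# probe HOST: print the HTTP status of the page's health check ("000" when
# no response arrived). PROXY=<ip>:<port> and PROXY_AUTH=<user>:<password>
# switch to the proxy variant of the command.
probe() {
    host=$1
    set -- -s -o /dev/null -w '%{http_code}' --max-time 10 -X CONNECT
    if [ -n "${PROXY:-}" ]; then
        set -- "$@" -p -x "$PROXY"
        if [ -n "${PROXY_AUTH:-}" ]; then set -- "$@" -U "$PROXY_AUTH"; fi
    fi
    curl "$@" "http://$host:8082/health" 2>/dev/null || true
}

# count_failures "HOST1 HOST2 ...": log "HOST CODE" per host on stderr and
# print the number of hosts that did not return 200 on stdout.
count_failures() {
    failed=0
    for h in $1; do
        code=$(probe "$h")
        echo "$h $code" >&2
        if [ "$code" != "200" ]; then failed=$((failed + 1)); fi
    done
    echo "$failed"
}

# check_region "IP1 IP2 IP3" "FQDN1 FQDN2 FQDN3": print one diagnosis word.
check_region() {
    ip_failed=$(count_failures "$1")
    fqdn_failed=$(count_failures "$2")
    if [ "$ip_failed" -gt 0 ]; then
        echo BLOCKED      # a host IP did not return 200: traffic is blocked
    elif [ "$fqdn_failed" -gt 0 ]; then
        echo CHECK_DNS    # IPs answer, names do not: check the DNS server
    else
        echo OK           # every host returned 200
    fi
}

# Stand-alone use: sh kafka_check.sh "<region IPs>" "<region FQDNs>"
if [ "$#" -eq 2 ]; then check_region "$1" "$2"; fi
```

The per-host status lines go to stderr, so the single diagnosis word on stdout can be consumed by a monitoring job.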
To start/restart the HTTPS tunnel
We recommend you perform the following procedure on the Central Manager since changes to the HTTPS tunnel will be propagated, in any case, to all nodes. If required, you can also start and restart the tunnel on specific nodes.
Note: When the HTTPS tunnel is not running, the Start HTTPS tunnel option appears in the steps below. When it is already running, the Restart HTTPS tunnel option appears.
Do the following:
- In the algosec_conf main menu, enter 14 Product and cloud configuration.
- Enter 3 Cloud Integration.
- Enter 3 HTTPS tunnel Configuration.
- Enter 1 Start/Restart HTTPS tunnel.
- Confirm by entering y. The tunnel starts/restarts.