Troubleshoot AlgoSec SaaS HTTPS tunnel

This topic explains how to check tunnel connectivity, and to start, restart and stop the HTTPS tunnel (for troubleshooting purposes only).

Check tunnel connectivity if Chisel service is unresponsive

If Chisel service is unresponsive, check connectivity between ASMS and the AlgoSec SaaS Services.

There are two possible reasons for Chisel service unresponsiveness:

  • Outbound connectivity to AlgoSec SaaS over port 8082 is not open (routing, firewall, or proxy restrictions).

  • The traffic is detected as malware by a security device (for example, IPS/IDS, proxy, or security gateway).

To identify the root cause, perform the checks below in the specified order.

Do the following:

Step 1: Check tunnel connectivity including malware detection (recommended first)

This test validates:

  • Connectivity over port 8082

  • That the traffic is not blocked due to malware detection

Run a cURL command based on your environment using the following Kafka host IPs or FQDNs for your host region:

Note: If you cannot connect to the Kafka host via FQDN but you can using the host IP, check that you have a DNS server configured.

Kafka hosts

 

North America (US)

EMEA (EU)

APAC (ANZ)

 Middle East (ME)
IPs

3.93.27.93

3.89.34.12

54.156.78.221

3.126.155.34

18.195.164.119

18.158.179.49

54.79.229.77

52.63.122.113

3.24.129.179

16.24.56.160

15.184.62.199

15.184.119.117
FQDNs kafka1.us.algocare.algosec.com kafka2.us.algocare.algosec.com kafka3.us.algocare.algosec.com kafka1.eu.algocare.algosec.com kafka2.eu.algocare.algosec.com kafka3.eu.algocare.algosec.com kafka1.anz.algocare.algosec.com kafka2.anz.algocare.algosec.com kafka3.anz.algocare.algosec.com

kafka1.me.algocare.algosec.com
kafka2.me.algocare.algosec.com
kafka3.me.algocare.algosec.com
 

Middle East (UAE)

India (IND)

 Singapore (SGP)  
IPs

3.28.175.107

3.28.108.196

51.112.85.53

35.154.207.124

3.7.173.136

3.7.20.28

47.129.191.37

52.221.210.9

18.140.54.59

  
FQDNs

kafka1.uae.algocare.algosec.com
kafka2.uae.algocare.algosec.com
kafka3.uae.algocare.algosec.com

kafka1.ind.algocare.algosec.com
kafka2.ind.algocare.algosec.com
kafka3.ind.algocare.algosec.com 		kafka1.sgp.algocare.algosec.com
kafka2.sgp.algocare.algosec.com
kafka3.sgp.algocare.algosec.com 		 

  • No Proxy Server: If you are not using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host in your host region:

    Copy 
    curl -v -H "Sec-WebSocket-Protocol: chisel-v3" -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

  • With Proxy Server: If you are using a proxy server, run the following cURL command on the ASMS machine terminal for each of the Kafka host in your host region:

    Copy 
    curl -pvx <proxy-server-ip>:<proxy-server-port> \
    -U <proxy-server-username>:<proxy-server-password> \
    -H "Sec-WebSocket-Protocol: chisel-v3" \
    -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

Expected result:

  • Successful result returns:

     200 OK

  • Any other result:

    Indicates one of the following:

    • Routing rules or firewall policies in the customer environment are blocking the traffic

    • The traffic is detected as malware by a security device

    If the result is not 200 OK, continue to Step 2 to isolate the cause.

Step 2: Check tunnel connectivity for port access only (by-pass possible malware detection software)

Use this step only if Step 1 fails.

This test checks connectivity to port 8082 only, without the Chisel-specific header. It helps determine whether the issue is strictly related to routing or firewall rules.

  • No Proxy Server

    If you are not using a proxy server, run the following command on the ASMS machine terminal for each Kafka host in your region:

    Copy 
    curl -v -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

  • With Proxy Server

    If you are using a proxy server, run the following command on the ASMS machine terminal for each Kafka host in your region:

    Copy 
    curl -pvx <proxy-server-ip>:<proxy-server-port> \
    -U <proxy-server-username>:<proxy-server-password> \
    -X CONNECT http://<IP or FQDN of the Kafka host in your region>:8082/health

Expected result:

  • Successful result returns:

     200 OK

  • Any other result:

    Indicates that routing rules, firewall policies, or proxy restrictions in the customer environment are blocking outbound traffic over port 8082.

Step 3: Resolve and revalidate

  1. If Step 2 fails, fix the routing, firewall, or proxy rules to allow outbound traffic to the Kafka hosts over port 8082.

  2. Rerun the command in Step 1 (with the Sec-WebSocket-Protocol: chisel-v3 header).

  3. If Step 1 still fails after port access is confirmed, the traffic is likely being detected as malware, and the relevant security controls must be adjusted.

Step 4: Chisel still doesn't establish connectivity

If chisel still doesn't establish connectivity with AlgoSec SaaS Services:

  • No Proxy Server: Run a traffic recording on the ASMS machine to understand the problem.

  • With Proxy Server: Run a traffic recording on the ASMS machine and the proxy server to understand the problem.

To start/restart the HTTPS tunnel

We recommend you perform the following procedure on the Central Manager since changes to the HTTPS tunnel will be propagated, in any case, to all nodes. If required, you can also start and restart the tunnel on specific nodes.

Note: When the HTTPS tunnel is not running, the Start HTTPS tunnel option appears in the steps below. When it is already running, the Restart HTTPS tunnel option appears.

Do the following:

  1. In the algosec_conf main menu, enter 14 Product and cloud configuration.

  2. Enter 3 Cloud Integration.

  3. Enter 3 HTTPS tunnel Configuration.

  4. Enter 1 Start/Restart HTTPS tunnel.

  5. Confirm by entering y. The tunnel starts/restarts.