Scanner Appliance Troubleshooting and FAQs

Document created by Qualys Documentation Employee on Jan 10, 2013. Last modified by Qualys Documentation Employee on Feb 27, 2020.
Version 14

The following FAQs apply to physical scanner appliances and virtual scanner appliances.

Communication Failure message

Appliance Network Errors

Network Errors using older appliance model

Tell me about proxy support

Tell me about split network configuration

 



Communication Failure message

The COMMUNICATION FAILURE message appears if there is a network breakdown between the scanner and the Qualys Cloud Platform.

 

The communication failure may be due to one of these reasons: the local network goes down, Internet connectivity is lost for some reason, or any of the network devices between the scanner and the Qualys Cloud Platform goes down.

 

Note the sequence of events following a network breakdown:

 

- If there are no scans and/or maps running on the appliance: The next time the scanner sends a polling request to the Qualys Cloud Platform, the polling request fails, and then the COMMUNICATION FAILURE message appears.

 

- If there are scans and/or maps running on the appliance: The COMMUNICATION FAILURE message appears after the running scans and/or maps time out. In this case it is recommended you cancel any running scans and/or maps and restart them to ensure that results are accurate.

 

Once the network breakdown is resolved, you'll see the scanner friendly name and IP address and you can start new scans.

 

The COMMUNICATION FAILURE message remains until the next time the scanner makes a successful polling request to the Qualys Cloud Platform. There may be a lag time after the network is restored and before the scanner is back online, depending on when the next polling request is scheduled. Additional time is necessary for communications to be processed by a Proxy server if the scanner has a Proxy configuration.

 

Appliance Network Errors

An appliance network error indicates the Scanner attempted to connect to the Qualys Cloud Platform and failed.
Important! The Scanner is not functional until the error is resolved.

 

LAN / WAN Errors

| Physical Scanner Appliance Error | Virtual / Cloud / Consultant Scanner Appliance Error | Solution |
|---|---|---|
| no CARRIER on LAN interface | The LAN network cable/port may be disconnected. | This error appears when attempting to configure proxy or personalization while the LAN network cable/port is disconnected. Check that the LAN port is connected. |
| no CARRIER on WAN interface | The WAN network cable/port may be disconnected. | This error appears when attempting to configure proxy or personalization while the WAN network cable/port is disconnected. Check that the WAN port is connected. |
| LAN has no IPv4 address | The LAN interface is unable to obtain a valid IPv4 address. | Check that the LAN cable/port is connected. If configuring LAN for DHCP-IP assignment, make sure the DHCP server is accessible and functional. |
| WAN has no IPv4 address | The WAN interface is unable to obtain a valid IPv4 address. | Check that the WAN cable/port is connected. If configuring WAN for DHCP-IP assignment, make sure the DHCP server is accessible and functional. |
| LAN has no DNS servers | LAN has no DNS servers configured | Check that the LAN interface has valid DNS servers configured. |
| WAN has no DNS servers | WAN has no DNS servers configured | Check that the WAN interface has valid DNS servers configured. |
| LAN DNS can't resolve QG URL | LAN DNS servers cannot resolve the QG URL=[<PlatformURL>] | Ensure the LAN’s configured DNS servers can resolve the Qualys Platform URL. See https://www.qualys.com/platform-identification/ for platform URLs. |
| WAN DNS can't resolve QG URL | WAN DNS servers cannot resolve the QG URL=[<PlatformURL>] | Ensure the WAN’s configured DNS servers can resolve the Qualys Platform URL. See https://www.qualys.com/platform-identification/ for platform URLs. |
| Invalid LAN IP configuration | Invalid or unusable IP in LAN configuration | Ensure a valid IP address is assigned to the LAN interface. |
| Invalid WAN IP configuration | Invalid or unusable IP in WAN configuration | Ensure a valid IP address is assigned to the WAN interface. |
| LAN DNS can't resolve proxy | LAN DNS servers cannot resolve proxy FQDN=<ProxyFQDN> | Ensure LAN DNS server(s) can resolve the scanner’s configured proxy hostname. |
| WAN DNS can't resolve proxy | WAN DNS servers cannot resolve proxy FQDN=<ProxyFQDN> | Ensure WAN DNS server(s) can resolve the scanner’s configured proxy hostname. |
| N/A | Different types/models of Network adapters are configured. Qualys advises against doing that. | For VMware-based scanners, select the same network adapter type for LAN and WAN interfaces, e.g. vmxnet3 for LAN and WAN network adapters. |
| LAN DHCP lease has no gateway | LAN DHCP lease has no valid gateway | Ensure DHCP server is assigning a valid gateway for LAN interface. |
| WAN DHCP lease has no gateway | WAN DHCP lease has no valid gateway | Ensure DHCP server is assigning a valid gateway for WAN interface. |
| Duplicate LAN and WAN config | LAN and WAN are on the same network [<IPaddress>] | Ensure LAN interface has network connectivity to its configured DNS servers. |
| LAN DNS server not reachable | LAN DNS servers [<DNS1>, <DNS2>] not reachable | Ensure LAN interface has network connectivity to its configured DNS servers. |
| WAN DNS server not reachable | WAN DNS servers [<DNS1>, <DNS2>] not reachable | Ensure WAN interface has network connectivity to its configured DNS servers. |
| LAN and WAN same gateway | LAN and WAN has the same gateway address [<GatewayIP>] | LAN and WAN must be configured with different subnets and gateway addresses. |
| Duplicate IP detected | Another host already uses the same address on LAN/WAN | Ensure LAN/WAN is configured with an IP address that is not already in use by another host on the network. |

Proxy Errors

| Physical Scanner Appliance Error | Virtual / Cloud / Consultant Scanner Appliance Error | Solution |
|---|---|---|
| Invalid proxy IP | Invalid or unusable proxy IP=<IPaddress> | Ensure proxy configuration on the scanner is configured with a valid IP address for the proxy. |
| Invalid proxy auth config | Empty username configured for proxy authentication. | Ensure proxy configuration on the scanner is configured with valid proxy username and password. |
| unexpected proxy HTTP/403 | Error: Connection with local proxy was interrupted while receiving data: curl_code=56 err=[Received HTTP code 403 from proxy after CONNECT] url=<PlatformURL>/msp/iscan_init_time.php via_proxy=<ProxyIP>:<ProxyPort> connect_code=403 local_ip=<ScannerIP>:38250 iface=eth0 remote_ip=<ProxyIP>:<ProxyPort> | Ensure configured proxy user on the scanner has authorization to connect to the Qualys Platform. See https://www.qualys.com/platform-identification/ for platform URLs. |
| unexpected proxy HTTP/407 | Error: Connection with local proxy was interrupted while receiving data: curl_code=56 err=[Received HTTP code 407 from proxy after CONNECT] url=<PlatformURL>/msp/iscan_init_time.php via_proxy=<ProxyIP>:<ProxyPort> connect_code=407 local_ip=<ScannerIP>:38248 iface=eth0 remote_ip=<ProxyIP>:<ProxyPort> | Ensure the scanner is configured with valid proxy username and password. See https://www.qualys.com/platform-identification/ for platform URLs. |
| unexpected proxy HTTP/503 | Error: Connection with local proxy was interrupted while receiving data: curl_code=56 err=[Received HTTP code 503 from proxy after CONNECT] url=<PlatformURL>/msp/iscan_init_time.php via_proxy=<ProxyIP>:<ProxyPort> connect_code=503 local_ip=<ScannerIP>:38252 iface=eth0 remote_ip=<ProxyIP>:<ProxyPort> | Ensure the proxy server can connect to the Qualys Platform. See https://www.qualys.com/platform-identification/ for platform URLs. |

Personalization Code Errors

| Physical Scanner Appliance Error | Virtual / Cloud / Consultant Scanner Appliance Error | Solution |
|---|---|---|
| N/A | Invalid personalization code [<PersCode>] entered - please retry. | Provide a valid personalization code for scanner activation. |
| N/A | Personalization code [<PersCode>] was rejected by Qualys - most likely the code is already in use. | Retry scanner activation with a valid and unused personalization code. |

Qualys Platform Connectivity Errors

Physical Scanner Appliance Error: Error connect to server (07)
Virtual / Cloud / Consultant Scanner Appliance Error:
- With Proxy Configuration: Error: TCP connect to local proxy failed: curl_code=7 err=[Failed to connect to <ProxyIP>:<ProxyPort>: Connection refused] url= <PlatformURL> via_proxy=<ProxyIP>:<ProxyPort> local_ip=<ScannerIP> iface=eth0 remote_ip=<ProxyIP>:<ProxyPort>
- Without Proxy Configuration: Error: TCP connect to Qualys platform failed: curl_code=07 err= [Connection refused] url= <PlatformURL> local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443
Solution:
- With Proxy Configuration: Ensure proxy configuration on the scanner is configured with valid host and port. Ensure the proxy port is accessible from the scanner’s LAN or WAN interface.
- Without Proxy Configuration: Ensure the scanner’s LAN (single-network) or WAN (split-network) interface can connect to the Qualys Platform and is not blocked by any firewall rules.
- See https://www.qualys.com/platform-identification/ for platform URLs.

Physical Scanner Appliance Error: Timeout was reached (28)
Virtual / Cloud / Consultant Scanner Appliance Error:
- With Proxy Configuration: Error: TCP connect to local proxy timed out: curl_code=28 err=[Connection timed out after 30000 milliseconds] url=<PlatformURL>/msp/iscan_init_time.php via_proxy=<ProxyIP>:<ProxyPort> local_ip=<ScannerIP> iface=eth0 remote_ip=<ProxyIP>:<ProxyPort>
- Without Proxy Configuration: Error: TCP connect to Qualys platform timed out: curl_code=28 err=[Connection timed out after 30001 milliseconds] url=<PlatformURL>/msp/iscan_init_time.php local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443
Solution:
- With Proxy Configuration: Ensure the proxy can connect to the Qualys Platform within 30 seconds and is not blocked by any firewall rules.
- Without Proxy Configuration: Ensure the scanner’s LAN (single-network) or WAN (split-network) interface can connect to the Qualys Platform within 30 seconds and is not blocked by any firewall rules.
- See https://www.qualys.com/platform-identification/ for platform URLs.

Physical Scanner Appliance Error: Failed sending peer data (55)
Virtual / Cloud / Consultant Scanner Appliance Error:
- With Proxy Configuration: Error: Connection with local proxy was interrupted while sending data: curl_code=55 err=[Failed sending peer data] url= <PlatformURL> via_proxy=<ProxyIP>:<ProxyPort> local_ip=<ScannerIP> iface=eth0 remote_ip=<ProxyIP>:<ProxyPort>
- Without Proxy Configuration: Error: Connection with Qualys platform was interrupted while sending data: curl_code=55 err=[Failed sending data to the peer] url= <PlatformURL> local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443
Solution:
- With Proxy Configuration: Failure while sending network data to proxy. Ensure the scanner can communicate with the configured proxy server.
- Without Proxy Configuration: Failure while sending network data. Ensure the scanner’s LAN (single-network) or WAN (split-network) interface can connect to the Qualys Platform and is not blocked by any firewall rules or network access control devices.
- See https://www.qualys.com/platform-identification/ for platform URLs.

Physical Scanner Appliance Error: Fail receiving peer data (56)
Virtual / Cloud / Consultant Scanner Appliance Error:
- With Proxy Configuration: Error: Connection with local proxy was interrupted while sending data: curl_code=56 err=[Failure when receiving data from the peer] url= <PlatformURL> via_proxy=<ProxyIP>:<ProxyPort> local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443
- Without Proxy Configuration: Error: Connection with Qualys platform was interrupted while receiving data: curl_code=56 err=[Failure when receiving data from the peer] url= <PlatformURL> local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443
Solution:
- With Proxy Configuration: Failure while receiving network data from proxy. Ensure the scanner can communicate with the configured proxy server.
- Without Proxy Configuration: Failure while receiving network data. Ensure the scanner’s LAN (single-network) or WAN (split-network) interface can connect to the Qualys Platform and is not blocked by any firewall rules or network access control devices.
- See https://www.qualys.com/platform-identification/ for platform URLs.

Physical Scanner Appliance Error: SSL peer cert was not OK
Virtual / Cloud / Consultant Scanner Appliance Error: Error: curl_code=60 err=[SSL certificate problem: error number 1] url=<PlatformURL>/msp/iscan_bind.php via_proxy=<ProxyIP>:<ProxyPort> connect_code=200 local_ip=<ScannerIP>:35320 iface=eth0 remote_ip=<ProxyIP>:<ProxyPort>
Solution: This issue may occur when there is a proxy or intercepting device interfering with the certificate exchange process between the scanner and Qualys Platform. Please contact Qualys Support. See https://www.qualys.com/platform-identification/ for platform URLs.

Physical Scanner Appliance Error: Unexpected QG HTTP/401
Virtual / Cloud / Consultant Scanner Appliance Error: Error: Unexpected Qualys HTTP/401 - please contact customer support.
Solution: Please report this error to Qualys Support and include all configuration details.

Physical Scanner Appliance Error: Unexpected QG HTTP/500
Virtual / Cloud / Consultant Scanner Appliance Error: Error: Unexpected Qualys HTTP/500 - please contact customer support.
Solution: Please report this error to Qualys Support and include all configuration details.

Physical Scanner Appliance Error: This scan_id does not exist
Virtual / Cloud / Consultant Scanner Appliance Error: This Scanner is not registered on Qualys Platform.
Solution: The scanner is not registered with Qualys. Please contact Qualys Support.

Physical Scanner Appliance Error: This Scanner is disabled
Virtual / Cloud / Consultant Scanner Appliance Error: This Scanner has been disabled in your Qualys account.
Solution: Please report this error to Qualys Support.

Physical Scanner Appliance Error: Account expired
Virtual / Cloud / Consultant Scanner Appliance Error: The Qualys subscription for this Scanner has expired.
Solution: Please report this error to Qualys Support.
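
A triage helper for the curl-style error lines in the Proxy Errors and Qualys Platform Connectivity Errors tables, added here as an example (it is not Qualys code). It parses the key=value fields and reports which hop failed together with the solution this page gives; the function names and result labels are assumptions of the example, and the sample lines are constructed in the page's format.

```python
import re

# key=value fields; a value is a [bracketed string] or a run of non-space characters
_FIELD = re.compile(r"(\w+)=\s*(\[[^\]]*\]|\S+)")

# HTTP status the proxy returned to CONNECT -> solution from the Proxy Errors table
PROXY_CONNECT = {
    "403": "authorize the configured proxy user to connect to the Qualys Platform",
    "407": "configure a valid proxy username and password on the scanner",
    "503": "make sure the proxy server can connect to the Qualys Platform",
}
# curl_code -> (solution with proxy, solution without proxy), from the connectivity table
CURL = {
    7: ("check proxy host/port; the port must be reachable from LAN or WAN",
        "LAN/WAN interface must reach the platform; check firewall rules"),
    28: ("proxy must connect to the platform within 30 seconds",
         "LAN/WAN interface must connect to the platform within 30 seconds"),
    55: ("send failed: check scanner-to-proxy communication",
         "send failed: check firewall rules and network access control devices"),
    56: ("receive failed: check scanner-to-proxy communication",
         "receive failed: check firewall rules and network access control devices"),
}

def parse_error(line):
    """Split one appliance error line into its key=value fields."""
    return {k: v.strip("[]") for k, v in _FIELD.findall(line)}

def triage(line):
    """Return (failing hop, solution) for one appliance error line."""
    f = parse_error(line)
    if not f.get("curl_code", "").isdigit():
        return ("unknown", "no curl_code field; go by the message text")
    code = int(f["curl_code"])      # the page prints both curl_code=7 and curl_code=07
    proxied = "via_proxy" in f
    if code == 60:                  # certificate rejected; the page's sample has connect_code=200
        return ("tls", "suspect an intercepting proxy or device; contact Qualys Support")
    if proxied and f.get("connect_code") in PROXY_CONNECT:
        return ("proxy", PROXY_CONNECT[f["connect_code"]])
    if code in CURL:
        return ("proxy" if proxied else "platform", CURL[code][0 if proxied else 1])
    return ("unknown", "curl_code not listed on this page")

# Constructed sample lines in the page's format, placeholders kept as printed
SAMPLES = [
    "Error: Connection with local proxy was interrupted while receiving data: curl_code=56 "
    "err=[Received HTTP code 407 from proxy after CONNECT] url=<PlatformURL>/msp/iscan_init_time.php "
    "via_proxy=<ProxyIP>:<ProxyPort> connect_code=407 local_ip=<ScannerIP>:38248 iface=eth0",
    "Error: TCP connect to Qualys platform failed: curl_code=07 err= [Connection refused] "
    "url= <PlatformURL> local_ip=<ScannerIP> iface=eth0 remote_ip=<PlatformURL>:443",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```
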

Filesystem Mount Errors

| Physical Scanner Appliance Error | Virtual / Cloud / Consultant Scanner Appliance Error | Solution |
|---|---|---|
| EFS fsck fatal errors | e2fsck error - please contact customer support. | Please report this error to Qualys Support. |
| EFS mount fatal error | mount error - please contact customer support. | Please report this error to Qualys Support. |

 

 

Network Errors using older appliance model

A network error is an appliance configuration error indicating the Scanner Appliance attempted to connect to the Qualys Cloud Platform and failed.

 

Have an older appliance model? Errors are reported differently using older models. You might want to check out our Quick Start Guide (prior version): https://www.qualys.com/docs/qualys-scanner-appliance-quick-start-guide-3120-a1.pdf

 

Important! The Scanner Appliance is not functional until the error is resolved.

Please refer to the description provided to help you resolve the issue. If you still need help, identify the error code when you contact Qualys Support.

 

| Error Code | Description |
|---|---|
| E00, E01 | Internal error (NTLM Proxy error) |
| E02 | Internal error (Proxy error) |
| E03 | Proxy configuration error |
| E04 | No connectivity after the Proxy was disabled |
| E05 | DNS lookup of the Qualys server failed (maybe network connectivity problem) |
| E06 | Cannot reach the Qualys server via HTTPS |
| E07 | Invalid LAN IP address or LAN gateway address |
| E08 | Invalid WAN IP address or WAN gateway address |
| E09 | LAN IP address or LAN gateway address cannot be 127.0.0.1 |
| E10 | Could not configure the LAN interface |
| E11 | WAN IP address or WAN gateway address cannot be 127.0.0.1 |
| E12 | Could not configure the WAN interface |
| E13 | DNS lookup of the Qualys server failed due to a network connectivity problem |
| E14 | DNS lookup of the Qualys server failed during scanner activation due to a network connectivity problem |

 

More general error codes may be overwritten by more specific ones. For example, the scanner may return the error code E04 (No connectivity after the Proxy was disabled). After trying to connect for a while, the error code may be overwritten by E13 (DNS lookup of the Qualys Cloud Platform server failed). When troubleshooting the network error, it's useful to watch these error codes scroll by.

 

Tell me about proxy support

The scanner appliance includes Proxy support with or without authentication - Basic or NTLM. The Proxy server must be assigned a static IP address and must allow transparent SSL tunneling. Proxy level termination (as implemented in SSL bridging, for example) is not supported. The appliance does not support Proxy servers in networking environments where the Proxy server IP address is dynamically assigned. The appliance does not support SOCKS proxies.

 

While using a scanner appliance with a Proxy configuration, you may notice the following:

 

- Lag Time for configuration changes to take effect. Changes may take effect after a period of time that is significantly longer than the polling interval. This is because there is additional time necessary for communications to be processed by the Proxy server.

 

- No results or incomplete results. If the Proxy server sets limits for the absolute session timeout and/or the amount of outbound data that can be sent from the scanner, you may receive no results or incomplete results. It’s possible that your scans will terminate if these limits are set and a large number of IPs are scanned.

 

Tell me about split network configuration

By default the scanner appliance LAN interface services all traffic to the Qualys Cloud Platform. This includes management traffic (software updates, health check, scan data upload) and scanning traffic.

 

traffic_stand.jpg

 

You have the option to configure a split network configuration for your appliance by configuring the WAN interface using the scanner appliance console. This enables the use of scanner appliance in networks that do not have Internet access - either direct or via SSL proxy. Once configured, management traffic will be routed through the WAN interface and scanning traffic will be routed through the LAN interface. No internal traffic will be routed or bridged to the WAN interface, and no management traffic will be routed or bridged to the LAN interface.

 

traffic_split2.jpg
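
A pre-flight check for a planned split network configuration, added here as an example (it is not Qualys code and does not reproduce the appliance's own checks). It applies conditions this page states: LAN and WAN need different subnets and gateways, and neither address may be 127.0.0.1. The function names and dictionary layout are assumptions, the sample addresses are constructed, and "same network" is generalized to any overlapping subnets.

```python
import ipaddress

def _parse(name, cfg, findings):
    """Return (network, gateway) for one interface, or None if it is unusable."""
    try:
        iface = ipaddress.IPv4Interface(cfg["ip"])      # CIDR form, e.g. "10.1.20.5/24"
        gateway = ipaddress.IPv4Address(cfg["gateway"])
    except (KeyError, TypeError, ValueError):
        findings.append(f"Invalid {name} IP configuration")
        return None
    # E09/E11: neither address may be 127.0.0.1; other unusable ranges are rejected too
    for addr in (iface.ip, gateway):
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            findings.append(f"Invalid {name} IP configuration")
            return None
    return iface.network, gateway

def check_split_network(lan, wan):
    """Return the error names from the LAN / WAN table that this plan would raise."""
    findings = []
    lan_cfg = _parse("LAN", lan, findings)
    wan_cfg = _parse("WAN", wan, findings)
    if lan_cfg is not None and wan_cfg is not None:
        (lan_net, lan_gw), (wan_net, wan_gw) = lan_cfg, wan_cfg
        if lan_net.overlaps(wan_net):       # "LAN and WAN are on the same network"
            findings.append("Duplicate LAN and WAN config")
        if lan_gw == wan_gw:                # "LAN and WAN has the same gateway address"
            findings.append("LAN and WAN same gateway")
    return findings

# Constructed sample configurations (addresses are illustrative)
LAN = {"ip": "10.1.20.5/24", "gateway": "10.1.20.1"}
WAN_OK = {"ip": "192.168.50.10/24", "gateway": "192.168.50.1"}
WAN_SAME_NET = {"ip": "10.1.20.77/25", "gateway": "10.1.20.1"}

if __name__ == "__main__":
    print(check_split_network(LAN, WAN_OK))
    print(check_split_network(LAN, WAN_SAME_NET))
```
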
