The vast majority of scan hub installations go smoothly, but if you do encounter an error when importing the AppCheck scan hub it can be difficult to diagnose. This article lists some issues customers have experienced in the past and advice on how to solve them.
If you encounter a problem when setting up the scan hub, check to see if the error you encounter is described below. If it is not, or if the instructions below do not help you resolve it, please raise a ticket with AppCheck Support.
- Error "We cannot detect an internet connection" When Beginning Setup Wizard
- You cannot access the scan hub's local web GUI
- Error "Sorry, this license key is not able to be registered" When Submitting License Key in Hub's Dashboard
- Registration Appeared to Work but the Services Are Not Appearing or Starting
- You Believe the Hub has Access to an Address but the Scanner can’t find Anything
- Error "Controller SATA is not supported" When Importing the OVA File
Error "We cannot detect an internet connection" When Beginning Setup Wizard
The hub sends a request to Google's DNS servers (8.8.8.8 and 8.8.4.4) on port 53 to see if it has an internet connection. This error indicates that the test request is being blocked (your firewall team should be able to see this in your firewall logs). Opening up this access should allow you to proceed.
You cannot access the scan hub's local web GUI
The scan hub's local web GUI runs on port 8080, and should be accessible on the hub's internal IP address. For example, if your scan hub's IP address is 10.1.2.3 then the URL of the local web GUI will be https://10.1.2.3:8080/.
If you cannot access this, then there are two possible causes: either the web GUI is running, but access is blocked from your location, or the web GUI is not running.
If the web GUI service is running then you will be able to access it from the scan hub's Command Line Interface (CLI). You can test this by logging in to the CLI and running a curl command, like so (using the example IP address listed above):
curl -Lk https://10.1.2.3:8080/
If the service is running you should see HTML, for example:
If the service is not running you will see an error, most likely "Failed to connect: Connection refused". In this case, the most likely explanation is that the hub was not able to contact the AppCheck servers to download the web GUI software. See Testing the connection from your Private Scan Hub to AppCheck to find out how to troubleshoot this. Another potential cause is insufficient resources on the scan hub VM, such as RAM or storage. Confirm your VM meets the requirements listed in the setup guide and restart the VM if you need to make any changes.
If the service is running, and you can see the HTML returned in the hub's CLI, but you cannot access it from elsewhere, then there is a problem with the network configuration for your VM. You will need to liaise with your network administrators and the managers of your hypervisor to determine the correct settings.
Error "Sorry, this license key is not able to be registered" When Submitting License Key in Hub's Dashboard
If the connectivity checks pass but you get this error when entering the license key, the likely cause is either a problem with the license key provided by AppCheck, or a problem with the connectivity that our checks were not able to detect.
This command, run on the scan hub’s command line, will help test both possibilities:
curl https://licensing.appcheck-ng.com/license/check/[license key]/test-string
It will connect to AppCheck's licensing server and confirm that the license key is ready to use. The response should be:
{"success":true}
If the response is
{"success":false}
then the connectivity seems OK, but there looks to be something wrong with the key. Contact AppCheck support who will confirm this and provide a replacement license key.
Sometimes customers have found that their outbound firewall will intercept the request and corrupt it, and you'll get an error/warning, for example complaining that the SSL certificate is invalid/self-signed. You would need to investigate this with your network team - if you have something like a firewall or proxy intercepting the outbound traffic from the hub then you should arrange for it to be bypassed.
At the same time as conducting these checks also contact AppCheck Support so they can confirm there is no problem on AppCheck's side which could produce a similar response.
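The license check above can be wrapped so that each outcome the article describes (key accepted, key rejected, TLS error from an intercepting device) gets a distinct label. This is an added example, not AppCheck tooling: it assumes a POSIX shell with curl on the hub, and the function names, diagnosis labels and the `LICENSE_KEY` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not AppCheck tooling. Function names and labels are hypothetical.
LICENSE_URL_BASE="https://licensing.appcheck-ng.com/license/check"

# classify_license_check <curl exit code> <response body>
# Prints a diagnosis label; returns 0 only when the key is confirmed usable.
classify_license_check() {
    rc=$1
    body=$2
    case "$rc" in
        0)  ;;                                  # transfer completed, inspect body below
        6)  echo "dns-failure"; return 1 ;;     # could not resolve host
        7)  echo "connect-failed"; return 1 ;;  # could not connect to host
        28) echo "timeout"; return 1 ;;         # operation timed out
        35|51|60)
            # TLS handshake or certificate verification failed: consistent with
            # a firewall or proxy intercepting the hub's outbound traffic.
            echo "tls-error"; return 1 ;;
        *)  echo "curl-error-$rc"; return 1 ;;
    esac
    # Ignore whitespace differences before comparing with the documented bodies.
    compact=$(printf '%s' "$body" | tr -d ' \t\r\n')
    case "$compact" in
        '{"success":true}')  echo "key-ok"; return 0 ;;
        '{"success":false}') echo "key-rejected"; return 1 ;;   # contact AppCheck Support
        *)  echo "unexpected-body"; return 1 ;;  # e.g. a proxy block page
    esac
}

# check_license <license key>: runs the article's curl command and classifies it.
check_license() {
    # No -k: certificate verification is what exposes an intercepting device.
    body=$(curl -sS --max-time 15 "$LICENSE_URL_BASE/$1/test-string" 2>/dev/null)
    classify_license_check "$?" "$body"
}

# Only contacts the network when LICENSE_KEY (assumed variable) is set.
if [ -n "${LICENSE_KEY:-}" ]; then
    check_license "$LICENSE_KEY"
fi
```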
Registration Appeared to Work but the Services Are Not Appearing or Starting
This is not a known issue exactly, but something that can occasionally be seen for a number of reasons. If it occurs you can help accelerate AppCheck's investigation by gathering the following information ahead of raising a ticket (AppCheck Support do not have the access to your network necessary to gather this information themselves):
- Go to the "Maintenance" tab on the hub's local UI.
- Run both the options under "Connectivity", and take a screenshot of the output.
- Run the "Update this hub" maintenance script, then "Read logs of last update attempt" and take a screenshot.
Send the screenshots to AppCheck support with a description of the problem you are encountering.
You Believe the Hub Has Access to an Address but the Scanner Does Not Find It
This command, run on the scan hub’s command line, will run a short nmap scan against the target IP address, from the scan hub:
docker run -it scanhub_apckinfrav2_1 nmap -Pn -T5 [target IP address]
You can use this to confirm connectivity, and that the necessary ports are open. If connectivity is not in place, or the ports are not open, your internal teams will need to resolve this. If this short scan shows hosts/ports that the AppCheck scan does not find, double check your scan settings and if they look correct then contact AppCheck Support.
Error "Controller SATA is not supported" When Importing the OVA File
The .ova file AppCheck provides contains both a disk image and a set of configuration defaults that instruct your virtual machine software how to configure the appliance. For storage control the configuration uses a SATA controller. Some older VM platforms do not support SATA controllers.
If this is the case for you the recommended course of action is to upgrade your virtual machine software.
If that is not possible, you can configure the VM with a different storage controller (e.g. IDE), but you will need to extract the disk image from the .ova file and configure the VM manually. This will be a non-standard deployment and AppCheck Technical Support may not be able to resolve problems you encounter, but we will try. Also bear in mind that using other controllers such as IDE may result in poor performance and long-running scans.
The .ova file is a tar archive, so you should be able to extract the contents just like you would a .tgz file. Once you have the disk image from the .ova contents you can set up a new VM using that image, being sure to conform to the hardware requirements described in the internal hub setup guide.