Some users may encounter connection errors when activating a SafeLine license key. This typically means the WAF instance cannot reach our license server. This guide walks you through step-by-step diagnostics to help you identify and fix the issue.
Step 0: Configure the License Server Domain
Set the correct license server domain according to your SafeLine version:
# For SafeLine WAF version >= 8.0.0
LICENSE_SERVER="safeline.stream.safepoint.cloud"
# For SafeLine WAF version < 8.0.0
LICENSE_SERVER="safeline-cloud.chaitin.com"
Step 1: Check Host-Level Network Connectivity
Run a telnet test on the host machine to verify outbound connectivity to the license server:
telnet $LICENSE_SERVER 50052
If you see output like:
Trying 120.26.93.124...
Connected to $LICENSE_SERVER.
Escape character is '^]'.
then your host network is working as expected.
If the connection fails, check whether the host has internet access and ensure your cloud provider's security group/firewall allows outbound traffic on port 50052.
Step 2: Check Container-Level Network Access
The license client runs inside the safeline-mgt container. Even if the host has network access, the container may not.
Since telnet is not available in the container, use ping to test connectivity:
docker exec safeline-mgt ping $LICENSE_SERVER
Expected output:
PING $LICENSE_SERVER (120.26.93.124): 56 data bytes
64 bytes from 120.26.93.124: seq=0 ttl=44 time=32.4 ms
64 bytes from 120.26.93.124: seq=1 ttl=44 time=32.3 ms
If the ping fails, move on to deeper diagnostics.
Step 3: Inspect Firewall Rules (iptables/nftables)
Run the following to check if any DROP rules are blocking outbound traffic:
iptables -L -v -n --line-numbers
Look for any suspicious rules in the OUTPUT chain.
Step 4: Use tcpdump for Traffic Analysis
Use tcpdump to capture traffic between your SafeLine server and the license server to see whether the TCP handshake is happening:
tcpdump -i any -nn host $LICENSE_SERVER
Example output:
eth0 Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S]
eth0 In IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.]
This indicates a successful TCP handshake. If you see outbound SYNs but no responses, the issue is likely with the network path or a firewall in between.
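The Step 4 reading of the capture, as an added example (not SafeLine's own tooling): a shell function that classifies tcpdump text by whether the SYN to port 50052 was answered. The function name and verdict strings are assumptions made for this example; unlike the ping in Step 2, it looks at the same TCP port tested in Step 1.

```shell
#!/bin/sh
# Added example: classify `tcpdump -i any -nn` text for the license port.
# Live use (LICENSE_SERVER set as in Step 0):
#   tcpdump -i any -nn -l -c 20 host "$LICENSE_SERVER" | classify_capture
LICENSE_PORT=50052   # license server port used throughout this guide

# Reads tcpdump lines on stdin and prints one verdict (names are hypothetical):
#   handshake-ok  a SYN-ACK ([S.]) came back from the license port
#   reset         a RST came back (something actively refused the connection)
#   syn-no-reply  SYN ([S]) left the host, nothing returned
#   no-syn        no outbound SYN at all (look at local rules, routing, DNS)
classify_capture() {
    awk -v port="$LICENSE_PORT" '
    BEGIN { suffix = "\\." port "$" }      # address ends in ".<port>"
    {
        src = ""; dst = ""
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        sub(/:$/, "", dst)                 # tcpdump prints "dst:" with a colon
        p = index($0, "Flags [")
        if (src == "" || p == 0) next      # not a TCP line with flags
        rest  = substr($0, p + 7)
        flags = substr(rest, 1, index(rest, "]") - 1)
        if (dst ~ suffix && flags == "S")  syn++
        if (src ~ suffix && flags == "S.") synack++
        if (src ~ suffix && flags ~ /R/)   rst++
    }
    END {
        if (synack)   print "handshake-ok"
        else if (rst) print "reset"
        else if (syn) print "syn-no-reply"
        else          print "no-syn"
    }'
}

# Constructed sample: the two lines shown in Step 4 of this guide.
sample='eth0 Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S]
eth0 In IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.]'
printf '%s\n' "$sample" | classify_capture
```

A syn-no-reply verdict corresponds to the "SYN sent, no ACK returned" row in the table below; no-syn points back to Steps 1 to 3.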
Common Issues & How to Fix Them
Issue | Possible Cause | Fix |
---|---|---|
Cannot telnet from host | No internet or outbound rule blocked | Check cloud security group or firewall |
Cannot ping from container | Container network misconfiguration | Check bridge/network mode and routing |
SYN sent, no ACK returned | Upstream firewall or blocked route | Inspect traffic path using tcpdump |
NAT/SNAT issues | Improper masquerading/NAT config | Review iptables -t nat rules |
Dropped by firewall | Manual DROP rules in iptables | Adjust or whitelist required rules |
Final Tip
Start with packet capture (tcpdump) to confirm that SYN packets are being sent. Then use iptables, conntrack, or cloud provider dashboards to trace the traffic flow and identify any bottlenecks.
Once connectivity is restored, reattempt the license activation.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.
Top comments (1)
ChatGPT said:
If you're seeing the "SafeLine WAF Can't Reach License Server" error, it's usually due to network restrictions, DNS misconfigurations, or firewall rules blocking outbound connections. Start by checking:
Internet access from the WAF server
DNS resolution for the license server URL
Any outbound port (usually 443) blocks by your firewall
Whitelisting the license server domain or temporarily disabling strict outbound rules can often resolve the issue.
Also, if you're running this in a business environment and handling sensitive data like invoices or client records, make sure your network security doesn't interfere with accounting platforms. We recently helped a client streamline their secure setup while also integrating VAT services in Cyprus to ensure smooth reporting and submissions.