CodeNewbie Community 🌱

Sharon428931

Why Your SafeLine License Won’t Activate — And How to Fix It

Some professional users may encounter an authorization error when activating a license key. This error indicates a communication issue between the SafeLine server and the license server. Follow the steps below to diagnose and resolve the issue.

Step 0: Set License Server Domain Variable

First, set the license server domain based on your WAF version:

# For WAF version >= 8.0.0
LICENSE_SERVER="safeline.stream.safepoint.cloud"

# For WAF version < 8.0.0
LICENSE_SERVER="safeline-cloud.chaitin.com"

Step 1: Verify Host Network Connectivity

Run a telnet test on the SafeLine server to check if the network is functioning properly. If you see Connected to $LICENSE_SERVER, the host network is working correctly.

$ telnet $LICENSE_SERVER 50052
Trying 120.26.93.124...
Connected to $LICENSE_SERVER.
Escape character is '^]'.
^C
Connection closed by foreign host.

If the connection fails, check whether the host has internet access and whether the cloud provider's security group allows outbound traffic.

Step 2: Verify Container Network Connectivity

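The SafeLine licensing client runs inside the safeline-mgt container. If the host network is working, confirm that the container can access the internet. Since telnet is not available in the mgt container, use ping to check network connectivity. Note that ping only shows name resolution and ICMP reachability; the tcpdump capture further down checks the TCP connection itself.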

$ docker exec safeline-mgt ping $LICENSE_SERVER
PING $LICENSE_SERVER (120.26.93.124): 56 data bytes
64 bytes from 120.26.93.124: seq=0 ttl=44 time=32.424 ms
64 bytes from 120.26.93.124: seq=1 ttl=44 time=32.374 ms

If ping fails, analyze traffic flow as follows:

Check iptables Rules

Inspect outbound rules for any DROP entries:

iptables -L -v -n --line-numbers

Use tcpdump to Capture Traffic

Capture TCP traffic between the server and the licensing server to determine if the handshake completes successfully.

$ tcpdump -i any -nn host $LICENSE_SERVER

Example output:

16:45:45.253527 eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S], seq 808064468, win 64240, options [mss 1460,sackOK,TS val 1020606707 ecr 0,nop,wscale 7], length 0
16:45:45.283391 eth0  In  IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.], seq 3474622497, ack 808064469, win 65160, options [mss 1460,sackOK,TS val 1564198957 ecr 1020606707,nop,wscale 7], length 0

Conclusion

  • If iptables or nftables blocks traffic, adjust the rules.
  • If SYN packets are sent but no response is received, investigate network issues or check if the target server is reachable.
  • If NAT/SNAT issues exist, inspect iptables -t nat rules.

Start by capturing packets to confirm if SYN packets are sent successfully, then use iptables and conntrack tools for further debugging.
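The following is an added example, not part of the original post or the SafeLine project: a shell helper that reads saved tcpdump text output in the format shown above and reports which case from the conclusion applies. The function name, result labels and sample captures are constructed for illustration. It assumes the `-i any -nn` line format, where a SYN seen only as `In` arrived from the container side and was never sent out of the host.

```shell
#!/bin/sh
# Added example. classify_handshake PORT < capture.txt  (hypothetical helper)
# handshake-ok      SYN-ACK came back: the network path is fine
# reset-by-peer     RST came back: something on the path refuses the port
# syn-no-reply      SYN left the host, nothing returned: security group / upstream
# syn-not-forwarded SYN seen only inbound from the container: FORWARD / NAT rules
# no-syn-seen       no SYN captured: local OUTPUT rules, DNS, or client not trying
classify_handshake() {
  awk -v port="$1" '
    {
      src = ""; dst = ""; flags = ""; dir = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "In" || $i == "Out") dir = $i
        if ($i == ">")     { src = $(i-1); dst = $(i+1); sub(/:$/, "", dst) }
        if ($i == "Flags") { flags = $(i+1); sub(/,$/, "", flags) }
      }
      if (flags == "") next                    # not a TCP line
      to_srv   = (dst ~ ("\\." port "$"))      # -nn prints addr.port
      from_srv = (src ~ ("\\." port "$"))
      if (to_srv && flags == "[S]") { if (dir == "In") syn_in++; else syn_out++ }
      else if (from_srv && flags == "[S.]") synack++
      else if (from_srv && flags ~ /R/)     rst++
    }
    END {
      if (synack)       print "handshake-ok"
      else if (rst)     print "reset-by-peer"
      else if (syn_out) print "syn-no-reply"
      else if (syn_in)  print "syn-not-forwarded"
      else              print "no-syn-seen"
    }'
}
# Constructed sample captures (documentation addresses; port 50052 from the post).
sample_ok() { cat <<'EOF'
12:00:00.000001 eth0  Out IP 192.0.2.10.42790 > 198.51.100.7.50052: Flags [S], seq 1, win 64240, length 0
12:00:00.030001 eth0  In  IP 198.51.100.7.50052 > 192.0.2.10.42790: Flags [S.], seq 9, ack 2, win 65160, length 0
EOF
}
sample_noreply() { cat <<'EOF'
12:00:00.000001 eth0  Out IP 192.0.2.10.42790 > 198.51.100.7.50052: Flags [S], seq 1, win 64240, length 0
12:00:01.010001 eth0  Out IP 192.0.2.10.42790 > 198.51.100.7.50052: Flags [S], seq 1, win 64240, length 0
EOF
}
sample_local_drop() { cat <<'EOF'
12:00:00.000001 veth0a1 In  IP 172.17.0.2.42790 > 198.51.100.7.50052: Flags [S], seq 1, win 64240, length 0
EOF
}
for s in sample_ok sample_noreply sample_local_drop; do
  printf '%s: %s\n' "$s" "$($s | classify_handshake 50052)"
done
```

To use it on a real capture, redirect the tcpdump command from the post into a file while retrying the license activation, then run `classify_handshake 50052 < capture.txt`.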

