Issue with 504 Gateway Timeout Error When Initiating RTR Session using FalconPy

[joseraeiro]

Hello FalconPy Community,

I'm encountering an issue with a 504 Gateway Timeout error when trying to initiate a Real Time Response (RTR) session using FalconPy. This error occurs despite the target device being valid and online.

Goal:
I aim to establish an RTR session with a specific device, but I'm consistently facing a 504 Gateway Timeout error.

Source Code Example:

from falconpy import RealTimeResponse

CLIENT_ID = "redacted"
CLIENT_SECRET = "redacted"
DEVICE_ID = "valid_device_id"
ORIGIN = "your_origin"
QUEUE_OFFLINE = False  # Can be True or False
TIMEOUT = 30  # Timeout value
TIMEOUT_DURATION = "30s"  # Timeout duration

def init_rtr_session():
    falcon = RealTimeResponse(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    response = falcon.init_session(device_id=DEVICE_ID,
                                   origin=ORIGIN,
                                   queue_offline=QUEUE_OFFLINE,
                                   timeout=TIMEOUT,
                                   timeout_duration=TIMEOUT_DURATION)
    return response

response = init_rtr_session()
print(response)

Environment:

FalconPy Version: 1.2.16
Python Version: 3.11
Operating System: Kali Linux

Details:
The script hangs for a while before resulting in a 504 Gateway Timeout error. The complete error message is as follows:

{'status_code': 504, 'headers': {...}, 'body': {'meta': {...}, 'errors': [{'code': 504, 'message': "Gateway Timeout: Please provide trace-id='...' to support"}]}}

I've checked the network configurations, device status, and adjusted timeout settings, but the issue persists. Any advice or suggestions to resolve this would be highly appreciated.

[jshcodes]

Hi @joseraeiro -

Have you tried to a different host? The code as shown above successfully initializes a session for me (once I update the API details and device ID).

[joseraeiro]

Hello @jshcodes.

Have you tried to a different host? The code as shown above successfully initializes a session for me (once I update the API details and device ID).

Yes, I have, to the same result.

[joseraeiro]

On a side note (not sure if this is relevant or not) when I try to initiate a RTR session with an offline host the response is different and appears to acknowledge the situation:

{'status_code': 404, 'headers': {'Server': 'nginx', 'Date': 'Wed, 15 Nov 2023 15:50:32 GMT', 'Content-Type': 'application/json', 'Content-Length': '207', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'eu-1', 'X-Cs-Traceid': '0078d934-27d7-41ad-98d0-7f71ac0c44b0', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'}, 'body': {'meta': {'query_time': 0.644679567, 'powered_by': 'empower-api', 'trace_id': '0078d934-27d7-41ad-98d0-7f71ac0c44b0'}, 'resources': [], 'errors': [{'code': 40401, 'message': 'Could not establish sensor comms'}]}}

[jshcodes]

{'status_code': 504, 'headers': {...}, 'body': {'meta': {...}, 'errors': [{'code': 504, 'message': "Gateway Timeout: Please provide trace-id='...' to support"}]}}

Can you provide us the Trace ID mentioned above?

[joseraeiro]

Sure thing, here's the complete response of such a request:

{'status_code': 504, 'headers': {'Server': 'nginx', 'Date': 'Thu, 16 Nov 2023 09:14:53 GMT', 'Content-Type': 'application/json', 'Content-Length': '286', 'Connection': 'keep-alive', 'X-Content-Type-Options': 'nosniff', 'X-Cs-Traceid': '16efb526-d720-4356-a0bb-414de5bda8e5', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}, 'body': {'meta': {'query_time': 2.01e-07, 'powered_by': 'crowdstrike-api-gateway', 'trace_id': '16efb526-d720-4356-a0bb-414de5bda8e5'}, 'errors': [{'code': 504, 'message': "Gateway Timeout: Please provide trace-id='16efb526-d720-4356-a0bb-414de5bda8e5' to support"}]}}

By the way, I'm not sure if this is relevant or not, but I have no trouble whatsover accessing other Crowdstrike API endpoints from the same machine, which should exclude any network related problems.

[joseraeiro]

I've contacted Crowdstrike support and they've mentioned some problem with my access token, which is odd because if I use the token that I receive in these request on other API endpoints I'm able to do so with success, and hence that rules out any issue with the access token, am I right?

Here's my current code:

from falconpy import oauth2 as FalconAuth, RealTimeResponse
import http.client
http.client.HTTPConnection.debuglevel = 1

import logging
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
req_log = logging.getLogger('requests.packages.urllib3')
req_log.setLevel(logging.DEBUG)
req_log.propagate = True

# Replace these with your CrowdStrike API credentials
CLIENT_ID = ""
CLIENT_SECRET = ""
DEVICE_ID = ""  # Replace with the target device ID


BASE_URL = "https://api.eu-1.crowdstrike.com"  # Use the EU endpoint directly


def get_auth_token():
    auth = FalconAuth.OAuth2(base_url=BASE_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    token_response = auth.token()
    
    if 'body' in token_response and 'access_token' in token_response['body']:
        return token_response['body']['access_token']
    else:
        print("Error obtaining token:", token_response)
        return None

def init_rtr_session(access_token):
    falcon_rtr = RealTimeResponse(base_url=BASE_URL, access_token=access_token)
    response = falcon_rtr.init_session(device_id=DEVICE_ID)
    return response

# Rest of your script remains the same...

def main():
    token = get_auth_token()
    if token:
        response = init_rtr_session(token)
        print("Response from RTR Initiation:", response)
    else:
        print("Failed to obtain access token")

if __name__ == "__main__":
    main()

Which is producing the following output:

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.eu-1.crowdstrike.com:443
send: b'POST /oauth2/token HTTP/1.1\r\nHost: api.eu-1.crowdstrike.com\r\nUser-Agent: crowdstrike-falconpy/1.2.16\r\nAccept-Encoding: gzip, deflate, br\r\nAccept: */*\r\nConnection: keep-alive\r\nCrowdStrike-SDK: crowdstrike-falconpy/1.2.16\r\nContent-Length: 97\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n'
send: b'client_id=REDACTED&client_secret=REDACTED'
reply: 'HTTP/1.1 201 Created\r\n'
header: Server: nginx
header: Date: Fri, 17 Nov 2023 12:58:24 GMT
header: Content-Type: application/json
header: Content-Length: 1251
header: Connection: keep-alive
header: X-Cs-Region: eu-1
header: X-Cs-Traceid: 0ab6c135-27c3-4cc7-9c25-76dae21143af
header: X-Ratelimit-Limit: 300
header: X-Ratelimit-Remaining: 299
header: Strict-Transport-Security: max-age=31536000; includeSubDomains
DEBUG:urllib3.connectionpool:https://api.eu-1.crowdstrike.com:443 "POST /oauth2/token HTTP/1.1" 201 1251
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.eu-1.crowdstrike.com:443
send: b'POST /real-time-response/entities/sessions/v1 HTTP/1.1\r\nHost: api.eu-1.crowdstrike.com\r\nUser-Agent: crowdstrike-falconpy/1.2.16\r\nAccept-Encoding: gzip, deflate, br\r\nAccept: */*\r\nConnection: keep-alive\r\nAuthorization: Bearer [REDACTED] \r\nCrowdStrike-SDK: crowdstrike-falconpy/1.2.16\r\nContent-Length: 49\r\nContent-Type: application/json\r\n\r\n'
send: b'{"device_id": "REDACTED"}'
reply: 'HTTP/1.1 504 Gateway Timeout\r\n'
header: Server: nginx
header: Date: Fri, 17 Nov 2023 13:01:20 GMT
header: Content-Type: application/json
header: Content-Length: 286
header: Connection: keep-alive
header: X-Content-Type-Options: nosniff
header: X-Cs-Traceid: a0163e87-7301-4e3a-b86e-f905528e7f67
header: X-Ratelimit-Limit: 6000
header: X-Ratelimit-Remaining: 5999
header: Strict-Transport-Security: max-age=31536000; includeSubDomains
DEBUG:urllib3.connectionpool:https://api.eu-1.crowdstrike.com:443 "POST /real-time-response/entities/sessions/v1 HTTP/1.1" 504 286
Response from RTR Initiation: {'status_code': 504, 'headers': {'Server': 'nginx', 'Date': 'Fri, 17 Nov 2023 13:01:20 GMT', 'Content-Type': 'application/json', 'Content-Length': '286', 'Connection': 'keep-alive', 'X-Content-Type-Options': 'nosniff', 'X-Cs-Traceid': 'a0163e87-7301-4e3a-b86e-f905528e7f67', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}, 'body': {'meta': {'query_time': 2.23e-07, 'powered_by': 'crowdstrike-api-gateway', 'trace_id': 'a0163e87-7301-4e3a-b86e-f905528e7f67'}, 'errors': [{'code': 504, 'message': "Gateway Timeout: Please provide trace-id='a0163e87-7301-4e3a-b86e-f905528e7f67' to support"}]}}

As I have mentioned earlier, I'm perfectly able to use the Bearer token that's represented by [REDACTED] in the output.

[jshcodes]

We're researching this error now.

Side note: FalconPy native debugging was released in v1.3.0. You will have more helpful debug output if you upgrade to the latest version of the library.

[jshcodes]

Is this a MSSP scenario? (i.e. is this endpoint associated with a child tenant and not the parent?)

We need to pass the member_cid of the child tenant when constructing the instance of the RTR Service Class if we are trying to initialize a session using Flight Control.

[joseraeiro]

It was this! Now it's working. Thank you very much for your kind help.

[morcef]

Hi @joseraeiro ,
I just wanted to give you a heads-up that it seems like you edited your comment and redacted your credentials after posting. Anyone subscribing to these issues still have acces to your credentials through the subscription email. I suggest regenerating the client secret, or deleting it and creating a new client 😉

[joseraeiro]

Hello @morcef!

Thanks for pointing that out. Appropriate measures have been taken.