Step-by-Step Guide to Resolving SafeLine WAF License Errors



This content originally appeared on DEV Community and was authored by Sharon

Some users may encounter connection errors when activating a SafeLine license key. This typically means the WAF instance cannot reach our license server. This guide walks you through step-by-step diagnostics to help you identify and fix the issue.

Step 0: Configure the License Server Domain

Set the correct license server domain according to your SafeLine version:

# For SafeLine WAF version >= 8.0.0
LICENSE_SERVER="safeline.stream.safepoint.cloud"

# For SafeLine WAF version < 8.0.0
LICENSE_SERVER="safeline-cloud.chaitin.com"

Step 1: Check Host-Level Network Connectivity

Run a telnet test on the host machine to verify outbound connectivity to the license server:

telnet $LICENSE_SERVER 50052

If you see output like:

Trying 120.26.93.124...
Connected to $LICENSE_SERVER.
Escape character is '^]'.

Your host network is working as expected.

❗ If the connection fails, check if the host has internet access and ensure your cloud provider’s security group/firewall allows outbound traffic on port 50052.

Step 2: Check Container-Level Network Access

The license client runs inside the safeline-mgt container. Even if the host has network access, the container may not.

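Since telnet is not available in the container, use ping to test connectivity. Note that ping uses ICMP, so a reply confirms DNS resolution and routing from inside the container but does not by itself prove that TCP port 50052 is reachable: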

docker exec safeline-mgt ping $LICENSE_SERVER

Expected output:

PING $LICENSE_SERVER (120.26.93.124): 56 data bytes
64 bytes from 120.26.93.124: seq=0 ttl=44 time=32.4 ms
64 bytes from 120.26.93.124: seq=1 ttl=44 time=32.3 ms

If the ping fails, move on to deeper diagnostics.

Step 3: Inspect Firewall Rules (iptables/nftables)

Run the following to check if any DROP rules are blocking outbound traffic:

iptables -L -v -n --line-numbers

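Look for any suspicious rules in the OUTPUT chain. If the safeline-mgt container is attached to a Docker bridge network, its traffic is forwarded by the host rather than originated by it, so check the FORWARD chain as well.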

Step 4: Use tcpdump for Traffic Analysis

Use tcpdump to capture traffic between your SafeLine server and the license server to see whether the TCP handshake is happening:

tcpdump -i any -nn host $LICENSE_SERVER

Example output:

eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S]
eth0   In IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.]

The outbound SYN ([S]) answered by an inbound SYN-ACK ([S.]) indicates a successful TCP handshake. If you see outbound SYNs but no responses, the issue is likely with the network path or a firewall in between.
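
The Step 4 reading of the capture can be scripted. The shell function below is an added example, not part of the original post or of SafeLine: it classifies tcpdump -nn lines for the license port. Its function name, verdict strings and the connection-reset case (an RST coming back instead of a SYN-ACK) are assumptions that go beyond what the guide describes.

```shell
#!/bin/sh
# Added example: classify `tcpdump -nn` lines captured for the license server.
# Reads capture lines on stdin; $1 is the server port (50052 in this guide).
# Prints one verdict: handshake-ok | syn-unanswered | connection-reset | no-syn-seen
# Live use: tcpdump -i any -nn -c 20 host "$LICENSE_SERVER" | classify_handshake 50052
classify_handshake() {
    awk -v port="$1" '
    function endswith(s, sfx) {
        return substr(s, length(s) - length(sfx) + 1) == sfx
    }
    {
        src = ""; dst = ""; flags = ""
        for (i = 2; i < NF; i++)      # locate the "<src> > <dst>:" pair
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
        for (i = 1; i < NF; i++)      # turn "Flags [S]," into "S"
            if ($i == "Flags") { flags = $(i + 1); gsub(/[][,]/, "", flags) }
        if (src == "" || flags == "") next
        sfx = "." port
        if (endswith(dst, sfx) && flags == "S")            syn[src] = 1     # client SYN
        else if (endswith(src, sfx) && flags == "S.")      synack[dst] = 1  # server SYN-ACK
        else if (endswith(src, sfx) && index(flags, "R"))  rst[dst] = 1     # reset came back
    }
    END {
        total = 0; ok = 0; reset = 0
        for (c in syn) {              # one entry per client ip.port that sent a SYN
            total++
            if (c in synack) ok++
            else if (c in rst) reset++
        }
        if (total == 0)     print "no-syn-seen"       # no SYN to that port was captured
        else if (ok > 0)    print "handshake-ok"      # server answered with SYN-ACK
        else if (reset > 0) print "connection-reset"  # something actively refused
        else                print "syn-unanswered"    # SYNs left, nothing came back
    }'
}

# Constructed sample (addresses reused from the example output above):
# the same SYN is retransmitted and never answered.
sample='12:00:01.000000 eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S], seq 1, win 64240, length 0'
printf '%s\n' "$sample" | classify_handshake 50052   # -> syn-unanswered
```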

🔍 Common Issues & How to Fix Them

| Issue | Possible Cause | Fix |
| --- | --- | --- |
| Cannot telnet from host | No internet or outbound rule blocked | Check cloud security group or firewall |
| Cannot ping from container | Container network misconfiguration | Check bridge/network mode and routing |
| SYN sent, no ACK returned | Upstream firewall or blocked route | Inspect traffic path using tcpdump |
| NAT/SNAT issues | Improper masquerading/NAT config | Review iptables -t nat rules |
| Dropped by firewall | Manual DROP rules in iptables | Adjust or whitelist required rules |

Final Tip

Start with packet capture (tcpdump) to confirm that SYN packets are being sent. Then use iptables, conntrack, or cloud provider dashboards to trace the traffic flow and identify any bottlenecks.

Once connectivity is restored, reattempt the license activation.

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

