Hello,
I've got a new agent that I'm trying to register. This agent is running on a RHEL 8.5 server, version is 4.3.1. Wazuh Manager is also 4.3.1 on a RHEL 8.5 server. Firewalls between the agent and manager have TCP ports 1514 and 1515 open; this has been verified with tcpdump. DNS is set up correctly, both forward and reverse records. Agent has been successfully added and client key imported.
When I start the wazuh-agent service, I see a lot of disconnects in the ossec.log:
2022/05/24 14:32:29 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/24 14:32:29 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (104)
2022/05/24 14:32:29 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2022/05/24 14:32:29 wazuh-agentd: INFO: Closing connection to server (wazuh-manager:1514/tcp).
2022/05/24 14:32:29 wazuh-agentd: INFO: Trying to connect to server (wazuh-manager:1514/tcp).
2022/05/24 14:32:29 wazuh-agentd: WARNING: Process locked due to agent is offline. Waiting for connection...
2022/05/24 14:32:29 wazuh-agentd: INFO: (4102): Connected to the server (wazuh-manager:1514/tcp).
2022/05/24 14:32:29 wazuh-agentd: INFO: Server responded. Releasing lock.
2022/05/24 14:32:34 wazuh-agentd: INFO: Agent is now online. Process unlocked, continuing...
2022/05/24 14:32:34 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (104)
2022/05/24 14:32:34 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2022/05/24 14:32:34 wazuh-agentd: INFO: Closing connection to server (wazuh-manager:1514/tcp).
2022/05/24 14:32:34 wazuh-agentd: INFO: Trying to connect to server (wazuh-manager:1514/tcp).
2022/05/24 14:32:34 wazuh-agentd: WARNING: Process locked due to agent is offline. Waiting for connection...
And on the manager side, I see this:
2022/05/24 14:48:25 wazuh-remoted: WARNING: (1246): Unable to send file 'merged.mg' to agent ID '011'.
2022/05/24 14:48:35 wazuh-remoted: WARNING: (1246): Unable to send file 'merged.mg' to agent ID '011'.
2022/05/24 14:48:45 wazuh-remoted: WARNING: (1246): Unable to send file 'merged.mg' to agent ID '011'.
2022/05/24 14:48:56 wazuh-remoted: WARNING: (1246): Unable to send file 'merged.mg' to agent ID '011'.
Tried deleting the /var/ossec/etc/shared/default/merged.mg file on the manager side and restarting wazuh-manager, but that didn't help.
Completely blew away the agent install, removed /var/ossec, redid the install. Same behavior.
Not really sure what else to try at this point. The agent seems to connect, and even sends the SCA results, but then immediately disconnects, and retries again. Same thing over and over.
Our manager only has 38 agents connected right now, so don't think it's overloaded.
Anyone have any advice on what I can look at to troubleshoot this further?
Thanks,
J
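
Added example, not part of the original post and not Wazuh's own tooling: a small Python script that measures how long each agent session survives between a "(4102): Connected" line and the next "(1137): Lost connection" line, so the reconnect loop in the agent's ossec.log can be quantified. The sample lines are copied from the post; the function names and the 30-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Agent-side ossec.log lines copied from the post above.
SAMPLE = """\
2022/05/24 14:32:29 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/24 14:32:29 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (104)
2022/05/24 14:32:29 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2022/05/24 14:32:29 wazuh-agentd: INFO: Trying to connect to server (wazuh-manager:1514/tcp).
2022/05/24 14:32:29 wazuh-agentd: INFO: (4102): Connected to the server (wazuh-manager:1514/tcp).
2022/05/24 14:32:34 wazuh-agentd: INFO: Agent is now online. Process unlocked, continuing...
2022/05/24 14:32:34 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (104)
2022/05/24 14:32:34 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
"""

# Timestamp, then the wazuh-agentd tag and level, then the message body.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) wazuh-agentd: \w+: (.*)$")


def summarize(text):
    """Return (lost_count, lifetimes): number of 1137 events and the
    seconds each session lasted from a 4102 connect to the next 1137."""
    lost, lifetimes, connected_at = 0, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons (e.g. wazuh-modulesd) are ignored
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("(4102):"):
            connected_at = ts
        elif msg.startswith("(1137):"):
            lost += 1
            # A loss seen before any connect in the excerpt has no start time.
            if connected_at is not None:
                lifetimes.append(int((ts - connected_at).total_seconds()))
                connected_at = None
    return lost, lifetimes


def short_lived(lifetimes, threshold=30):
    """Sessions that ended within `threshold` seconds (assumed cutoff)."""
    return [s for s in lifetimes if s <= threshold]


if __name__ == "__main__":
    lost, lifetimes = summarize(SAMPLE)
    print(f"lost connections: {lost}, session lifetimes (s): {lifetimes}")
    print(f"short-lived sessions: {len(short_lived(lifetimes))}")
```

Pointing `summarize` at the full contents of the agent's ossec.log shows whether every session ends after the same interval, which is useful to compare against the timestamps of the 1246 warnings on the manager.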