Upgraded to 4.13.1, now all agents can't connect due to "agents duplicated"
Daniel
2025/09/30 12:57:59 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:57:59 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2025/09/30 12:57:59 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:57:59 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:57:59 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:57:59 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '020' has not been disconnected long enough to be replaced.
2025/09/30 12:57:59 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:57:59 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '025' has not been disconnected long enough to be replaced.
2025/09/30 12:58:00 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:00 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:00 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '023' has not been disconnected long enough to be replaced.
2025/09/30 12:58:00 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:00 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:00 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '017' has not been disconnected long enough to be replaced.
2025/09/30 12:58:00 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:00 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:00 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '014' has not been disconnected long enough to be replaced.
2025/09/30 12:58:00 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:00 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:00 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '019' has not been disconnected long enough to be replaced.
2025/09/30 12:58:01 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:01 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:01 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '021' has not been disconnected long enough to be replaced.
2025/09/30 12:58:01 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:01 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:01 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '024' has not been disconnected long enough to be replaced.
2025/09/30 12:58:01 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:01 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:01 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '026' has not been disconnected long enough to be replaced.
2025/09/30 12:58:18 wazuh-authd: INFO: New connection from REDACTED
2025/09/30 12:58:18 wazuh-authd: INFO: Received request for a new agent (REDACTED) from: REDACTED
2025/09/30 12:58:18 wazuh-authd: WARNING: Duplicate name 'REDACTED', rejecting enrollment. Agent '033' key already exists on the manager.
victor....@wazuh.com
Hello Daniel,
The warnings indicate that multiple agents are attempting to register with the manager using a name that is already in use.
By default, the manager rejects re-enrollment attempts from agents that have been registered but remain in a disconnected state for less than one hour. You can find more details in the Wazuh Manager documentation.
In practice, this means the new agent is trying to replace an existing one, but since the previous agent hasn’t been disconnected long enough, the registration request is blocked. This situation can arise for several reasons:
Scenario 1: Agent reconnection issues
When an agent fails to connect multiple times, it may attempt to generate a new key. This behavior is part of the auto-enrollment feature.
The Wazuh agent is designed to run continuously. If it disconnects from the manager (port 1514, remoted), it will repeatedly try to reconnect. After a while, if the agent assumes its key is invalid, it will attempt to re-enroll.
However, in this scenario, the server rejects the request because the agent is already registered.
To resolve the issue- Check agent status: Identify which agents are affected and currently disconnected. Monitor if the warning persists after 1 hour, since some agents may successfully reconnect and re-register on their own.
- Restart the affected agents: If the warnings remain after waiting, restart the disconnected agents and check if they reconnect properly.
- Use temporary force options: If restarts do not solve the issue, adjust the force options in the Wazuh configuration. For example, you can temporarily set the disconnected_time option to 5 minutes. This allows agents that have been disconnected for at least 5 minutes to automatically re-enroll, replacing old keys
- Remove and re-register agents: If none of the above steps work and the warnings persist:
- Stop the affected agents.
- Remove them using the Wazuh API.
- Delete their old client keys file.
- Re-register and restart the agents.
Scenario 2: Multiple agents with the same name
If you are enrolling many new agents that share the same name as ones already registered on the server, these warnings are expected. The best solution is to configure unique names for each agent. See the documentation here: https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/linux-endpoint.html
If the error persists, please share the ossec.log file from your manager and from one of your agents, and we will analyze them and provide us the following information
- Could you also describe the process you follow when upgrading your stack?
- From which version did you upgrade?
- Is your stack multi-node or single-node?
Daniel
victor....@wazuh.com
To determine exactly what happened, we will need the following logs:
- The ossec.log from one of the affected agents.
- The worker and master node logs.
- The cluster.log file from both the worker and master node.
This situation is not expected under normal conditions.
Without more detailed information about the specific tasks performed during your upgrade, we can only speculate. The following is just a theory of what could have happened, not a confirmed explanation:
- The worker node may have gone down during the upgrade. If load balancing or failover was configured, the agent would have attempted to connect to another worker or master node.
- If the manager also went down (due to upgrade or maintenance), agents might attempt to request new keys, assuming their current keys are invalid.
- When the server is restarted after being offline for an hour or more, agents will request new keys. With forced configuration, the server will replace all of them due to the downtime.
- If the worker node is started before the new client keys are synchronized, and agents connect to the worker, their registration requests will be forwarded to the server node, triggering the warning messages you observed.
In principle, client keys should eventually synchronize, and the issue should resolve itself, so this behavior could indicate something unexpected.
Please provide the requested logs and additional details so we can determine exactly what occurred in your environment.