Duplicate name, agent enrollment rejected


Miguel Moses

May 13, 2022, 3:24:23 PM
to Wazuh mailing list

Hello,

I'm having a challenge enrolling an agent to Wazuh.

2022/05/13 15:12:16 wazuh-authd: INFO: Received request for a new agent (CBM-C02G81A6Q05Q) from: xxx.xxx.xxx.xxx

2022/05/13 15:12:16 wazuh-authd: WARNING: Duplicate name 'CBM-C02G81A6Q05Q', rejecting enrollment. Agent '987' key already exists on the manager.

So far I have performed the following:

1. Uninstalled the wazuh-agent from the endpoint 

2. Removed the agentid using the CLI

3. Reinstalled the agent

I am still encountering the error message for the same host but with a new agentid.





Miguel Angel Cazajous

May 15, 2022, 3:09:24 PM
to Wazuh mailing list
Hi Miguel,

Since Wazuh 4.2.2 the agent replacement behaves slightly differently than the previous version.

https://documentation.wazuh.com/current/release-notes/release-4-2-2.html#manager

We avoid a re-registration if the agent already has a valid key (as the message you are seeing explains)

In Wazuh 4.3 we added a configuration block to configure the force action.

Please take a look at this section of the documentation.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#force

The options are hidden by default and the one you may want to pay attention to is the key_mismatch.

This option, when set as yes, will only replace an agent when the agent has a different key than the manager. If you set this as no, it will generate a new registration key.

I hope this helps. Regards!

Geoff Nordli

May 16, 2022, 12:15:58 AM
to wa...@googlegroups.com
Hi Miguel.

I had similar issues once when the agent wasn't using the same
connection protocol. Verify the agent and manager are using the same
(UDP or TCP) protocol.

George Were

May 23, 2022, 10:12:47 AM
to Wazuh mailing list
Hi All,

I am also having the challenge described by Miguel. Here is what I have done so far to troubleshoot:

1) Manager and agent are both running the same version, 4.3.1
2) I have included the enrollment tag on my agent just to give it a different registration name, but it is still getting flagged as a duplicate name
3) I have removed and purged the initially registered agent from the manager via CLI
4) Both are communicating on TCP

P.S. I am running multi-tenant on Docker with 1 Wazuh server and 1 Wazuh manager.

Please help with any further insight. :(

Thanks

Matias Pereyra

May 23, 2022, 12:23:12 PM
to Wazuh mailing list
Hi everyone!

weregeog, could you please upload the full ossec.log file from both agent and manager?
Because the agent logs will always report only a "duplicate name" message but the manager has more information about the cause (disconnection time, registration time, repeated key, etc.).

I think that the agent was successfully registered the first time but it is unable to connect with the manager. After a few failed attempts, it tries to re-register (just in case the communication failure is due to a key issue) but the manager rejects it: the agent only prints "duplicate name" and the manager may say something like "key already exists on the manager".

If this is the case, then both agent and manager share the same key and a re-registration isn't needed. 
If you change the agent's name in the enrollment section, the whole process will repeat again: it will receive the new key but after a few failed communication attempts, it will try to register again and it'll fail.

Can you check if your agent is able to reach the manager's 1514 port?

Regards.

George Were

May 23, 2022, 4:46:28 PM
to Wazuh mailing list
Hi Matias,

I appreciate you taking the time to attend to my case. Below are snippets from both the manager and the agent. I can see the manager complaining that the key already exists, as per your advice. How can I remedy this? I am running in production, hence the need to blur some parts.

Yes, it can reach the manager.

A little background story of how this came to happen: my initial install of the Wazuh manager got broken when I tried to upgrade, so I got lazy and decided to just do a whole new setup for the updated version. Now, when I came to this first machine, I tried upgrading the agent but it failed, so I uninstalled everything and installed a new up-to-date copy. When it came to connecting to the manager, that's when it started complaining about the duplicate name, even after deleting the initial registration.
wazuh-agent.png
wazuh-manager.png

Matias Pereyra

May 24, 2022, 9:13:38 AM
to Wazuh mailing list
Hi again!

Thank you for sharing the logs.
We can conclude that we have a communication issue here, not a registration one. See the "Network is unreachable" error message in the agent? The agent can't get to the manager, maybe it's connected to the wrong network interface.

When the agent is unable to communicate with the server it will try to register again automatically, just in case. And you see the message "key already exists in the manager" and that's correct because it's already registered. 

Please, run a ping command from the agent with the manager's IP to verify the connectivity. 
Is there any firewall or router in the middle of these hosts? Are you in a local network? Does the agent have more than one network interface?

Regards.

George Were

May 24, 2022, 2:10:03 PM
to Wazuh mailing list
Hi Matias,

I don't think it's a network or firewall issue. I am able to ping the manager without any issues; see the stats below.
ping stats.png

Matias Pereyra

May 26, 2022, 10:45:25 AM
to Wazuh mailing list
Hi again!

Thank you for the tests you've performed.
Could you please upload the ossec.conf configuration file of both manager and agent so we can review them? Are both configured for TCP connections?

If the ping command was successful, then we are having another kind of network issue. It seems that the agent is unable to reach the manager in the 1514 port (communication) but it's able to reach the manager in the 1515 port (registration).
Have you tried to set directly the manager IP instead of the DNS in the agent's configuration file? So we can be sure there isn't a translation issue.

Also, please run these Netcat commands from the agent to check the ports in the manager

nc -zv MANAGER_DNS 1515 1514
nc -zv MANAGER_IP 1515 1514

Regards.
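
The name-versus-IP port checks requested above, as an added example that is not part of the original thread: a POSIX shell script that probes 1515 (registration) and 1514 (communication) both ways and reduces the four results to one diagnosis. The function names `probe`, `verdict` and `main` and the diagnosis keywords are chosen here for illustration; it assumes `nc` and `getent` are installed on the agent host.

```sh
#!/bin/sh
# Added example (not from the thread): compare the manager's registration
# port (1515) and communication port (1514) by name and by IP.
# Usage: sh check_manager.sh MANAGER_DNS MANAGER_IP

# probe HOST PORT -> prints "open" or "closed" (TCP connect, 3 s timeout)
probe() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
        echo open
    else
        echo closed
    fi
}

# verdict NAME_1515 NAME_1514 IP_1515 IP_1514 -> short diagnosis keyword
verdict() {
    if [ "$4" = closed ]; then
        # 1514 fails even by IP: firewall, routing, listener or protocol.
        echo comm-port-unreachable
    elif [ "$2" = closed ]; then
        # 1514 works by IP but not by name: the name leads somewhere else.
        echo name-resolution
    elif [ "$1" = closed ] || [ "$3" = closed ]; then
        # Only 1515 fails: new enrollments cannot reach the manager.
        echo enroll-port-unreachable
    else
        # Everything answers; if the agent still fails with the FQDN, the
        # thread's workaround was to put the manager IP in the agent config.
        echo ports-ok
    fi
}

main() {
    name=$1
    ip=$2
    # Show what the name resolves to, for comparison with the expected IP.
    echo "resolves to: $(getent hosts "$name" | awk '{print $1}' | tr '\n' ' ')"
    n1515=$(probe "$name" 1515)
    n1514=$(probe "$name" 1514)
    i1515=$(probe "$ip" 1515)
    i1514=$(probe "$ip" 1514)
    printf '%-5s 1515=%s 1514=%s\n' name "$n1515" "$n1514" ip "$i1515" "$i1514"
    verdict "$n1515" "$n1514" "$i1515" "$i1514"
}

# Run only when both arguments are given, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

A `closed` result on 1514 with `open` on 1515 matches the pattern described in this thread, where the agent can enroll but cannot communicate and then retries enrollment.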
 

valombre.d Delanhuyi

May 30, 2022, 11:15:48 AM
to Wazuh mailing list
Hi, I had a similar problem on Ubuntu MATE 22.04 LTS agents (2 machines).
I tried uninstalling (purging) the agent and reinstalling: same problem.
I tried modifying the server-side ossec.conf (auth/force section) several times and restarting the manager, but it didn't change anything: still "ERROR: Duplicate agent name" and "INFO: Trying to connect to server (myserver.com:1514/tcp)."
I tried your nc -zv commands; they were OK.

In the end I just replaced the FQDN in the client-side ossec.conf with my server's IP, restarted the service, and it works: the agent registered correctly.

Hope it helps to focus on the possible client bug.
Regards

George Were

May 30, 2022, 2:18:01 PM
to Wazuh mailing list
Hi All,

I used @valombre's method and it worked. I also run Ubuntu MATE 22.04 LTS.

Matias Pereyra

May 30, 2022, 8:56:40 PM
to Wazuh mailing list
Thank you all for the tests and the information!

The agent connects to the manager properly only if the IP is set instead of FQDN.
It seems that we are facing here something similar to these situations

https://github.com/wazuh/wazuh/issues/13580
https://github.com/wazuh/wazuh/issues/13583
https://github.com/wazuh/wazuh/issues/13562

I apologize for any inconvenience, we'll solve this issue as soon as possible.
Regards.

Matias Pereyra

Jun 1, 2022, 4:48:09 PM
to Wazuh mailing list
The last Wazuh release, v4.3.3, has a fix for this situation.


Thank you all for the information provided.
Regards.
