Agent Disconnection Issue After Snapshot

13 views
Skip to first unread message

Özlem

unread,
9:07 AM (14 hours ago) 9:07 AM
to Wazuh | Mailing List

Hello, I encountered the following issue and would like to ask for your assistance. Is there a way to resolve this without removing and reinstalling the agents, and what is the exact root cause of this problem?

  1. I encountered an error after using the wazuh-password-tool.sh tool to change all user passwords.

  2. In order to roll back the changes, I reverted the system to a snapshot that had been taken two hours earlier.

  3. Endpoints running agents version 4.7.1 were not affected; however, endpoints running agents version 4.11.2 started to appear as disconnected.

  4. I restarted all Wazuh services.

  5. I verified the client key numbers of the endpoints against the manager, and the keys for each agent match those on the manager.

  6. Network connectivity was checked and no issues were found.

7. Time synchronization was also verified, and no problems were detected; however, I was unable to find a solution.

8.The Wazuh version in use is v4.11.2.



Log on ossec logs on client:

2025/12/22 15:32:59 wazuh-agent: INFO: Requesting a key from server: manager-ip

2025/12/22 15:33:20 wazuh-agent: ERROR: (1208): Unable to connect to enrollment service at '[manager-ip]:1515'

2025/12/22 15:33:30 wazuh-agent: WARNING: (4101): Waiting for server reply (not started). Tried: 'manager-ip'. Ensure that the manager version is 'v4.11.2' or higher.

2025/12/22 15:33:30 wazuh-agent: WARNING: Unable to connect to any server.

2025/12/22 15:33:30 wazuh-agent: INFO: Trying to connect to server ([manager-ip]:1514/tcp).

2025/12/22 15:33:51 wazuh-agent: ERROR: (1216): Unable to connect to [manager-ip]:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'.

  What steps should I take? Could you assist me with this issue?  


Carlos Ezequiel Bordon

unread,
9:54 AM (13 hours ago) 9:54 AM
to Wazuh | Mailing List

Hello, to continue troubleshooting, could you please share the complete log of the agent that's unable to connect?

Also, if you could share the commands you executed from the disconnected agents to the manager on both ports 1515 and 1514.

Furthermore, please also share the manager logs so we can check for any errors.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

this command too

/var/ossec/bin/wazuh-control info

Reply all
Reply to author
Forward
0 new messages