SSM Agent is not online. The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service.

1

Hi, all. My ssm agent keep ofline still after activating EC2(Redhat 9.0). Another EC2(amazon Linux) set on same VPC, subnet, SG. This machine can set up ssm agent and keep online after activating machine. My Redhat image is RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3.

The error massage is below

SSM Agent is not online The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service.

Verify that the IAM instance profile has the correct permissions. Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints: ssm.ap-northeast-1.amazonaws.com ec2messages.ap-northeast-1.amazonaws.com ssmmessages.ap-northeast-1.amazonaws.com If your VPC does not have internet access, you can use VPC endpoints to allow outbound traffic from your instance.

If you still can't connect to your instance, or if you receive an error, including an error about SSM Agent, see: ここに画像の説明を入力してください

Tomo
asked 6 months ago45665 views
3 Answers
0

Have you created an ssm related vpc endpoints:

  • ssm.region.amazonaws.com
  • ssmmessages.region.amazonaws.com
  • ec2messages.region.amazonaws.com

and allowed security groups fir inbound/outbound?

profile picture
EXPERT
answered 6 months ago
  • Thanks for your help. As showing a picture on my question, I have already created an ssm related vpc endpoint.

    I permitted vpc endpoint below com.amazonaws.ap-northeast-1.ssm com.amazonaws.ap-northeast-1.ec2messages com.amazonaws.ap-northeast-1.ssmmessages com.amazonaws.ap-northeast-1.s3(Gateway) com.amazonaws.ap-northeast-1.s3(IF)

    And, I have already permitted SG for all in-bound request and out-bound request.(0.0.0.0/0) I also set another EC2(AmazonLinux) by this SG and this VPC endpoint, and I can connect another EC2. But, I cant connect redhat EC2 by same configure. ;;

0

Looks ok to me. Can you confirm that the SG on the VPC endpoints allow inbound TCP 443?

As a backup option, you may want to consider installing EC2 Instance connect for your private VPC

cd /tmp
curl -s -L -O https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect.rpm
curl -s -L -O https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux.noarch.rpm
dnf install -y ./ec2-instance-connect.rpm ./ec2-instance-connect-selinux.noarch.rpm

You will need to create EC2 instance connect endpoint and ensure SG on your EC2 allows incoming SSH (TCP 22)

AWS
EXPERT
MikeLim
answered 6 months ago
0

The article "Troubleshooting managed node issues in Systems Manager with SAW" could be a helpful resource for your issue. It covers a very similar problem of an EC2 instance not registering as a managed node in AWS Systems Manager.

The article walks through using the AWS Support Automation Workflow (SAW) runbook "AWSSupport-TroubleshootManagedInstance" to diagnose the root cause of the connectivity problem. This includes verifying IAM permissions, security group configurations, and network settings - all of which seem relevant to the issues you're experiencing with your RHEL 9.0 instance.

Beyond just the troubleshooting steps, the article also presents an architectural approach for automatically triggering this SAW-based analysis whenever new EC2 instances are launched. This proactive monitoring could be beneficial for preventing these types of Systems Manager issues from going unnoticed in the future.

The article provides sample code and a detailed walkthrough, so it could serve as a helpful reference if you wanted to implement a similar automated troubleshooting solution in your own environment. I'd recommend reviewing the information in this article, as it seems directly applicable to the problem you're facing with your RHEL 9.0 EC2 instance not registering as a managed node. The troubleshooting guidance and automated monitoring approach covered could provide valuable insights and a potential path forward.

profile pictureAWS
EXPERT
answered 3 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions