
SSM Agent is not online. The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service.

1

Hi, all. My SSM Agent still stays offline after activating the EC2 instance (Red Hat 9.0). Another EC2 instance (Amazon Linux) is set up in the same VPC, subnet, and SG. That machine can set up the SSM Agent and stays online after activation. My Red Hat image is RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3.

The error message is below.

SSM Agent is not online The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service.

Verify that the IAM instance profile has the correct permissions. Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints:
  • ssm.ap-northeast-1.amazonaws.com
  • ec2messages.ap-northeast-1.amazonaws.com
  • ssmmessages.ap-northeast-1.amazonaws.com
If your VPC does not have internet access, you can use VPC endpoints to allow outbound traffic from your instance.

If you still can't connect to your instance, or if you receive an error, including an error about SSM Agent, see: [image]

asked 2 years ago · 125.6K views
4 Answers
0

Have you created the SSM-related VPC endpoints:

  • ssm.region.amazonaws.com
  • ssmmessages.region.amazonaws.com
  • ec2messages.region.amazonaws.com

and allowed the security groups for inbound/outbound?

EXPERT
answered 2 years ago
  • Thanks for your help. As shown in the picture on my question, I have already created the SSM-related VPC endpoints.

    I permitted the VPC endpoints below:
      • com.amazonaws.ap-northeast-1.ssm
      • com.amazonaws.ap-northeast-1.ec2messages
      • com.amazonaws.ap-northeast-1.ssmmessages
      • com.amazonaws.ap-northeast-1.s3 (Gateway)
      • com.amazonaws.ap-northeast-1.s3 (IF)

    And I have already permitted the SG for all inbound and outbound requests (0.0.0.0/0). I also set up another EC2 instance (Amazon Linux) with this SG and these VPC endpoints, and I can connect to that EC2 instance. But I can't connect to the Red Hat EC2 instance with the same configuration.

0

Looks ok to me. Can you confirm that the SG on the VPC endpoints allow inbound TCP 443?

As a backup option, you may want to consider installing EC2 Instance Connect for your private VPC:

cd /tmp
# Fetch the EC2 Instance Connect RPMs; -f makes curl fail on an HTTP error instead of silently saving an error page as the .rpm
curl -sfL -O https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect.rpm
curl -sfL -O https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux.noarch.rpm
# Install the agent and its SELinux policy module (RHEL runs SELinux in enforcing mode); run as root or via sudo
dnf install -y ./ec2-instance-connect.rpm ./ec2-instance-connect-selinux.noarch.rpm

You will need to create an EC2 Instance Connect Endpoint and ensure the SG on your EC2 instance allows incoming SSH (TCP 22).

AWS
EXPERT
answered 2 years ago
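The first two answers above ask the asker to confirm two things: that the ssm, ssmmessages and ec2messages interface endpoints exist in the VPC, and that the security group attached to those endpoints admits inbound TCP 443 from the instance. The script below is an added example, not code from anyone in this thread, that performs both checks offline against dicts shaped like the EC2 describe-vpc-endpoints and describe-security-groups responses. The region, security-group IDs, endpoint list and private IP in it are constructed sample data; in real use you would feed it the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`.

```python
"""Offline versions of the two checks asked for above: (1) are all three SSM
interface endpoints present, (2) does the endpoint security group admit inbound
TCP 443 from the instance. Added example; all data below is constructed."""
import ipaddress

# Interface endpoint services SSM Agent needs in order to register.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def required_endpoint_services(region):
    """Service names of the interface endpoints SSM Agent registers through."""
    return [f"com.amazonaws.{region}.{svc}" for svc in REQUIRED_SERVICES]


def missing_ssm_endpoints(region, existing_service_names):
    """Required endpoint service names absent from the VPC's endpoint list."""
    have = set(existing_service_names)
    return [n for n in required_endpoint_services(region) if n not in have]


def _rule_covers_port(perm, port):
    """Does one IpPermission entry cover TCP `port`? '-1' means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ingress_allows(security_group, port, source_sg_id=None, source_ip=None):
    """True if some inbound rule of `security_group` admits TCP `port` from the
    instance, either by referencing the instance's own security group or by a
    CIDR that contains the instance's private IP."""
    addr = ipaddress.ip_address(source_ip) if source_ip else None
    for perm in security_group.get("IpPermissions", []):
        if not _rule_covers_port(perm, port):
            continue
        if source_sg_id and any(p.get("GroupId") == source_sg_id
                                for p in perm.get("UserIdGroupPairs", [])):
            return True
        if addr and any(addr in ipaddress.ip_network(r["CidrIp"])
                        for r in perm.get("IpRanges", [])):
            return True
    return False


# ---- constructed sample data; IDs and addresses are hypothetical ----
REGION = "ap-northeast-1"
INSTANCE_SG = "sg-0instance000000001"
INSTANCE_PRIVATE_IP = "10.0.1.25"

# A VPC where ssm and ssmmessages were created but ec2messages was forgotten.
EXISTING_ENDPOINTS = [
    f"com.amazonaws.{REGION}.ssm",
    f"com.amazonaws.{REGION}.ssmmessages",
    f"com.amazonaws.{REGION}.s3",
]

# Endpoint SG that admits 443 from the instance's SG: correct.
ENDPOINT_SG_GOOD = {
    "GroupId": "sg-0endpoint00000001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": INSTANCE_SG}]},
    ],
}

# Endpoint SG that looks "open" but is not: 0.0.0.0/0 only on 22, and 443
# only from a CIDR that does not contain the instance. The agent needs 443.
ENDPOINT_SG_BAD = {
    "GroupId": "sg-0endpoint00000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []},
    ],
}


def run_checks():
    """Run both checks against the sample data and return the findings."""
    return {
        "missing_endpoints": missing_ssm_endpoints(REGION, EXISTING_ENDPOINTS),
        "good_sg_allows_443": ingress_allows(
            ENDPOINT_SG_GOOD, 443, INSTANCE_SG, INSTANCE_PRIVATE_IP),
        "bad_sg_allows_443": ingress_allows(
            ENDPOINT_SG_BAD, 443, INSTANCE_SG, INSTANCE_PRIVATE_IP),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The second security group is the case worth noticing: a rule on 0.0.0.0/0 makes the group look wide open in the console, but because it is on port 22 it does nothing for the agent, and the 443 rule's CIDR does not cover the instance's subnet, so `ingress_allows` correctly reports False. Reference-by-security-group (the first group) is the usual way to wire this up because it keeps working when instance IPs change.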
0

The article "Troubleshooting managed node issues in Systems Manager with SAW" could be a helpful resource for your issue. It covers a very similar problem of an EC2 instance not registering as a managed node in AWS Systems Manager.

The article walks through using the AWS Support Automation Workflow (SAW) runbook "AWSSupport-TroubleshootManagedInstance" to diagnose the root cause of the connectivity problem. This includes verifying IAM permissions, security group configurations, and network settings - all of which seem relevant to the issues you're experiencing with your RHEL 9.0 instance.

Beyond just the troubleshooting steps, the article also presents an architectural approach for automatically triggering this SAW-based analysis whenever new EC2 instances are launched. This proactive monitoring could be beneficial for preventing these types of Systems Manager issues from going unnoticed in the future.

The article provides sample code and a detailed walkthrough, so it could serve as a helpful reference if you wanted to implement a similar automated troubleshooting solution in your own environment. I'd recommend reviewing the information in this article, as it seems directly applicable to the problem you're facing with your RHEL 9.0 EC2 instance not registering as a managed node. The troubleshooting guidance and automated monitoring approach covered could provide valuable insights and a potential path forward.

AWS
EXPERT
answered 2 years ago
0

The article "Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?" provides instructions on how to resolve AWS Systems Manager Agent (SSM Agent) issues in most instances.

That article uses the AWSSupport-TroubleshootManagedInstance AWS Support Automation Workflow (SAW) runbook to troubleshoot and resolve the following errors:
  • Session Manager displays an "SSM Agent is not online. The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service" error.
  • Fleet Manager reports your instance's ping status as a "Connection Lost" error.
  • Fleet Manager doesn't list your instance.

It also includes instructions on how to use the AWS Command Line Interface (AWS CLI) to troubleshoot these errors.

If you don't want to use the AWS CLI, then it also lists detailed walkthroughs on how to manually troubleshoot an offline SSM Agent.

I hope this helps!

AWS
EXPERT
answered a year ago
