Can't connect Windows agent to Master

Hello everyone, I would like to open up a new network and monitor the Windows servers there with agents that communicate directly to my master.

The networks are connected via a site to site tunnel. I can ping my master on the host and the port for Icinga is enabled on the server. However, I cannot connect to the master.

I went through the following steps until I got the error:

  1. icinga2 pki ticket --cn server.agent.lan (on my master instance)
  2. Set the Instance Name and the Ticket Number
  3. Now Comes the error
Running command 'icinga2.exe pki save-cert --host "" --port "5665" --key "C:\ProgramData\icinga2\etc\icinga2\pki\server.agent.lan.key" --cert "C:\ProgramData\icinga2\etc\icinga2\pki\server.agent.lan.crt" --trustedcert "C:\Users\Administrator.ADMIN\AppData\Local\Temp\2\tmpAA37.tmp"' produced the following output:
information/cli: Retrieving X.509 certificate for ''.
critical/TcpSocket: Invalid socket: 10060, "A connection attempt failed because the remote station did not respond properly after a certain period of time, or the established connection was faulty because the connected host did not respond."
critical/pki: Cannot connect to host '' on port '5665'
critical/cli: Failed to fetch certificate from host.

I hope you have a good tip for me, because I don’t know what to do anymore :slight_smile:

  1. use chrome on a windows maschine and connect to https://ip-of-icinga-master:5665
  2. use chrome on a windows maschine and connect to

if there is a certificate error just start typing thisisunsafe
if there you can reach a login promt icinga api is available, which is necessary talk to icinga-master
after that we will see if you can even reach icinga-master api through vpn

1 Like

Thank you for your support. I do not receive the web interface. A tracert showed that the hops end at my mx entry.

In the other network there is already an agent installed which communicates to the master on this server but the interface is not reachable either. :slight_smile:

What do you mean with mx entry? Are you trying to connect to mail mail server?

What vpn do you use? You can setup client based rules, Maybe your other agent is allowed to access 5665 on icinga-master.

In order to get the certificate signed icinga-client has to be able to connect to icinga master on port 5665.
reach out to whomever set up your vpn to make this happen. i would also suggest to use ip based connection, so you dont have to setup a split dns for your vpn for and your connection is only routed through vpn

1 Like

Hello, thank you very much I’ll have to have a look. On the agent server the port is allowed. Also with the master IP a connection is unfortunately not possible. I will get back to you as soon as I know something new.

Hey @moreamazingnick ,

I am now ready for the host to ping the master.
I did the setup of the agent manually and was able to install it manually. The Icinga agent now says Running. However, the host status in icinga is still down.

Do you have any idea where I should look or what I can do now?

Best regards!

you most likely need to allow icinga-master to ping your agent.(Firewall rule/ VPN / windows )

the check command for the host /hosttemplate decides if a host is down or not. you are most likely using check ping or hostalive, which is also check ping.

or you change the check command for the host/hosttemplate to dummy than the agent is always “up”