Icinga2 client problem on cloned VM

Hello everyone. For several years I have been using the Icinga2 stack for monitoring servers. I noticed incorrect behavior a while ago, but only today decided to write about it here and ask for a possible solution.

Sometimes there is a need to clone an existing virtual machine which is already monitored by an Icinga2 agent. It works as it should, but a problem arises when I boot up the cloned virtual machine. Now both the original VM's agent and the new cloned one send the same data, and the Icinga2 server aggregates both under the original host. After that I have flapping status of ssh, apt, http … on the original VM's services. My assumption is that the Icinga2 server accepts any input if it has a handshake with the agent (the original VM's key is signed with the icinga2 ca sign command), even though the new source has a different IP address. For me, the expected behavior is a failed handshake if the host has either a different host name or an IP address other than the one specified in the Icinga2 server's configuration (for configuring I use Icinga Director).

My question is: can I somehow enforce/configure the Icinga2 server to check further and restrict communication to the originally configured agent, beyond having a signed certificate?

To reproduce this problem you need a VM which is already monitored by Icinga2, and you need to clone it. The new VM should have the same network access to the Icinga2 server (bidirectional port 5665 TCP).

PS: I have “establish connection” set to yes in Icinga Director > Host > Icinga Agent and zone settings.

I think there is no way, as the endpoint name needs to be unique. But it would be good if the cluster check detected this as a warning. I simply shut down the agent before cloning, as the zones need to be configured anyway after cloning.

I agree it is not a deal-breaking problem. It's just that sometimes I forget to disable the agent when cloning, and after some time, when I encounter the problem, it is kind of late because I can't really remember or easily find the cloned VM among a hundred others, and a witch hunt begins :smiley:
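
Added example, not part of the thread and not Icinga's own code: one way to locate a cloned agent is to scan the master's log for a certificate identity that connects from more than one address. The log line shape matched by `CONN_RE`, the host names, and the addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed shape of the master's log line for an agent connection; check it
# against your own icinga2.log before relying on this pattern.
CONN_RE = re.compile(
    r"New client connection for identity '(?P<cn>[^']+)' "
    r"(?:from|to) \[(?P<ip>[^\]]+)\]:\d+"
)

# Constructed sample lines (hypothetical hosts and addresses).
SAMPLE_LOG = """\
[2024-05-01 10:00:01 +0000] information/ApiListener: New client connection for identity 'web01.example.test' from [10.0.0.11]:41234
[2024-05-01 10:00:02 +0000] information/ApiListener: New client connection for identity 'db01.example.test' from [10.0.0.20]:50112
[2024-05-01 10:03:17 +0000] information/ApiListener: New client connection for identity 'web01.example.test' from [10.0.0.57]:38810
[2024-05-01 10:03:18 +0000] warning/ApiListener: Unrelated message that must be ignored
[2024-05-01 10:05:44 +0000] information/ApiListener: New client connection for identity 'web01.example.test' from [10.0.0.11]:41990
"""


def sources_by_identity(lines):
    """Map each certificate identity (CN) to the set of peer addresses seen."""
    seen = defaultdict(set)
    for line in lines:
        match = CONN_RE.search(line)
        if match:
            seen[match.group("cn")].add(match.group("ip"))
    return seen


def find_suspect_identities(lines, expected=None):
    """Return {cn: sorted addresses} for identities that look cloned.

    An identity is flagged when it appears from more than one address, or
    from an address other than the one in `expected` (optional inventory,
    for example the host addresses configured in Director).
    """
    expected = expected or {}
    findings = {}
    for cn, ips in sources_by_identity(lines).items():
        off_inventory = cn in expected and ips != {expected[cn]}
        if len(ips) > 1 or off_inventory:
            findings[cn] = sorted(ips)
    return findings


if __name__ == "__main__":
    for cn, ips in find_suspect_identities(SAMPLE_LOG.splitlines()).items():
        print(f"{cn}: seen from {', '.join(ips)}")
```

An agent whose address legitimately changes (DHCP, NAT, failover) is flagged as well, so treat the output as a list of hosts to inspect, not as proof of a clone.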