Troubleshoot firewalls blocking Elastic Agent
ECK ECE Self-Managed
If you are running into issues connecting your cluster to AutoOps, a corporate firewall might be blocking Elastic Agent.
There are three main components of Elastic Agent's connection with your system:
- Elastic Agent connects to your ECE, ECK, or self-managed Elasticsearch cluster.
- The agent registers your cluster with Elastic Cloud using the Cloud Connect API.
- The agent begins to send metrics from your cluster to AutoOps in your selected CSP region.
The following subsections describe how to test each of these components to find out where the problem lies, and then implement an appropriate solution.
Run the following tests within the context of your execution environment. That is, if your chosen installation method is Kubernetes, run the commands from within the pod; for Docker, run the commands from within the container, and so on.
If there is an issue with the first component, Elastic Agent cannot connect to your cluster.
To test if your organization is not allowing this connection, run the following command depending on your chosen authentication method:
curl -XGET -i $AUTOOPS_ES_URL \ -H "Authorization: ApiKey $AUTOOPS_ES_API_KEY" curl -XGET -i $AUTOOPS_ES_URL \ -u $AUTOOPS_ES_USERNAME The command returns a response similar to the following:
{ "name" : "1c72f00a6195", "cluster_name" : "my-ccm-cluster", "cluster_uuid" : "2O_EjO6kTR6AEVYwL5fPEw", "version" : { "number" : "9.1.3", "build_flavor" : "default", "build_type" : "docker", "build_hash" : "0c781091a2f57de895a73a1391ff8426c0153c8d", "build_date" : "2025-08-24T22:05:04.526302670Z", "build_snapshot" : false, "lucene_version" : "10.2.2", "minimum_wire_compatibility_version" : "8.19.0", "minimum_index_compatibility_version" : "8.0.0" }, "tagline" : "You Know, for Search" } If you do not receive a similar response, your system returns an error indicating one or more reasons for the failure as outlined in the following table. Use the corresponding proposed solution to fix the issue.
| Reason for failure | Proposed solution |
|---|---|
| The Elasticsearch endpoint URL you specified is incorrect/not reachable | - Make sure you are using the correct protocol in the cluster URL:http or https. - Make sure you are providing the correct port. The default port is 9200. - If you have verified that the URL is correct, your network team might need to open the firewall to allow-list this URL. |
| Your API key is incorrect | - Recheck for typos. - If your cluster is on versions 9.1.0 through 9.1.3, ensure that you have the base64-decoded version of the key by running the following command: echo $AUTOOPS_ES_API_KEY | base64 -d If your key has a colon (:), it is not base64 encoded. If your key has an equal sign (=), it is base64 coded. For versions 9.1.4 and above, both formats work. |
| Your username or password is incorrect | - Recheck for typos. - Ensure that your provided user has the necessary privileges. We do not recommend providing a privileged superuser like elastic for this purpose. |
| You are providing both the API key and username/password | Choose one type of authentication only. |
| A proxy is blocking communication with your Elasticsearch cluster | You might have to configure NO_PROXY. |
| You are using a custom SSL/TLS configuration with Elasticsearch | Disable SSL/TLS verification so that your system trusts all certificates. We do not recommend disabling verification in production environments. If you are using API key authentication, run the following command: curl -XGET --insecure -i $AUTOOPS_ES_URL \ -H "Authorization: ApiKey $AUTOOPS_ES_API_KEY". If you are using username/password authentication, run the following command: curl -XGET --insecure -i $AUTOOPS_ES_URL \ -u $AUTOOPS_ES_USERNAME If the issue is resolved, you need to configure your custom SSL/TLS settings with Elastic Agent. If the issue persists, contact Elastic support. |
You are connecting a local development cluster using Docker without specifying --network host | - Make sure you are following all the steps to connect your local development cluster to AutoOps. - In the Install agent step, make sure you are replacing docker run -d \ with docker run -d --network host \. |
If there is an issue with the second component, the agent stops working and your logs might show the following error:
... failed to register Cloud Connected Mode: ... Post \"https://api.elastic-cloud.com/api/v1/cloud-connected/clusters\": ... To test if your organization is not allowing the agent to register your cluster with Elastic Cloud, run the following command:
curl -XPOST -i \ https://api.elastic-cloud.com/api/v1/cloud-connected/clusters \ -H 'Content-Type: application/json' \ -d '{"self_managed_cluster": {"id": "my-cluster-uuid", "name": "my-cluster-name", "version": "9.1.0"}, "license": {"uid": "my-license-id", "type": "basic"}}' The command should return an HTTP 401 response:
{"UnauthorizedMessages":["Invalid credential headers"],"Cause":null} If you do not receive a similar response, configure your HTTP proxy to allow it to reach the URL (with headers and a JSON body):
POST https://api.elastic-cloud.com/api/v1/cloud-connected/clusters If you are using Docker, you might need to complete this configuration directly using the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables.
If there is an issue with the third component, the agent attempts to establish the connection and your logs might show the following error:
... Exporting failed. Dropping data. ... no more retries left: failed to make an HTTP request: Post \"https://otel-collector.auto-ops.eu-west-1.aws.cloud.elastic.co:4318/v1/logs\": ... To test if your organization is not allowing the agent to send metrics from your cluster to Elastic Cloud, run the following command. The command uses AWS eu-west-1 as the CSP (cloud service provider) region, but you should replace it with your chosen CSP region before running the command.
curl -XPOST -i \ https://otel-collector.auto-ops.eu-west-1.aws.cloud.elastic.co:4318/v1/logs \ -H 'Content-Type: application/json' The command should return an HTTP 401 response:
{"code":16,"message":"no auth provided"} If you do not receive a similar response, configure your HTTP proxy to allow it to reach the URL (with headers and an arbitrary body):
POST https://otel-collector.auto-ops.${REGION}.${CSP}.cloud.elastic.co:4318/v1/logs If you are using Docker, you might need to complete this configuration directly using the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables.