I want to register a new VM in checkmk. Communication between the VM and the CMK instance is working, as I can see the host and services in the web interface - but TLS is not used.
```
cmk-agent-ctl register --server monitoring.hostname --site monitoring --user <my user> --hostname $(hostname -f)
Attempting to register at monitoring.hostname, port 8000. Server certificate details:
```
And that’s it. If I abort this and try again a couple of times, I get to the password prompt. Then I get:
```
Caused by:
0: Calling registration endpoint failed
1: error sending request for url (https://monitoring.hostname:8000/monitoring/agent-receiver/register_existing)
2: operation timed out
```
I am not sure why this happens, as the communication channel is working in general (see above). Also, I can’t find anything in the logs. Any hints would be appreciated.
The pattern you describe — curl works, but cmk-agent-ctl register hangs after showing the certificate and times out on /register_existing — points to a network-level issue affecting larger payloads, not a simple firewall block.
Here’s why: curl sends a small GET request that passes through fine. The register_existing endpoint receives a Certificate Signing Request (CSR) as the POST body, which is significantly larger. This classic asymmetry is the signature of a Path MTU Discovery (PMTUD) problem — large packets stall while small ones pass. This is especially common in VM environments.
Test for MTU issues first:
```bash
ping -M do -s 1400 -c 3 monitoring.hostname # if this hangs...
ping -M do -s 1200 -c 3 monitoring.hostname # ...but this works → MTU problem
```
If confirmed, reduce the MTU on your Debian 13 VM:
```bash
ip link set eth0 mtu 1400 # adjust interface name as needed
```
Also check the agent-receiver logs on the CMK server while attempting registration:
```bash
tail -f ~/var/log/agent-receiver/error.log
```
If you see nothing in the logs during the timeout, the connection never reaches the agent-receiver — confirming a network-layer problem before the application.
If there’s a reverse proxy in front of monitoring.hostname, try connecting directly to the CMK server’s IP to rule that out:
The intermittent nature (sometimes gets to the password prompt, sometimes not) also fits MTU or connection-tracking state issues — the first small TLS exchange packet gets through on some attempts but not others depending on packet fragmentation handling.
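An added example, not part of the original answer: the two manual pings above generalized into a binary search for the largest payload that crosses the path with the Don't Fragment bit set. It assumes IPv4, Linux iputils `ping`, and that ICMP echo is permitted along the path; the function names are illustrative.

```shell
#!/bin/sh
# Usage: sh pmtu.sh monitoring.hostname   (script name is illustrative)

# probe HOST SIZE -> exit 0 if a DF ping with SIZE payload bytes gets a reply.
# Kept separate so it can be replaced with a stub for offline testing.
probe() {
    ping -M do -s "$2" -c 1 -W 2 "$1" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload in [LOW, HIGH] that passes. Returns 1 if even
# LOW fails: host unreachable or ICMP filtered, so the result is inconclusive.
find_max_payload() {
    local host lo hi mid
    host=$1
    lo=${2:-500}
    hi=${3:-1472}   # 1472 + 28 = 1500, the usual Ethernet MTU
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid            # mid passes: answer is mid or larger
        else
            hi=$(( mid - 1 ))  # mid is dropped: answer is smaller
        fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD -> payload + 20-byte IPv4 header + 8-byte ICMP header
path_mtu() {
    echo $(( $1 + 28 ))
}

if [ $# -ge 1 ]; then
    payload=$(find_max_payload "$1") || {
        echo "no reply even at the minimum size; check reachability/ICMP" >&2
        exit 1
    }
    echo "largest DF payload: $payload bytes -> path MTU $(path_mtu "$payload")"
fi
```

A reported path MTU below the interface MTU shown by `ip link` is the value to set on the VM's interface.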