Help Center> Host Security Service (New)> FAQs> Agent FAQs> What Do I Do If the HSS Upgrade Fails?
Updated on 2024-03-25 GMT+08:00

What Do I Do If the HSS Upgrade Fails?

About the Upgrade

  • Servers are displayed on both the old and new console of HSS, regardless of whether their agents have been upgraded. The server statuses are properly displayed on the console that you are using.
  • Agent upgrade is free of charge.
  • Before the upgrade, ensure the Agent Status is Online.
  • The upgrade does not affect the workloads on your cloud servers.
  • After the upgrade, the billing stops on the old console and starts on the new console.
  • After the upgrade, your servers will be protected by HSS (New).

How the Agent Is Upgraded

After you start agent upgrade on the HSS console, the system automatically uninstalls agent 1.0 and then installs agent 2.0.

  • On the old console, agent statuses during the upgrade are as follows:
    • Upgraded: The agent has been upgraded. You can go to the HSS (New) console to check the protection status.
    • Upgrading: The agent is being upgraded.
    • Upgrade failed: The agent failed to be upgraded.
  • On the new console, agent statuses during the upgrade are as follows:
    • Uninstalled: The target server has not installed an agent on the new console.
    • Online: The agent is running properly.
    • Offline: The agent communication is abnormal.

Possible Causes

After the automatic upgrade is complete, it takes 5 to 10 minutes for the agent status to be refreshed.

Possible causes for abnormal agent statuses are as follows:

  1. DNS resolution failure. The agent can be upgraded only through the intranet DNS resolution. Ensure the private DNS server address is correct.
  2. Access to port 10180 is restricted. The agent upgrade requires accessed to port 10180.
  3. The available memory of the server is insufficient. The agent upgrade occupies certain memory. If the available memory is less than 300 MB, the upgrade will be affected.
  4. Failed to obtain the metadata. To upgrade the agent, you need to obtain the ID, name, and region of the server.

Locating and Fixing the Problem

  • DNS Resolution Failure
    • Troubleshooting Procedure
      1. Use a remote management tool, such as SecureFX or WinSCP, to log in to the server.
      2. Run the following command to check the private DNS address of the server:

        cat /etc/resolv.conf

      3. Make a note of the DNS address and region of the server and check whether they are correct. For details, see Private DNS Server Address.
      4. If your region and DNS server address match, the problem was not caused by DNS resolution. In this case, check for other causes.

        If your region and DNS server address do not match, the problem was caused by a DNS resolution failure.

    • Solution

      Check whether your services will be affected if the private DNS server address configured on the server is changed.

      • If your services will not be affected by the address change, correct the private DNS server address and retry the upgrade. For details, see Changing the Private DNS Server Address.
      • If your services will be affected by the address change, create the mapping between your server name and the current IP address, and retry the upgrade. Perform the following steps:
        1. Log in to your cloud server.
        2. Run the following command to switch to user root:

          sudo su -

        3. Run the following command to edit the hosts configuration file:

          vi /etc/hosts

        4. Press i to enter the editing mode.
        5. Add statements in the following format:

          Private_IP_address Hostname

          [Example]

          192.168.0.1 hostname01

          192.168.0.2 hostname02

        6. Press Esc to exit the editing mode.
        7. Run the following command to save the configuration and exit:

          :wq

  • Restricted Access to Port 10180
    Ensure the server where the agent is to be installed or upgraded can communicate with the network segment. The security group of your server must allow outbound access to port 10180 on the 100.125.X.X/16 network segment.
    • Troubleshooting Procedure
      1. In the upper left corner of the page, select a region, click , and choose Compute > Elastic Cloud Server.
      2. Click the name of the server. On the server details page that is displayed, click the Security Groups tab.
      3. Click the Outbound Rules tab and check whether port 10180 is specified in the deny policy.
        1. If it is not specified, the problem was not caused by port access restriction.
        2. If it is specified, the problem was caused by port access restriction.
    • Solution

      Allow access to the port. For details, see step 8 in Configuring Security Group Rules.

  • The available memory is insufficient.
    • Troubleshooting Procedure
      • Linux
        1. Use a remote management tool, such as SecureFX or WinSCP, to log in to the server.
        2. Run the following command to check the memory usage of the server:

          free -m

        3. Check the value of free in the command output, as shown in Figure 1.
          If the value of available is smaller than 300, the memory is insufficient.
          Figure 1 Querying the memory
      • Windows
        1. Use a remote management tool, such as mstsc and RDP, to log in to the server.
        2. Open the Task Manager.
        3. Choose Performance > Memory, and view the available memory on the Memory page.

          If the available memory is less than 300 MB, the memory is insufficient.

    • Solution
  • Failure to Obtain Metadata

Agent FAQs FAQs

more