Elastic Defend fails to reconnect with RPM agent, when RPM host is offline for a few hours and no new data for System integration. #8840
Description
Kibana Build details:
VERSION: 9.1.0 BC2
BUILD: 87800
COMMIT: bf32d85033f9db9a8b57c1b68b26f3f19f48f1a5
Artifact Link: https://staging.elastic.co/9.1.0-e7409ce7/downloads/beats/elastic-agent/elastic-agent-9.1.0-x86_64.rpm
Host OS: SLES-15
Preconditions:
- 9.1.0 BC2 Kibana cloud environment should be available.
- RPM agent is enrolled with System & Elastic Defend integration.
Steps to reproduce:
- Ensure the RPM agent is connected to Elastic Defend and data is flowing under System & Elastic Defend integration.
- Take the RPM host offline for several hours (e.g., 7-8+ hours).
- Bring the RPM host back online.
- Observe the Agent gets into orphaned state as Elastic Defend is not able to connect agent.
- Observe new data for Elastic Defend, however no new data for System integration.
Expected Result:
When the RPM host comes back online, Elastic Defend should automatically reconnect to the RPM agent, and System integration should resume data collection without issues.
Notes:
- The issue is reproducible consistently after prolonged offline periods.
- Issue is also reproducible for 9.0.3 rpm agent.
Screen Recordings:
Before host is offline:
ip-172-31-20-250.-.Agents.-.Fleet.-.Elastic.-.Google.Chrome.2025-07-03.19-04-39.mp4
After host is offline:
Agents.-.Fleet.-.Elastic.-.Google.Chrome.2025-07-04.10-47-41.mp4
Logs:
We are not able to collect logs with diagnostics command and hence we have manually collected the logs.
Agent JSON:
ip-172-31-20-250-agent-details.zip
elastic-agent.yml: