|
| 1 | +--- |
| 2 | +layout: src/layouts/Default.astro |
| 3 | +pubDate: 2025-08-28 |
| 4 | +modDate: 2025-08-28 |
| 5 | +title: Troubleshooting Polling Tentacles |
| 6 | +description: How to troubleshoot problems with Octopus Polling Tentacles. |
| 7 | +navOrder: 20 |
| 8 | +--- |
| 9 | + |
| 10 | +import TentacleConnectionsCheck from 'src/shared-content/infrastructure/tentacle-connection-check.include.md'; |
| 11 | +import TentaclePing from 'src/shared-content/infrastructure/tentacle-ping.include.md'; |
| 12 | +import TentacleFixes from 'src/shared-content/infrastructure/tentacle-general-fixes.include.md'; |
| 13 | +import TentacleUninstall from 'src/shared-content/infrastructure/tentacle-uninstall.include.md'; |
| 14 | + |
| 15 | +## Communication settings |
| 16 | + |
| 17 | +To verify the communication settings, *On the Tentacle machine*, open the Tentacle Manager application from the Start screen or Start menu. |
| 18 | + |
| 19 | +1. Ensure that the Tentacle is in *polling* mode. |
| 20 | +Below the thumbprint, you should see the text *This Tentacle polls the Octopus Server...*. |
| 21 | +2. Check the port that the Tentacle polls the Octopus Server on. |
| 22 | +3. Check that the **Octopus Server** thumbprint shown in light gray in the Tentacle manager matches the one shown in the **Configuration ➜ Thumbprints** screen in the Octopus Web Portal. |
| 23 | + |
| 24 | +Note, that there are two thumbprints displayed - that of the Tentacle itself (shown first in bold) and the thumbprints of trusted servers (shown inline in the gray text). |
| 25 | + |
| 26 | +If any of the communications settings are incorrect, choose *Delete this Tentacle instance...*. After doing so, you'll be presented with the Tentacle installation wizard, where the correct settings can be chosen. If the settings are correct, continue to next step. |
| 27 | + |
| 28 | +## Check the connections |
| 29 | + |
| 30 | +<TentacleConnectionsCheck /> |
| 31 | +:::div{.hint} |
| 32 | +Octopus Cloud instances have HSTS enabled so it will be impossible to bypass the "Your connection is not private" warning. |
| 33 | +::: |
| 34 | + |
| 35 | +*On the Octopus Server machine*, open a web browser and navigate to `https://localhost:10943` (or your chosen Tentacle communications port if it isn't the default). Make sure an **HTTPS** URL is used. |
| 36 | + |
| 37 | +The page shown should look like the one below. |
| 38 | + |
| 39 | +:::figure |
| 40 | + |
| 41 | +::: |
| 42 | + |
| 43 | +If you've made it this far, good news! Your Octopus Server is running and ready to accept inbound connections from Polling Tentacles. |
| 44 | + |
| 45 | +:::div{.hint} |
| 46 | +**If you can't browse to the page...** |
| 47 | +If this is where your journey ends, there's a problem on the Octopus Server machine itself. It is very likely that the Octopus Server is unable to open the communications port, either because of permissions, or because another process is listening on that port. Using the Windows `netstat -o -n -a -b` command can help to get to the bottom of this quickly. If you can see connections being opened and immediately closed (`CLOSE_WAIT` state in `netstat` output) from the same *Foreign Address*, it might indicate that this server is blocking traffic from the communications port and therefore resetting the connection immediately. Check both the built-in Windows Firewall, and any other firewalls (in Amazon EC2, check your security group settings for example) on the server identified by the **Foreign Address** in `netstat` and make sure that the communications port isn't being blocked. You can also use [Wireshark](https://www.wireshark.org/) to inspect traffic that is coming in on the Octopus Server communications port to find any connections that are being immediately reset by starting a network capture and filtering the traffic by `tcp.port == 10943` (or your chosen Tentacle communications port if it isn't the default), this should identify any incoming requests that gets reset immediately. |
| 48 | + |
| 49 | +If you're still in trouble, check the Octopus Server [log files](/docs/support/log-files) and contact Octopus Deploy support. |
| 50 | +::: |
| 51 | + |
| 52 | +Next, repeat the process of connecting to the Octopus Server with a web browser, but do this *from the Tentacle machine*. |
| 53 | + |
| 54 | +When forming the URL to check: |
| 55 | + |
| 56 | +- First try using the Octopus Server's DNS hostname, e.g. `https://my-octopus:10943`. |
| 57 | +- If this fails, try using the Octopus Server's IP address instead, e.g. `https://1.2.3.4:10943` - success using the IP address but not the DNS hostname will indicate a DNS issue. |
| 58 | + |
| 59 | +**If you can't connect...** |
| 60 | +Failing to connect at this step means that you have a network issue preventing traffic between the Tentacles and Octopus Server. Check that the Octopus Server polling port is open in any firewalls, and that other services on the network are working. There's not usually much that Octopus Deploy Support can suggest for these issues as networks are complex and highly varied. Having the network administrator from your organization help diagnose the issue is the best first step. If that draws a blank, please get in touch. |
| 61 | + |
| 62 | +Remember to check both the built-in Windows Firewall, and any other firewalls (in Amazon EC2, check your security group settings for example). |
| 63 | + |
| 64 | +If the Tentacle welcome page is shown, good news - your network is fine. |
| 65 | + |
| 66 | +:::div{.problem} |
| 67 | + |
| 68 | +**Watch out for proxy servers or SSL offloading...** |
| 69 | +Octopus and Tentacle use TCP to communicate, with special handling to enable web browsers to connect for diagnostic purposes. Full HTTP is not supported, so network services like **SSL offloading** are not supported, and **proxies** are not supported in earlier versions of Octopus Deploy. Make sure there's a direct connection between the Octopus Server and Tentacle, without an HTTP proxy or a network appliance performing SSL offloading in between. |
| 70 | + |
| 71 | +Also see, [advanced support for HTTP proxies](/docs/infrastructure/deployment-targets/proxy-support). |
| 72 | +::: |
| 73 | + |
| 74 | +## Tentacle ping |
| 75 | + |
| 76 | +<TentaclePing /> |
| 77 | + |
| 78 | +- Run **TentaclePing** on your Tentacle machine (which is the client in this relationship). |
| 79 | +- Run **TentaclePong** on your Octopus Server machine (which is the server in this relationship). |
| 80 | + |
| 81 | +Use the output to help diagnose what is going wrong. |
| 82 | + |
| 83 | +<TentacleFixes /> |
| 84 | + |
| 85 | +## Check the server service account permissions |
| 86 | + |
| 87 | +For polling Tentacles we need to check the Octopus Server is running as the *Local System* account. If it is, you can skip this section. |
| 88 | + |
| 89 | +If the Octopus Server is running as a specific user, make sure that the user has "full control" permission to the *Octopus Home* folder on the machine. This is usually `C:\Octopus` - apply permissions recursively. |
| 90 | + |
| 91 | +## Check the load time |
| 92 | + |
| 93 | +In some DMZ-style environments without Internet access, failing to disable Windows code signing certificate revocation list checking will cause Windows to pause during loading of the Octopus applications and installers. This can have a significant negative performance impact, which may prevent Octopus and Tentacles connecting. |
| 94 | + |
| 95 | +To test this for a polling Tentacle, on the Octopus Server, run: |
| 96 | + |
| 97 | +```powershell |
| 98 | +Octopus.Server.exe help |
| 99 | +``` |
| 100 | + |
| 101 | +If the command help is not displayed immediately (< 1s) you may need to consider disabling the CRL check while the Octopus Server is configured. |
| 102 | + |
| 103 | +To do this open **Control Panel ➜ Internet Options ➜ Advanced**, and uncheck the *Check for publisher's certificate revocation* option as shown below. |
| 104 | + |
| 105 | +:::figure |
| 106 | + |
| 107 | +::: |
| 108 | + |
| 109 | +<TentacleUninstall /> |
0 commit comments