Hi all,
I’m troubleshooting an Elastic Endgame / SMP issue and wanted to check whether anyone has seen this before.
Environment:
- SMP Platform 3.52.3
- Generated Windows sensor version 3.65.2
- Windows 10 fresh VM and also an older test VM
- Transceiver set to `https://smp-platform`
What happens:
- Sensor package downloads successfully from SMP
- Sensor installs successfully
- `esensorservice` starts and stays running
- But during check-in, the sensor repeatedly sends: `GET /websocket HTTP/1.1`
- SMP/nginx responds with: `400 Bad Request`
What we already tested:
- Reproduced on two different Windows machines, including a brand-new VM
- Hosts file and name resolution are correct
- SMP certificate imported and HTTPS browsing to SMP works
- Sensor binary download from SMP works
- Nginx websocket proxy configuration was verified
- We even temporarily relaxed `/websocket` validation in nginx for testing, including:
  - removing client-cert enforcement
  - forcing `Connection: Upgrade`
  - forcing `Upgrade: websocket`
  - forcing `Sec-WebSocket-Key` / `Sec-WebSocket-Version`
- Result still remained `400`
Important observation:
- The issue is not machine-specific, because the same behavior happens on a fresh VM with a fresh sensor profile
- It looks like the sensor is not completing a valid websocket upgrade handshake, or there is some protocol mismatch between SMP 3.52.3 and the generated 3.65.2 sensor
Question:
Has anyone seen Endgame sensor installs succeed, but websocket check-in fail with repeated GET /websocket -> 400 on SMP 3.52.3?
Is there any known compatibility issue, required patch, or specific configuration for this scenario?
Thanks.