Add troubleshooting section for Elastic Agent automatic unenrollment on 401 errors (#4250)

Copilot · vishaangelova · web-flow · commit ade1c025904e · 2025-12-19T21:17:20.000Z
## Summary Adds documentation for Elastic Agent automatic unenrollment behavior when receiving 401 errors during check-in. In versions < 8.19.0 and < 9.1.0, agents are automatically unenrolled after 7 consecutive 401 failures. This behavior was removed in 8.19.0/9.1.0. **Changes:** - Added troubleshooting section "{{agent}} is automatically unenrolled after failed check-ins with 401 errors" to `troubleshoot/ingest/fleet/common-problems.md` - Updated table of contents with new section reference - Documented version-specific behavior for versions < 8.19.0 and < 9.1.0 - Provided resolution steps: re-enrollment process and investigating 401 error causes - Added version-gated admonition explaining behavior change in 8.19.0/9.1.0 - Listed common causes: expired API keys, misconfiguration, authentication issues ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes - [ ] No 2. Tool(s) and model(s) used: GitHub Copilot  <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>[Website]: Add troubleshooting section about failed check-ins and 401</issue_title> > <issue_description>### Type of issue > > None > > ### What documentation page is affected > > https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems > > ### What happened? > > We should cover the situation that if an Elastic Agent in versions < 9.1.0 or 8.19.0 gets a 401 while checkin in for more than 7 times, it gets auto-unenrolled. > > This behavior has been changed on 9.1.0 and 8.19.0, removing the auto-unenrollment. > > ### Additional info > > _No response_</issue_description> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details>  - Fixes #3708  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> Co-authored-by: Visha Angelova <visha.angelova@elastic.co>
diff --git a/troubleshoot/ingest/fleet/common-problems.md b/troubleshoot/ingest/fleet/common-problems.md
@@ -54,6 +54,7 @@ Find troubleshooting information for {{fleet}}, {{fleet-server}}, and {{agent}}
 * [{{agent}} fails with `Agent process is not root/admin or validation failed` message](#process-not-root)
 * [Integration policy upgrade has too many conflicts](#upgrading-integration-too-many-conflicts)
 * [{{agent}} hangs while unenrolling](#agent-hangs-while-unenrolling)
+* [{{agent}} is automatically unenrolled after failed check-ins with 401 errors](#agent-auto-unenroll-401)
 * [On {{fleet-server}} startup, ERROR seen with `State changed to CRASHED: exited with code: 1`](#ca-cert-testing)
 * [Uninstalling {{elastic-endpoint}} fails](#endpoint-not-uninstalled-with-agent)
 * [API key is unauthorized to send telemetry to `.logs-endpoint.diagnostic.collection-*` indices](#endpoint-unauthorized)
@@ -531,6 +532,59 @@ You can unenroll an agent to invalidate all API keys related to the agent and ch
 3. Click **Force unenroll**.
 
 
+## {{agent}} is automatically unenrolled after failed check-ins with 401 errors [agent-auto-unenroll-401]
+
+In {{agent}} versions prior to 8.19.0 and 9.1.0, if an agent receives a 401 (Unauthorized) error on more than seven consecutive check-ins with {{fleet-server}}, the agent is automatically unenrolled.
+
+To resolve the issue:
+
+:::::{stepper}
+
+::::{step} Re-enroll the agent
+
+* If the agent is still installed on the host, re-enroll it in {{fleet}} to keep the agent's existing state, including any previously ingested data:
+
+   1. Open the **Agents** tab, then click **Add agent**.
+   2. In the **Add agent** flyout, select the agent policy in which to re-enroll the agent. 
+   3. In the **Authentication settings** section, select an enrollment token:
+
+      * If one or more active enrollment tokens exist for your agent policy, select one from the dropdown.
+      * If no active tokens exist, click **Create enrollment token**. For detailed instructions, refer to [Create enrollment tokens](/reference/fleet/fleet-enrollment-tokens.md#create-fleet-enrollment-tokens).
+   
+   4. Make sure **Enroll in Fleet** is selected.
+   5. Select the appropriate platform, then copy the `elastic-agent install` command from the UI, and replace `install` with `enroll`.
+   6. Run the modified command with elevated privileges from the directory where the agent is installed. For example:
+
+     ```bash
+     sudo ./elastic-agent enroll --url=<fleet-server-url> --enrollment-token=<token>
+     ```
+
+     Refer to the [command reference](/reference/fleet/agent-command-reference.md#elastic-agent-enroll-command) for details about the available options.
+
+* If the agent is no longer installed on the host, reinstall and enroll it in {{fleet}}. Refer to [Install {{fleet}}-managed {{agents}}](/reference/fleet/install-fleet-managed-elastic-agent.md) for detailed instructions.
+
+::::
+
+::::{step} Resolve the underlying issues
+
+Investigate the cause of the 401 errors and resolve the underlying issues to ensure proper agent functionality.
+
+401 errors during check-in typically indicate authentication or authorization problems. Common causes include:
+
+* Expired or revoked API keys
+* Incorrect {{fleet-server}} configuration
+* Issues with {{es}} authentication settings
+
+::::
+
+:::::
+
+:::{admonition} Agents are no longer automatically unenrolled
+:applies_to: stack: ga 9.1.0
+
+The automatic unenrollment behavior is removed in {{agent}} versions 8.19.0 and 9.1.0. Starting with these versions, {{agents}} are no longer automatically unenrolled due to repeated 401 errors during check-in. When the issue causing the errors is resolved, the agents automatically reconnect to {{fleet}} and resume ingesting data.
+:::
+
 ## On {{fleet-server}} startup, ERROR seen with `State changed to CRASHED: exited with code: 1` [ca-cert-testing]
 
 You may see this error message for a number of different reasons. A common reason is when attempting production-like usage and the ca.crt file passed in cannot be found.  To verify if this is the problem, bootstrap {{fleet-server}} without passing a ca.crt file. This implies you would test any subsequent {{agent}} installs temporarily with {{fleet-server}}'s own self-signed cert.
