Agent Safe Mode

When Tenable Agent experiences an error, the agent automatically enters safe mode. While the agent is in safe mode, it cannot compile plugins or run scans, but it maintains connection with Tenable Vulnerability Management so that your organization can see that an error occurred, work to remediate the error, and remotely recover the agent.

For a deeper explanation of agent safe mode, see Safe Mode in the Tenable Agent User Guide.

Note: Agents on an earlier version than 10.9.0 do not have safe mode capabilities.

When a linked agent enters safe mode, Tenable Vulnerability Management notifies you on the Sensors menu icon and the Nessus AgentsLinked Agents tab. The Linked Agents menu shows a banner describing how many agents are currently in safe mode, and each agent in safe mode is marked with Overall Health: Safe Mode in the Health column of the linked agents table.

To remediate and recover agents that are in safe mode, you can report agents that are in safe mode on connect.tenable.com for Tenable Support assistance, or you can use the Linked Agents menu to self-remediate.

Note:Tenable strongly recommends submitting a support ticket when one or more agents go into safe mode. Do this before attempting one of the following remediation actions and make sure to include a debug file for one of the agents that has entered safe mode. Doing so allows Tenable Support to identify the root cause of the issue and plan any fixes. Without a debug file, the root cause of the issue will remain unknown and unable to be addressed.

  1. Go to Sensors > Nessus Agents > Linked Agents.

  2. (Optional) Collect error details about the agent or agents by doing one of the following:

    • In the yellow safe mode banner, click Collect error details.

    • In the table row of one of the agents that are in safe mode, right-click or open the Actions menu, then select Collect error details.

    The Error Details window appears. Record the error details as needed.

  3. Copy the error output text to your clipboard.

  4. Go to connect.tenable.com and open a ticket. Be sure to include the error output text in the ticket description.

    Await instruction from Tenable Support.

Caution: If you choose to self-remediate without assistance from Tenable, Tenable highly recommends trying remediation methods on small subset of your agents before attempting them on large groups or all of your agents.

  1. Go to Sensors > Nessus Agents > Linked Agents.

  2. (Optional) View error details about the agent or agents by doing one of the following:

    • In the yellow safe mode banner, click Collect Error Details.

    • In the table row of one of the agents that are in safe mode, right-click or open the Actions menu, then select Collect Error Details.

    The Error Details window appears. Record the error details as needed.

  3. Attempt to remediate the issue using one of the following methods: restarting the agent, rebuilding or resetting the agent plugins, or upgrading/downgrading the agent version.

    Generally, the agent re-enters safe mode within 90 minutes of restarting the agent if the issue is not solved. If your remediation action fixed the issue, the agent exits safe mode and remains out of safe mode. If you cannot remediate the issue, follow the Report agents that are in safe mode steps.

Restart the agents

Restarting the agent can remediate the issue if a previously undiscovered bug caused the agent to enter safe mode. You can restart an agent by simply exiting safe mode in the Linked Agents menu.

To restart the agent:

  1. In the Linked Agents table, do one of the following:

    • To restart a single agent, click the button in the agent's row.

      An action menu appears.

    • To restart multiple agents, select the checkbox of each agent you want to restart. Then, in the table click More.

      An action menu appears.

  2. Click Exit Safe Mode.

    The Exit Safe Mode window appears.

  3. Click Confirm.

    The agent or agents restart and exit safe mode the next time they check in with Tenable Vulnerability Management, which may be up to 30 minutes after clicking Confirm.

Rebuild or reset the agent plugins

Rebuild or resetting the agent's plugins can remediate the issue if the agent enters safe mode after a plugin update.

Rebuilding agent plugins instructs the agent to locally rebuild its current plugin set. Resetting the agent plugins instructs the agent to download the latest plugins from Tenable Vulnerability Management and build them. Therefore, the plugin reset process may not complete until up to 12 hours later (the next time the agents connect with Tenable Vulnerability Management).

Once either process completes, the agent restarts and exits safe mode.

Generally, Tenable recommends attempting to rebuild agent plugins before attempting to reset agent plugins. This is because rebuilding plugins has a much smaller impact on network traffic.

Note: If you rebuild plugins on many agents in a shared host environment, you may notice a CPU usage spike in that environment. If you reset plugins on many agents, you may notice a significant CPU usage spike.

To rebuild or reset the agent plugins:

  1. In the Linked Agents table, do one of the following:

    • To restart a single agent, click the button in the agent's row.

      An action menu appears.

    • To restart multiple agents, select the checkbox of each agent you want to restart. Then, in the table click More.

      An action menu appears.

  2. Depending on the action you want to perform, click Rebuild Agent Plugins or Reset Agent Plugins.

    A confirmation window appears.

  3. Click Confirm.

    The agent or agents perform a plugin rebuild or plugin reset the next time they check in with Tenable Vulnerability Management, which may be up to 30 minutes after clicking Confirm.

Upgrade or downgrade the agent version

Upgrading or downgrading the agent can remediate the issue if a software version update caused the agent to enter safe mode. Once the upgrade or downgrade process is complete, the agent restarts and exits safe mode.

If you choose to upgrade or downgrade agents, the process may not complete until up to 12 hours later (the next time the agents connect with Tenable Vulnerability Management).