Troubleshooting Listening Tentacles

Communication settings

To verify the communication settings, On the Tentacle machine, open the Tentacle Manager application from the Start screen or Start menu.

1. Ensure that the Tentacle is in listening mode. Below the thumbprint, you should see the text This Tentacles listens for connections on port 10933.
2. Check the port that the Tentacle listens on.
3. Check that the Octopus Server thumbprint shown in light gray in the Tentacle manager matches the one shown in the Configuration ➜ Thumbprints screen in the Octopus Web Portal.

Note, that there are two thumbprints displayed - that of the Tentacle itself (shown first in bold) and the thumbprints of trusted servers (shown inline in the gray text).

If any of the communications settings are incorrect, choose Delete this Tentacle instance…. After doing so, you’ll be presented with the Tentacle installation wizard, where the correct settings can be chosen. If the settings are correct, continue to next step.

Check the connections

To help with diagnostics, we’ve include a welcome page you can connect to from your web browser.

When you conduct these checks:

• If you’re presented with a prompt to “confirm a certificate” or “select a certificate” choose “Cancel” - don’t provide one.
• If you’re presented with a warning about the invalidity of the site’s certificate, “continue to the site” or “add an exception” (Octopus Server uses a self-signed certificate by default).

On the Tentacle machine, open a web browser and navigate to https://localhost:10933 (or your chosen Tentacle communications port if it isn’t the default). Make sure you use an HTTPS URL is used.

The page shown should look like the one below.

Next, repeat the process of connecting to the Tentacle with a web browser, but do this from the Octopus Server machine.

When forming the URL to check:

• First try using the Tentacle’s DNS hostname, e.g. https://my-tentacle:10933.
• If this fails, try using the Tentacle’s IP address instead, e.g. https://1.2.3.4:10933 - success using the IP address but not the DNS hostname will indicate a DNS issue.

If you can’t connect… Failing to connect at this step means that you have a network issue preventing traffic between the Octopus Server and Tentacles. Check that the Tentacle port is open in any firewalls, and that other services on the network are working. There’s not usually much that Octopus Deploy Support can suggest for these issues as networks are complex and highly varied. Having the network administrator from your organization help diagnose the issue is the best first step. If that draws a blank, please get in touch.

Remember to check both the built-in Windows Firewall, and any other firewalls (in Amazon EC2, check your security group settings for example).

Tentacle ping

We have built a small utility for testing the communications protocol between two servers called Tentacle Ping. This tool helps isolate the source of communication problems without needing a full Octopus configuration. It is built as a simple client and server component that emulates the communications protocol used by Octopus Server and Tentacle.

In Octopus 3.0 you will need TentaclePing and TentaclePong, you cannot test directly to Octopus Server nor Tentacle:

• Run TentaclePing on your Octopus Server machine (which is the client in this relationship).
• Run TentaclePong on your Tentacle machine (which is the server in this relationship).

Use the output to help diagnose what is going wrong.

Check the IP address

Your Octopus Server or Tentacle Server may have multiple IP addresses that they listen on. For example, in Amazon EC2 machines in a VPN might have both an internal IP address and an external addresses using NAT. Octopus Server and Tentacle Server may not listen on all addresses; you can check which addresses are configured on the server by running ipconfig /all from the command line and looking for the IPv4 addresses.

Schannel and TLS configuration mismatches

Octopus uses Schannel for secure communications and will attempt to use the best available protocol available to both servers. If you are seeing error messages like below, try Troubleshooting Schannel and TLS:

Client-side:System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: One or more of the parameters passed to the function was invalid

Server-side:System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Other error messages

Halibut.Transport.Protocol.ConnectionInitializationFailedException: Unable to process remote identity; unknown identity ‘HTTP/1.0’

If a Tentacle health-check fails with an error message containing this error message, then there is network infrastructure inserting a web page into the communication. The most common components to do this are firewalls and proxy servers so it’s recommend to check your network setup to verify connectivity between the two servers using the information above and then update your infrastructure appropriately.

Halibut.HalibutClientException: An error occurred when sending a request to ‘https://my-tentacle:10933’, before the request could begin: Attempted to read past the end of the stream.

If your Octopus server certificate was generated with SHA1 then you might get this error when connecting to modern Linux distributions, as the default security configuration now rejects communication using SHA1. To regenerate your Octopus server certificate, follow the documentation How to regenerate certificates with Octopus Server and Tentacle.

Check for zombie child processes locking TCP ports

If Tentacle fails to start with an error message like this: A required communications port is already in use.

The most common scenario is when you already have an instance of Tentacle (or something else) listening on the same TCP port. However, we have seen cases where there is no running Tentacle in the list of processes. In this very specific case it could be due to a zombie PowerShell.exe or Calamari.exe process that was launched by Tentacle that is still holding the TCP port. This can happen when attempting to cancel a task that has hung inside of Calamari/PowerShell. Simply rebooting the machine, or killing the zombie process will fix this issue, and you should be able to start Tentacle successfully.

Check the server service account permissions

If the Tentacle is running as the Local System account you can skip this section.

If the Tentacle is running as a specific user, make sure that the user has “full control” permission to the Octopus Home folder on the Tentacle machine. This is usually C:\Octopus - apply permissions recursively.

Check the load time

In some DMZ-style environments without Internet access, failing to disable Windows code signing certificate revocation list checking will cause Windows to pause during loading of the Octopus applications and installers. This can have a significant negative performance impact, which may prevent Octopus and Tentacles connecting.

To test this on a listening Tentacle, run:

Tentacle.exe help

If the command help is not displayed immediately (< 1s) you may need to consider disabling the CRL check while the Tentacle is configured.

To do this open Control Panel ➜ Internet Options ➜ Advanced, and uncheck the Check for publisher’s certificate revocation option as shown below.

Uninstall Tentacles

If you get to the end of this guide without success, it can be worthwhile to completely remove the Tentacle configuration, data, and working folders, and then reconfigure it from scratch. This can be done without any impact to the applications you have deployed. Learn about manually uninstalling Tentacle. Working from a clean slate can sometimes expose the underlying problem.

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Thursday, August 28, 2025