MicrosoftDocs
diff --git a/‎support/azure/automation/runbooks/runbook-fails-on-hybrid-worker.md‎
Lines changed: 67 additions & 0 deletions b/‎support/azure/automation/runbooks/runbook-fails-on-hybrid-worker.md‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎support/azure/automation/toc.yml‎
Lines changed: 4 additions & 0 deletions b/‎support/azure/automation/toc.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎support/azure/azure-kubernetes/availability-performance/cluster-service-health-probe-mode-issues.md‎
Lines changed: 156 additions & 9 deletions b/‎support/azure/azure-kubernetes/availability-performance/cluster-service-health-probe-mode-issues.md‎
Lines changed: 156 additions & 9 deletions
@@ -0,0 +1,67 @@
+---
+title: Troubleshoot Hybrid Runbook Worker Job Failures in Azure Automation
+description: Discusses some common issues that might occur when you run a runbook on Hybrid Runbook Worker.
+ms.date: 06/13/2025
+ms.reviewer: adoyle
+ms.service: azure-automation
+ms.custom: sap:Runbook not working as expected
+---
+
+# Hybrid Runbook Worker job isn't working as expected
+
+This article provides guidance for troubleshooting and resolving issues that affect Hybrid Runbook Worker in Azure Automation.
+
+> [!NOTE]
+> Azure Automation enables the recovery of runbooks that are deleted in the past 29 days. For more information, see [Restore deleted runbook](/azure/automation/manage-runbooks#restore-deleted-runbook).
+
+## Troubleshoot connectivity issues
+
+Connectivity problems are a common cause of issues that affect runbooks. Use the [Test Cloud Connectivity tool](/azure/azure-monitor/agents/agent-windows-troubleshoot?tabs=UpdateMMA#connectivity-issues) to verify that your environment is correctly configured.
+
+## General troubleshooting
+
+| **Issue** | **Resolution** |
+|----------|----------------|
+| Runbooks behave differently on a hybrid worker than in Azure Automation. | See [Runbook permissions](/azure/automation/automation-hrw-run-runbooks#runbook-permissions) for information about authentication differences. |
+| Error: No certificate was found. | Follow the "[No Certificate Found](/azure/automation/troubleshoot/hybrid-runbook-worker#no-cert-found)" section in the troubleshooting guide. |
+| You need to troubleshoot a custom runbook. | See [Troubleshoot runbook issues](/azure/automation/troubleshoot/runbooks). |
+| You need to check job status. | Review [job details and statuses](/azure/automation/automation-runbook-execution#job-statuses). |
+| Hybrid worker doesn't run jobs or is unresponsive. | Troubleshoot by using [Hybrid Runbook Worker diagnostics](/azure/automation/troubleshoot/hybrid-runbook-worker). |
+| Runbooks suddenly stop working. | Make sure that you [migrated to managed identity](/azure/automation/migrate-run-as-accounts-managed-identity?tabs=sa-managed-identity#cert-renewal) and that webhooks aren't expired. |
+| Need help with passing parameters into a webhook. | See [Start a runbook from a webhook](/azure/automation/automation-webhooks#parameters-used-when-the-webhook-starts-a-runbook). |
+| You want to use both `Az` and `AzureRM` modules in runbook. | This scenario isn't supported. Use only [Az modules in runbooks](/azure/automation/automation-update-azure-modules). |
+| Can't start or schedule a runbook. | Verify that the runbook is in a [published state](/azure/automation/manage-runbooks#publish-a-runbook). |
+| Runbook is suspended or failed unexpectedly. | Review [job statuses](/azure/automation/automation-runbook-execution#job-statuses). Add logging to the runbook by using [output streams](/azure/automation/automation-runbook-output-and-messages#working-with-message-streams). If the job fails three times, check [the automation limits](/azure/azure-resource-manager/management/azure-subscription-service-limits#automation-limits) and consider using a [Hybrid Worker](/azure/automation/automation-hybrid-runbook-worker). |
+
+
+### Windows Hybrid Runbook Worker issues
+
+| **Issue** | **Resolution** |
+|-----------|----------------|
+| Event 4502 appears in the Operations Manager log. | See [Event 4502](/azure/automation/troubleshoot/hybrid-runbook-worker#event-4502). |
+| Script using `Connect-MsolService` can't connect to Microsoft 365. | See [Sandbox can't connect to Microsoft 365](/azure/automation/troubleshoot/hybrid-runbook-worker#scenario-orchestratorsandboxexe-cant-connect-to-microsoft-365-through-proxy). |
+| Machine is running but not sending heartbeat data. | See [Hybrid worker not reporting](/azure/automation/troubleshoot/hybrid-runbook-worker#corrupt-cache). |
+
+
+### Linux Hybrid Runbook Worker issues
+
+| **Issue** | **Resolution** |
+|-----------|----------------|
+| Unexpected password prompt appears when using `sudo`. | See [Linux runbook worker prompts for password](/azure/automation/troubleshoot/hybrid-runbook-worker#prompt-for-password). |
+| Log file shows "The specified class does not exist." | See [Class does not exist error](/azure/automation/troubleshoot/hybrid-runbook-worker#class-does-not-exist). |
+| Linux job is stuck in **Running** state | 1. Switch to `sudo` permissions: `sudo su`<br>2. Make sure that the `hwd` service is running: `systemctl status hwd.service`<br>3. Open the following file in Hybrid Worker: `vi /lib/systemd/system/hwd.service`<br>4. Update the setting from `CPUQuota=25%` to `CPUQuota=` to make the usage unrestricted, as shown in the following example: <br><br>`[Unit]`<br>`Description=HW Service`<br>`After=network.target`<br>`[Service]`<br>`Type=simple`<br>`ExecStart=/usr/bin/python3 .../automationWorkerStarterScript.py`<br>`TimeoutStartSec=5`<br>`Restart=always`<br>`RestartSec=10s`<br>`TimeoutStopSec=600`<br>`CPUQuota=`<br>`KillMode=process`<br>`[Install]`<br>`WantedBy=multi-user.target`<br><br> 5. Restart the `hwd` service: <br>`systemctl daemon-reload` <br> `systemctl restart hwd.service`<br>|
+
+## Other error messages
+
+| **Error** | **Resolution** |
+|-----------|----------------|
+| "The subscription cannot be found" | This error usually means that the runbook isn't using a managed identity. Follow the steps in [Unable to find subscription](/azure/automation/troubleshoot/runbooks#unable-to-find-subscription). |
+| "Strong authentication enrollment is required." | See [Authentication to Azure failed due to MFA](/azure/automation/troubleshoot/runbooks#auth-failed-mfa). |
+| "No permission" or similar error | Make sure that the [managed identity has appropriate permissions](/azure/role-based-access-control/role-assignments-portal). |
+
+## Reference
+
+- [Automation Hybrid Runbook Worker overview](/azure/automation/automation-hybrid-runbook-worker)  
+- [Deploy a Windows Hybrid Runbook Worker](/azure/automation/automation-windows-hrw-install)  
+- [Deploy a Linux Hybrid Runbook Worker](/azure/automation/automation-linux-hrw-install)  
+- [Run runbooks on a Hybrid Runbook Worker](/azure/automation/automation-hrw-run-runbooks)
@@ -2,6 +2,8 @@
   href: welcome-automation.yml
 - name: Runbook not working as expected
   items:
+  - name: Hybrid Runbook Worker job isn't working
+    href: runbooks/runbook-fails-on-hybrid-worker.md
   - name: Runbook jobs get suspended
     href: runbooks/runbook-job-suspended.md
   - name: Troubleshoot error codes during runbook execution
@@ -14,3 +16,5 @@
     href: runbooks/troubleshoot-runbook-execution-issues.md
   - name: Troubleshoot runbook execution issues when using PowerShell
     href: runbooks/powershell-job-script-cmdlets-not-working.md
+  - name: Troubleshoot Hybrid Runbook Worker Job Failures
+    href: runbooks/troubleshoot-runbook-execution-issues.md
@@ -4,8 +4,9 @@ description: Diagnoses and fixes common issues with the health probe mode featur
 ms.date: 06/03/2024
 ms.reviewer: niqi, cssakscic, v-weizhu
 ms.service: azure-kubernetes-service
-ms.custom: sap:Node/node pool availability and performance, devx-track-azurecli
+ms.custom: sap:Node/node pool availability and performance, devx-track-azurecli, innovation-engine
 ---
+
 # Troubleshoot issues when enabling the AKS cluster service health probe mode
 
 The health probe mode feature allows you to configure how Azure Load Balancer probes the health of the nodes in your Azure Kubernetes Service (AKS) cluster. You can choose between two modes: Shared and ServiceNodePort. The Shared mode uses a single health probe for all external traffic policy cluster services that use the same load balancer. In contrast, the ServiceNodePort mode uses a separate health probe for each service. The Shared mode can reduce the number of health probes and improve the performance of the load balancer, but it requires some additional components to work properly. To enable this feature, see [How to enable the health probe mode feature using the Azure CLI](#how-to-enable-the-health-probe-mode-feature-using-the-azure-cli).
@@ -36,11 +37,92 @@ The following operations also happen:
 
 To troubleshoot these issues, follow these steps:
 
-1. Check the RP frontend log to see if the health probe mode in the LoadBalancerProfile is properly configured. You can use the `az aks show` command to view the LoadBalancerProfile property of your cluster. 
-
-2. Check the *overlaymgr* log to see if the cloud provider secret is updated. The keyword to look for is `cloudConfigSecretResolver`. Or check the contents of the cloud-provider-config secret in the `ccp` namespace. You can use the `kubectl get secret` command to view the secret. 
-
-3. Check the chart or overlay daemonset cloud-node-manager to see if the health-probe-proxy sidecar container is enabled. You can use the `kubectl get ds` command to view the daemonset.
+1. First, connect to your AKS cluster using the Azure CLI:
+
+    ```azurecli
+    export RESOURCE_GROUP="aks-rg"
+    export AKS_CLUSTER_NAME="aks-cluster"
+    az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --overwrite-existing
+    ```
+
+2. Next, check the RP frontend log to see if the health probe mode in the LoadBalancerProfile is properly configured. You can use the `az aks show` command to view the LoadBalancerProfile property of your cluster. 
+
+    ```azurecli
+    export RESOURCE_GROUP="aks-rg"
+    export AKS_CLUSTER_NAME="aks-cluster"
+    az aks show --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "networkProfile.loadBalancerProfile"
+    ```
+    Results:
+
+    <!-- expected_similarity=0.3 -->
+
+    ```output
+    {
+      "clusterServiceLoadBalancerHealthProbeMode": "Shared",
+      "managedOutboundIPs": null,
+      "outboundIPs": null,
+      "outboundIPPrefixes": null,
+      "allocatedOutboundPorts": null,
+      "effectiveOutboundIPs": [
+        {
+          "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MC_aks-rg_aks-cluster_eastus2/providers/Microsoft.Network/publicIPAddresses/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+        }
+      ],
+      "idleTimeoutInMinutes": 30,
+      "loadBalancerSku": "standard",
+      "managedOutboundIPv6": null
+    }
+    ```
+
+3. Check the cloud provider configuration. In modern AKS clusters, the cloud provider configuration is managed internally and the `ccp` namespace doesn't exist. Instead, check for cloud provider related resources and verify the cloud-node-manager pods are running properly:
+
+
+    ```bash
+    # Check for cloud provider related ConfigMaps in kube-system
+    kubectl get configmap -n kube-system | grep -i azure
+    
+    # Check if cloud-node-manager pods are running (indicates cloud provider integration is working)
+    kubectl get pods -n kube-system | grep cloud-node-manager
+    
+    # Check the azure-ip-masq-agent-config if it exists
+    kubectl get configmap azure-ip-masq-agent-config-reconciled -n kube-system -o yaml 2>/dev/null || echo "ConfigMap not found"
+    ```
+    Results:
+
+    <!-- expected_similarity=0.3 -->
+
+    ```output
+    configmap/azure-ip-masq-agent-config-reconciled   1      11h
+    
+    cloud-node-manager-rfb2w                        2/2     Running   0          16m
+    ```
+
+4. Check the chart or overlay daemonset cloud-node-manager to see if the health-probe-proxy sidecar container is enabled. You can use the `kubectl get ds` command to view the daemonset.
+
+    ```shell
+    kubectl get ds -n kube-system cloud-node-manager -o yaml
+    ```
+    Results:
+
+    <!-- expected_similarity=0.3 -->
+
+    ```output
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: cloud-node-manager
+      namespace: kube-system
+      ...
+    spec:
+      template:
+        spec:
+          containers:
+          - name: cloud-node-manager
+            image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:xxxxxxxx
+          - name: health-probe-proxy
+            image: mcr.microsoft.com/oss/kubernetes/azure-health-probe-proxy:xxxxxxxx
+          ...
+    ```
 
 ## Cause 1: The health probe mode isn't Shared or ServiceNodePort
 
@@ -74,6 +156,26 @@ The health probe mode feature requires you to register the feature on your subsc
 
 Make sure you register the feature for your subscription before creating or updating your cluster. You can use the `az feature register` command to register the feature. 
 
+```azurecli
+export FEATURE_NAME="EnableSLBSharedHealthProbePreview"
+export PROVIDER_NAMESPACE="Microsoft.ContainerService"
+az feature register --name $FEATURE_NAME --namespace $PROVIDER_NAMESPACE
+```
+Results:
+
+<!-- expected_similarity=0.3 -->
+
+```output
+{
+  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/EnableAKSClusterServiceLoadBalancerHealthProbeMode",
+  "name": "Microsoft.ContainerService/EnableAKSClusterServiceLoadBalancerHealthProbeMode",
+  "properties": {
+    "state": "Registering"
+  },
+  "type": "Microsoft.Features/providers/features"
+}
+```
+
 ## Cause 5: The Kubernetes version is earlier than v1.28.0
 
 The health probe mode feature requires a minimum Kubernetes version of v1.28.0. If you use an older version, the feature won't work. 
@@ -90,8 +192,53 @@ For Windows, the kube-proxy component doesn't start until you create the first n
 
 To enable the health probe mode feature, run one of the following commands:
 
-- `az aks create/update --cluster-service-load-balancer-health-probe-mode Shared`
-
-- `az aks create/update --cluster-service-load-balancer-health-probe-mode ServiceNodePort (default)`
+Enable `ServiceNodePort` health probe mode (default) for a cluster:
+
+```shell
+export RESOURCE_GROUP="aks-rg"
+export AKS_CLUSTER_NAME="aks-cluster"
+az aks update --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --cluster-service-load-balancer-health-probe-mode ServiceNodePort 
+```
+Results:
+
+```output
+{
+  "name": "aks-cluster",
+  "location": "eastus2",
+  "resourceGroup": "aks-rg",
+  "kubernetesVersion": "1.28.x",
+  "provisioningState": "Succeeded",
+  "loadBalancerProfile": {
+    "clusterServiceLoadBalancerHealthProbeMode": "ServiceNodePort",
+    ...
+  },
+  ...
+}
+```
+
+Enable `Shared` health probe mode for a cluster:
+
+```shell
+export RESOURCE_GROUP="MyAksResourceGroup"
+export AKS_CLUSTER_NAME="MyAksCluster"
+az aks update --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --cluster-service-load-balancer-health-probe-mode Shared
+```
+
+Results:
+
+```output
+{
+  "name": "MyAksCluster",
+  "location": "eastus2",
+  "resourceGroup": "MyAksResourceGroup",
+  "kubernetesVersion": "1.28.x",
+  "provisioningState": "Succeeded",
+  "loadBalancerProfile": {
+    "clusterServiceLoadBalancerHealthProbeMode": "Shared",
+    ...
+  },
+  ...
+}
+```
 
 [!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]