[Bug] Ollama Cloud rate-limit cooldown permanently blocks agents — not released after API recovery

[timo-reuter]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After an Ollama Cloud 429 rate-limit error, OpenClaw's internal rate-limit cooldown permanently blocks agent sessions. Even after the Ollama API fully recovers (confirmed by direct API test returning HTTP 200), blocked agents cannot start new sessions. Only agents with already-active sessions continue to work. Gateway restarts do not clear the cooldown state. Observed in v2026.5.22, persists after upgrade to v2026.5.26.

Steps to reproduce

1. Set up OpenClaw with 4 agents (Tim, Tea, Kaho, Tom) all using Ollama Cloud (ollama.com) with the same API key and glm-5.1:cloud as primary model.
2. Configure cron jobs for multiple agents that trigger at the same time (e.g., daily 04:00 memory sanitization).
3. Wait for a burst of concurrent API calls that triggers a temporary Ollama 429 rate-limit response.
4. Observe that OpenClaw enters rate-limit cooldown for the affected agents.
5. Confirm the Ollama API has recovered by making a direct API call (returns HTTP 200 with valid response).
6. Check the Ollama dashboard: shows only 0.6% weekly usage, 3.5% session usage — nowhere near any real limit.
7. Attempt to send messages to the blocked agents — they fail with FailoverError: ⚠️ API rate limit reached.
8. Restart the gateway (openclaw gateway restart) — blocked agents remain blocked.
9. Fully restart OpenClaw (kill process + restart) — blocked agents remain blocked.
10. Upgrade from v2026.5.22 to v2026.5.26 — blocked agents remain blocked.
11. Only agents with pre-existing active sessions (Tim) continue to work on the same API key.

Expected behavior

After a temporary 429 rate-limit error clears, OpenClaw should retry API calls and resume normal operation. Agents should be able to start new sessions and respond to messages once the Ollama API returns to normal (HTTP 200). Gateway restarts should clear any internal rate-limit cooldown state. In v2026.5.22 and earlier, temporary 429 errors were handled with exponential backoff and agents recovered automatically.

Actual behavior

Agents Kaho and Tom are permanently blocked with FailoverError: ⚠️ API rate limit reached. Please try again later. Direct API test with the same key returns HTTP 200. Gateway logs show EmbeddedAttemptSessionTakeoverError: session file changed while embedded prompt lock was released. The Ollama dashboard confirms 0.6% weekly usage — no real limit reached. Only agents with already-active sessions (Tim, Tea) continue to function on the same API key.

OpenClaw version

2026.5.26

Operating system

Windows 11 (10.0.26200) x64

Install method

npm global (npm install -g openclaw)

Model

ollama/glm-5.1:cloud (primary), ollama/kimi-k2.5:cloud, ollama/minimax-m2.7:cloud (fallbacks)

Provider / routing chain

openclaw -> ollama.com (Ollama Cloud)

Additional provider/model setup details

4 agents share the same Ollama Cloud API key (Pro tier). Config in ~/.openclaw/openclaw.json under models.providers.ollama. Each agent has model set to ollama/glm-5.1:cloud with fallbacks. Kaho was updated to use model object with fallbacks (primary + fallbacks[]) but the fallbacks also return 429. Direct Node.js API test with the same key returns HTTP 200, confirming the issue is in OpenClaw's internal rate-limit state, not in Ollama.

Logs, screenshots, and evidence

Impact and severity

• Affected: All multi-agent setups using Ollama Cloud on shared API keys
• Severity: High (blocks 2 out of 4 agents completely; they cannot respond to any user messages or run cron jobs)
• Frequency: Always once triggered (permanent block until manual intervention or unknown cooldown expiry)
• Consequence: Agents Kaho and Tom are completely unresponsive. Cron jobs (memory sanitization, scheduled tasks) fail with 3 consecutive errors. User-facing messages go unanswered.

Additional information

Last known good: v2026.5.22 (before upgrade, agents worked intermittently). First known bad: v2026.5.22 (after burst of 429 errors, agents became permanently blocked).

Workaround attempted:

• Deleted and recreated cron jobs (cleared consecutive error counters)
• Added fallback models to agent config
• Multiple gateway restarts
• Full process restart
• Upgrade to v2026.5.26
• None resolved the issue

Suggested fix:

1. Add a configurable cooldown reset mechanism (e.g., openclaw gateway reset-ratelimit)
2. Clear all rate-limit cooldown state on gateway restart
3. Implement proper exponential backoff with automatic retry instead of permanent block
4. Respect Retry-After headers from Ollama instead of indefinite cooldown
5. Direct API test proof: Node.js https.request to ollama.com/v1/chat/completions with the same API key returns HTTP 200 immediately, while OpenClaw's internal tracker continues returning FailoverError

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 28, 2026, 6:36 AM ET / 10:36 UTC.

Summary
Keep open. Current main still has compatibility-sensitive auth-provider cooldown and session-suspension paths that can block new Ollama Cloud attempts after a 429, and the report is recent enough that it should not be swept as stale or implemented without affected auth-state/log proof.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Not yet; source inspection confirms the persisted cooldown and suspension path, but the reported permanent Ollama Cloud recovery needs affected auth/session state or a mocked 429-to-200 multi-agent repro.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
Manual review should first identify whether cooldown, blocked, or quota-suspension state is stuck and define the restart/reset semantics before a fix lane runs.

Review details

Best possible solution:

Add a narrow recovery path for transient Ollama Cloud rate-limit cooldowns that resumes provider attempts after recovery while preserving real billing/auth disables and quota-suspension safety.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Not yet; source inspection confirms the persisted cooldown and suspension path, but the reported permanent Ollama Cloud recovery needs affected auth/session state or a mocked 429-to-200 multi-agent repro.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Unclear; a reset command may help operators, but the safer fix is automatic transient-cooldown recovery without clearing real billing or auth lockouts.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The report lacks affected auth-state.json, session-store quotaSuspension, and gateway log excerpts, so the exact stuck state is not yet isolated.
• Changing restart-time clearing or manual reset behavior could accidentally erase intentional billing/auth disable windows if maintainers do not define the recovery boundary first.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9fef53c3b1ed.

Label changes

Label changes:

• add impact:message-loss: The user-facing effect is agents failing to answer new messages after the cooldown is triggered.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• remove clawsweeper:needs-info: Current issue advisory state no longer selects this label.
• remove impact:crash-loop: Current review impact labels are impact:auth-provider, impact:session-state, impact:message-loss.
• remove issue-rating: 🦪 silver shellfish: Current issue advisory state no longer selects this label.

Label justifications:

• P1: The report describes a current release blocking multiple agents and cron runs after a shared Ollama Cloud 429 event.
• impact:auth-provider: The failure centers on provider auth profile cooldown and model fallback routing for Ollama Cloud.
• impact:session-state: The reported blocked agents depend on persisted auth usage state and possibly session quota-suspension state across restarts.
• impact:message-loss: The user-facing effect is agents failing to answer new messages after the cooldown is triggered.

Evidence reviewed

What I checked:

• Issue report evidence: The reporter describes a multi-agent Ollama Cloud shared-key setup on v2026.5.26 where direct API calls returned HTTP 200 but OpenClaw still returned FailoverError: API rate limit reached after gateway restart and full process restart.
• Current source can skip all cooldowned profiles: runWithModelFallback resolves auth profile order, detects when no profile is available for a provider/model, and can skip/suspend the candidate before making a new provider call. (src/agents/model-fallback.ts:1177, 9fef53c3b1ed)
• Cooldown state is persisted: Auth-profile failures update the locked auth profile store and copy the updated usageStats back into runtime state, so gateway restart alone does not imply cooldown state disappears. (src/agents/auth-profiles/usage.ts:683, 9fef53c3b1ed)
• Only expired cooldown windows are cleared automatically: clearExpiredCooldowns removes cooldown, blocked, and disabled windows only after their timestamps expire, resetting counters only when no unusable window remains. (src/agents/auth-profiles/usage-state.ts:133, 9fef53c3b1ed)
• Session suspension can persist a 30 minute resume window: Rate-limit failover maps to quota suspension and persists quotaSuspension with an expectedResumeBy timestamp; store maintenance later transitions it toward resume. (src/agents/session-suspension.ts:97, 9fef53c3b1ed)
• Documented behavior expects recovery, not permanent skip: The model-failover docs say cooldowned providers are probed near expiry and same-provider fallback siblings can be attempted for transient rate-limit, overloaded, or unknown cooldowns. Public docs: docs/concepts/model-failover.md. (docs/concepts/model-failover.md:301, 9fef53c3b1ed)

Likely related people:

• Peter Steinberger: Introduced the redesigned model config and auth profile foundation that the current cooldown state builds on. (role: introduced behavior; confidence: medium; commits: b04c838c15e5; files: src/agents/auth-profiles, src/agents/model-fallback.ts)
• Yi Wang: Authored the early cooldowned-provider skip work in model fallback. (role: introduced behavior; confidence: medium; commits: ff42a48b5468; files: src/agents/model-fallback.ts)
• Gustavo Madeira Santana: Carried forward cooldowned-provider skip behavior shortly after the initial implementation. (role: recent area contributor; confidence: medium; commits: 959ddae6124c; files: src/agents/model-fallback.ts)
• Ramez: Authored the quota fallback and surgical cooldown logic that is close to the reported blocked-agent path. (role: recent area contributor; confidence: medium; commits: acbb93be489d; files: src/agents/model-fallback.ts)
• kiranvk2011: Added model-scoped cooldown and stepped backoff behavior in the auth profile and fallback path. (role: recent area contributor; confidence: medium; commits: 84401223c7b8; files: src/agents/auth-profiles/usage.ts, src/agents/auth-profiles/types.ts, src/agents/model-fallback.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.