diff --git a/DEPLOY.md b/DEPLOY.md
index db7a006..7306988 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -348,3 +348,17 @@ If the journal shows the agent connecting and immediately seeing RST again (a ti
    ```
 
    Should return HTTP 101 Switching Protocols. If it does, the network is the issue. If it doesn't, the control plane binary has a problem (look at `sdp-control-plane.service` journal for a startup error).
+
+### Still failing after the curl test? Check what's bound to port 3452
+
+The control plane is one listener on port 3452 — if systemd or another process is also bound, the kernel can RST connections to the "wrong" socket. On 186:
+
+```bash
+ssh administrator@172.18.139.186
+sudo ss -tlnp 'sport = :3452'
+sudo lsof -i :3452
+sudo systemctl list-sockets --no-legend 2>/dev/null | grep 3452
+exit
+```
+
+You should see only one listener: `control-plane` PID, IPv6 `*:3452` (dual-stack). If you see anything else — another systemd socket, a leftover container, a proxy — kill it. Then `sudo systemctl restart sdp-control-plane.service` on 186 and try the agent again.