diff --git a/internal/locald/rootmanager/tp_monitor.go b/internal/locald/rootmanager/tp_monitor.go
index 4e5750e..8be52ae 100644
--- a/internal/locald/rootmanager/tp_monitor.go
+++ b/internal/locald/rootmanager/tp_monitor.go
@@ -2,6 +2,7 @@ package rootmanager
 
 import (
 	"fmt"
+	"net/http"
 	"time"
 
 	"log/slog"
@@ -128,16 +129,34 @@ func (mon *tpMonitor) checkTunnelProxyAccess(ctx context.Context) bool {
 			restartSvcs = true
 		}
 	}
+	if !restartSvcs {
+		// the grpc check for connecting to the tunnel proxy does not suffice
+		// because it has built-in retries and may re-use a connection while
+		// we are unable to establish a new connection.  So, we also check
+		// the controller manager health endpoint
+		cli := &http.Client{
+			Transport: &http.Transport{},
+			Timeout:   10 * time.Second,
+		}
+		resp, err := cli.Get("http://agent-metrics.signadot.svc:9090/metrics")
+		if err != nil {
+			mon.log.Error("unable to reach agent-metrics, restarting services", "error", err)
+			restartSvcs = true
+		} else {
+			resp.Body.Close()
+		}
+	}
+	if !restartSvcs {
+		mon.starting = false
+		return true
+	}
 
-	if restartSvcs {
-		// Restart localnet
-		mon.root.stopLocalnetService()
-		mon.root.runLocalnetService(ctx, mon.tpLocalAddr, mon.ipMap)
+	// Restart localnet
+	mon.root.stopLocalnetService()
+	mon.root.runLocalnetService(ctx, mon.tpLocalAddr, mon.ipMap)
 
-		// Restart etc hosts
-		mon.root.stopEtcHostsService()
-		mon.root.runEtcHostsService(ctx, mon.tpLocalAddr, mon.ipMap)
-	}
-	mon.starting = false
-	return true
+	// Restart etc hosts
+	mon.root.stopEtcHostsService()
+	mon.root.runEtcHostsService(ctx, mon.tpLocalAddr, mon.ipMap)
+	return false
 }
diff --git a/internal/locald/sandboxmanager/sdk.go b/internal/locald/sandboxmanager/sdk.go
index 2530386..ac37cfa 100644
--- a/internal/locald/sandboxmanager/sdk.go
+++ b/internal/locald/sandboxmanager/sdk.go
@@ -17,7 +17,7 @@ import (
 
 var (
 	ErrSandboxManagerUnavailable = errors.New(
-		"sandboxmanager is not running, start it with \"signadot local connect\"")
+		`sandboxmanager is not running, start it with "signadot local connect"`)
 )
 
 func GetStatus() (*sbmapi.StatusResponse, error) {