Jenkins LTS 2.176.3 incorporated commit ace596, which factors the Session ID into the computation of CSRF crumbs; since a new Session ID is generated if none is provided, previously issued crumbs are rendered useless in the absence of a reusable Session ID. This currently prevents Swarm clients from connecting to Jenkins masters secured with the DefaultCrumbIssuer, since the generated crumb is immediately rendered useless.

I think a fix would involve the Swarm plugin using a persistent session ID on the client-side. I labeled this issue as "minor", because an easy workaround exists (setting hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true on the Jenkins master). It should be noted, however, that this reduces the efficacy of the fixes to SECURITY-626 and SECURITY-1491.