When you are activating a Storage Gateway, you may run into errors such as "site cannot be reached" and others. In this post, I discuss the common activation errors and how to troubleshoot them.
During activation of a new gateway, one error you may see after providing the gateway IP address in the activation wizard is "site cannot be reached, connection timed out".
If you are using an EC2 instance as the gateway VM, check the instance's security group and allow TCP port 80 inbound from your workstation's IP address only (a /32 rule, not 0.0.0.0/0: the activation page is served over plain HTTP, so keep the exposure narrow). After you modify the security group rule, re-run the TCP connectivity test from your workstation; it should now succeed (PowerShell's Test-NetConnection, for example, reports TcpTestSucceeded : True once the port is reachable). If you cannot change the security group rules, you can instead obtain the activation key from the VM's local console (option 0: Get Activation Key) and activate with that key.
If you are activating through VPC endpoints, ensure that the VPC endpoint's security group allows TCP ports 1026, 1027, 1028, 1031 and 2222 inbound from the gateway VM/EC2 instance. You can run network connectivity checks from the VM's local console to the VPC endpoint to verify connectivity.
Your gateway VM must be able to reach the Storage Gateway endpoints. The DNS servers configured on the VM must resolve the Storage Gateway endpoint names, and the VM must be able to connect to the resolved addresses. You can verify this from the VM's local console with Test Network Connectivity, providing the requested details.
Internal Error – Firewall Issues :
If a firewall on your network performs HTTPS inspection on requests to the AWS Storage Gateway endpoints, activation can fail with Internal Error. After you connect to the gateway on port 80, or when you request the activation key through the local console option 0: Get Activation Key, the gateway VM connects to the Storage Gateway endpoints to obtain the key and associate it with your VM. When a firewall intercepts that TLS connection, the gateway is presented with a certificate that was not issued by Amazon, rejects it, and you get Internal Error or a related message. You can verify this from the VM/EC2 local console Command Prompt using the sslcheck option.
sslcheck reports the Certificate Authority that issued the certificate presented by the endpoint; you should see Amazon. If you see your firewall vendor or your organization's own CA instead, the connection is being intercepted: exclude the Storage Gateway endpoints from HTTPS inspection and allow them through the firewall.
If the gateway VM's clock is skewed, the TLS handshake for the activation request fails, because the certificate's validity period is checked against the local clock. Make sure the NTP configuration on the gateway VM points to correct NTP sources. For gateway VMs hosted on VMware, it is recommended to sync the guest VM's time with the host, and to make sure the host itself uses correct NTP sources. Use only one time source: either VMware Tools periodic clock synchronization or NTP servers configured through the gateway's local console, not both, since two sources can pull the clock in different directions. VMware Tools with periodic clock synchronization has the advantage of keeping the guest continuously aligned with the host.
To verify DNS resolution, use the dig command from the local console Command Prompt to resolve the Storage Gateway endpoint names; each name should return at least one address.
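The two Internal Error causes above (an intercepting firewall and a skewed clock) can both be recognised from the certificate the endpoint presents. The following is an added example, not code from this post or from AWS: it reproduces what sslcheck reports (the issuing CA) and additionally compares the certificate's validity window against the local clock. The endpoint name in DEFAULT_HOST and the two certificate dicts are constructed examples, so the diagnosis runs offline; fetch_cert needs network access.

```python
"""Check a Storage Gateway endpoint's certificate the way the local console's
sslcheck does, and diagnose the two failure modes: HTTPS inspection (issuer is
not Amazon) and clock skew (certificate outside its validity window as seen
by this host's clock). Added example, not AWS or Storage Gateway code.
DEFAULT_HOST and the sample certificate dicts are constructed examples.
"""
import socket
import ssl
import time

# Assumed example endpoint name; use the endpoint for your own region.
DEFAULT_HOST = "storagegateway.us-west-2.amazonaws.com"

# Constructed getpeercert()-style dicts for offline demonstration.
GENUINE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Amazon"),),
               (("commonName", "Amazon RSA 2048 M02"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}
INTERCEPTED_CERT = dict(GENUINE_CERT, issuer=(
    (("organizationName", "ExampleCorp Firewall CA"),),
    (("commonName", "ExampleCorp TLS Inspection"),)))


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def diagnose_cert(cert, now=None):
    """Return a list of findings; an empty list means the certificate was
    issued by Amazon and is valid at `now` (default: this host's clock)."""
    now = time.time() if now is None else now
    findings = []
    org = issuer_org(cert)
    if org is None or "amazon" not in org.lower():
        findings.append("issuer is %r, not Amazon: HTTPS inspection suspected" % org)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid here: clock skew suspected (clock behind)")
    elif now > not_after:
        findings.append("certificate expired here: clock skew suspected (clock ahead)")
    return findings


def fetch_cert(host=DEFAULT_HOST, port=443, timeout=5.0):
    """Connect with the OS trust store and return the peer certificate dict.
    Needs network access. A raised ssl.SSLCertVerificationError is itself a
    finding: an inspecting proxy whose CA is not trusted on this host, or a
    clock so far off that chain validation fails before we can inspect it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo on the constructed samples at a time inside the window.
    mid_2024 = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")
    print("genuine:", diagnose_cert(GENUINE_CERT, mid_2024) or "OK")
    print("intercepted:", diagnose_cert(INTERCEPTED_CERT, mid_2024))
    print("clock behind:", diagnose_cert(GENUINE_CERT, mid_2024 - 365 * 86400))
```

When run against a live endpoint, pass the result of fetch_cert() to diagnose_cert(); an issuer other than Amazon is the same signal sslcheck gives you, and a validity-window finding on a certificate that is obviously current points at the VM clock rather than at the endpoint.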
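The checks described above for the EC2 security group (port 80 from the workstation), the VPC endpoint ports, the Test Network Connectivity console option and the dig lookup all reduce to the same two steps: resolve the name with the VM's configured DNS, then attempt a TCP connect on each required port. The script below is an added example, not part of this post or of AWS Storage Gateway; the port lists are taken from the post, the endpoint names are assumed placeholders, and demo_localhost() exercises the logic on a local listener so it runs with no network at all.

```python
"""Resolve-then-connect reachability checks for Storage Gateway activation.
Added example, not AWS code. Port numbers come from the post; the endpoint
names below are placeholders you replace with your own gateway IP and
Storage Gateway / VPC endpoint names.
"""
import socket

# Workstation -> gateway VM (activation page) and gateway VM -> VPC endpoint.
WORKSTATION_TO_GATEWAY_PORTS = [80]
GATEWAY_TO_VPC_ENDPOINT_PORTS = [1026, 1027, 1028, 1031, 2222]


def resolve(host):
    """Return the distinct addresses `host` resolves to, or [] on failure.
    Uses the same resolver configuration as the rest of the system, so a
    result of [] here means the VM's DNS servers cannot resolve the name."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout`.
    A security group or firewall that drops traffic shows up as a timeout;
    a refused connection means the packet arrived but nothing is listening,
    which points at the service rather than the network path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(host, ports, timeout=3.0):
    """Return {"addresses": [...], "ports": {port: reachable}} for one name."""
    return {
        "addresses": resolve(host),
        "ports": {p: tcp_reachable(host, p, timeout) for p in ports},
    }


def report(host, ports, timeout=3.0):
    """Print a human-readable summary and return the check_endpoint result."""
    result = check_endpoint(host, ports, timeout)
    if not result["addresses"]:
        print("%s: DNS resolution failed; check the VM's DNS servers" % host)
    else:
        print("%s resolves to %s" % (host, ", ".join(result["addresses"])))
    for port, ok in result["ports"].items():
        print("  tcp/%d %s" % (port, "open" if ok else "blocked or closed"))
    return result


def demo_localhost():
    """Offline self-check: an open local port reports True, and the same port
    reports False once the listener is closed (connection refused)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2.0)
    srv.close()
    while_closed = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return while_open, while_closed


if __name__ == "__main__":
    print("local self-check (open, closed):", demo_localhost())
    # Placeholders: replace with your gateway IP / endpoint names.
    report("192.0.2.10", WORKSTATION_TO_GATEWAY_PORTS)            # from the workstation
    report("vpce-example.storagegateway.us-west-2.vpce.amazonaws.com",
           GATEWAY_TO_VPC_ENDPOINT_PORTS)                         # from the gateway VM
```

Run the first report from the workstation that loads the activation page and the second from the gateway VM itself; a name that resolves but whose ports all time out is a security group or firewall problem, while a name that does not resolve is a DNS problem on the VM.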
IAM Permissions :
You may also run into activation errors when the IAM user (or role) you are using to activate the gateway does not have sufficient permissions. In the example below, the IAM user's policy lacks the required permission:
aws --region us-west-2 storagegateway activate-gateway --activation-key ABCDE-123AB-ABDEC-CRT23-ABCD1 --gateway-type FILE_S3 --gateway-name file_gateway5 --gateway-timezone GMT-5:00 --gateway-region us-west-2 --profile
An error occurred (AccessDeniedException) when calling the ActivateGateway operation: User: arn:aws:iam::111122223333:user/user1 is not authorized to perform: storagegateway:ActivateGateway on resource: arn:aws:storagegateway:us-west-2:111122223333:* because no identity-based policy allows the storagegateway:ActivateGateway action
Ensure that the IAM identity you activate with is allowed storagegateway:ActivateGateway. The quick fix is to attach the AWSStorageGatewayFullAccess AWS managed policy to the IAM user, but that grants every Storage Gateway action; for a production account, prefer a customer managed policy that allows only the actions your activation workflow actually needs.
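The AccessDeniedException message above already names the principal, the action and the resource that were denied, which is exactly what a least-privilege policy statement needs. The following is an added example, not an AWS tool: it parses the standard IAM "is not authorized to perform" message and emits an identity policy allowing only the denied action on the denied resource, so you can grant ActivateGateway without reaching for the full-access managed policy. SAMPLE_MESSAGE is the post's own error line; the regex and the explicit-deny check are the example's assumptions about the message format.

```python
"""Turn IAM AccessDeniedException messages into a least-privilege policy.
Added example, not AWS tooling. The parser assumes the standard message
shape "User: <arn> is not authorized to perform: <action> on resource:
<arn> because <reason>"; messages in another shape return None.
"""
import json
import re

# The error line from the post (example account id 111122223333).
SAMPLE_MESSAGE = (
    "An error occurred (AccessDeniedException) when calling the ActivateGateway "
    "operation: User: arn:aws:iam::111122223333:user/user1 is not authorized to "
    "perform: storagegateway:ActivateGateway on resource: "
    "arn:aws:storagegateway:us-west-2:111122223333:* because no identity-based "
    "policy allows the storagegateway:ActivateGateway action"
)

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+) because "
    r"(?P<reason>.+)$"
)


def parse_access_denied(message):
    """Return {principal, action, resource, reason} or None if not an IAM denial."""
    m = DENIED_RE.search(message.strip())
    return m.groupdict() if m else None


def explicit_deny(denial):
    """True when the reason cites an explicit Deny (identity policy, SCP,
    permissions boundary). Adding an Allow will not fix those; the Deny has
    to be found and removed instead."""
    return "explicit deny" in denial["reason"].lower()


def policy_for(denials):
    """Build one identity policy allowing exactly the denied actions, grouped
    by resource ARN, skipping denials that an Allow cannot fix."""
    by_resource = {}
    for d in denials:
        if explicit_deny(d):
            continue
        by_resource.setdefault(d["resource"], set()).add(d["action"])
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    denial = parse_access_denied(SAMPLE_MESSAGE)
    print("denied principal:", denial["principal"])
    print(json.dumps(policy_for([denial]), indent=2))
```

Collect every AccessDenied message from a dry run of your activation procedure, feed the parsed list to policy_for(), and you get the minimal statement set for that workflow. Check the result against the Storage Gateway documentation for actions that the service calls on your behalf, since those do not surface as separate denials until the first one is fixed.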