
Troubleshooting

In This Section:

Issues and Solutions

Examples of autoprov-cfg Configuration

Issues and Solutions

Issue / Solution

Where are the service logs?

Find the logs at $FWDIR/log/autoprovision.elg
You do not need to enable any additional debugging to view the full log.

Security Management Server does not recognize autoprov-cfg

The latest add-on package is not installed on your Security Management Server. Download and install the latest version. See sk130372.

service autoprovision test fails with this error:
Exception: 'Your management version does not support "get-interfaces"'

Your Security Management Server is not supported. The Transit service can only run on AWS Management Server versions 317 or higher. Install a supported version.

service autoprovision test fails with this error:
Exception: Unauthorized Operation: You are not authorized to perform this operation.

The Management Server IAM role is not set with read/write permissions, or trust between a spoke account and a management account is not configured properly.
See below "What permissions are required for the Security Management IAM role?" for an example of IAM role permissions required for the Security Management Server.

Transit Gateway is not provisioned (has not been added to SmartConsole).

  • In the AWS Console, check that the Transit Security Gateway has these tags:
    Key: x-chkp-tags+
    Value: management=<name>+template=<name>+ip-address=<public|private>

    Check that the value of the tag is configured properly. If not, change or add it accordingly.

  • Confirm that the names of the management and template are the same that you configured with the autoprov-cfg utility.
  • Confirm that the ip-address value is set to either "public" or "private".
  • Confirm that the management instance can reach the public or private IP address of the Transit Gateway. If not, configure the route table to allow access.
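As an added check (not part of the original page), this Python helper parses the x-chkp-tags value using the "+" separator shown above and compares the management and template names with the -mn and -tn values given to autoprov-cfg; the sample tag values are constructed.

```python
from typing import Dict, List

REQUIRED_KEYS = ("management", "template", "ip-address")
VALID_IP_MODES = ("public", "private")


def parse_chkp_tags(value: str) -> Dict[str, str]:
    """Split 'key=value+key=value' (the separator used in the tag format above) into a dict."""
    tags: Dict[str, str] = {}
    for part in value.split("+"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed element in x-chkp-tags: {part!r}")
        key, _, val = part.partition("=")
        tags[key.strip()] = val.strip()
    return tags


def check_chkp_tags(value: str, mgmt_name: str, template_name: str) -> List[str]:
    """Return the problems found; an empty list means the tag matches the autoprov-cfg names."""
    try:
        tags = parse_chkp_tags(value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in tags]
    # Names must equal the -mn and -tn values given to 'autoprov-cfg init'.
    if "management" in tags and tags["management"] != mgmt_name:
        problems.append(f"management {tags['management']!r} != configured {mgmt_name!r}")
    if "template" in tags and tags["template"] != template_name:
        problems.append(f"template {tags['template']!r} != configured {template_name!r}")
    ip_mode = tags.get("ip-address")
    if ip_mode is not None and ip_mode not in VALID_IP_MODES:
        problems.append(f"ip-address must be public or private, got {ip_mode!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample tag values, not from a real deployment.
    good = "management=my-mgmt+template=my-template+ip-address=public"
    bad = "management=my-mgmt+template=other-template+ip-address=elastic"
    print(check_chkp_tags(good, "my-mgmt", "my-template"))  # []
    print(check_chkp_tags(bad, "my-mgmt", "my-template"))
```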

Connection to the Transit Gateway is lost after the restrictive policy is installed for the first time, and the policy cannot be installed again on the gateway.

The Transit Security Gateway is configured to connect to the Security Management Server with the public IP address (the elastic IP address), but the management object in SmartConsole is configured with the private IP address.

  1. Edit the security management object in SmartConsole and change the IP address to the public IP address.
  2. Delete the gateway instance. It cannot be recovered at this point.
  3. Redeploy Transit Security Gateways with the CloudFormation template.

autoprovision.elg shows this error:
Exception: There is already a VPN connection with different option value.

The error is caused by manually created VPN connections in the region of the spoke VPC. See Ignore Manually Created VPN Connections.

autoprovision.elg shows this error:
Exception: Ambiguous gateway by address <IP address> for <interoperable object name>

The Transit Security Gateway is set as the center on more than one VPN community defined for the Controller. Remove the Transit Security Gateway from all other VPN communities.

There is no spoke-to-spoke communication for some traffic, although ICMP between spokes passes.

  • Confirm the Security Policy is not blocking the traffic.
  • On the gateway, run:
    cat $PPKDIR/boot/modules/simkern.conf

    Confirm the file exists and contains the line:
    sim_ipsec_dont_fragment=0

  • If there is still no traffic between spokes, lower the MTU on the interfaces of hosts deployed in the spoke VPCs, to be under 1500.

What permissions are required for the Security Management IAM role?

The JSON policy below is an example of the permissions for the Security Management IAM role. Its first statement lets the role assume a spoke account role; replace the account ID and role name in that ARN with the values from your environment: arn:aws:iam::<123456789012>:role/<RoleNameOne>

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/RoleNameOne"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeSecurityGroups",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth",
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeCustomerGateways",
        "ec2:CreateCustomerGateway",
        "ec2:DeleteCustomerGateway",
        "ec2:DescribeRouteTables",
        "ec2:EnableVgwRoutePropagation",
        "ec2:DisableVgwRoutePropagation",
        "ec2:DescribeVpnGateways",
        "ec2:CreateVpnGateway",
        "ec2:AttachVpnGateway",
        "ec2:DetachVpnGateway",
        "ec2:DeleteVpnGateway",
        "ec2:DescribeVpnConnections",
        "ec2:CreateVpnConnection",
        "ec2:DeleteVpnConnection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*",
      "Effect": "Allow"
    }
  ]
}
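As an added example (not the page's own tooling), the Python below loads a policy document, reports required actions that no Allow statement grants (a cause of the "Unauthorized Operation" failure above) and flags sts:AssumeRole granted on "*" instead of named role ARNs; REQUIRED_ACTIONS is a subset of the list above and SAMPLE_POLICY is a constructed policy that deliberately lacks several actions.

```python
import json
from typing import Any, Dict, List, Optional, Set

# Subset of the actions from the example policy above; extend to the full list as needed.
REQUIRED_ACTIONS: Set[str] = {
    "sts:AssumeRole", "ec2:DescribeInstances", "ec2:DescribeVpnConnections",
    "ec2:CreateVpnConnection", "ec2:DeleteVpnConnection",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
}

# Constructed sample policy (not a real account): deliberately lacks several actions.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::123456789012:role/RoleNameOne"]},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVpnConnections"],
     "Resource": "*"}
  ]
}"""


def load_policy(text: str) -> Optional[Dict[str, Any]]:
    """Parse policy JSON; None means AWS would reject it too (e.g. a trailing comma in a list)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string/object or a list in Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy: Dict[str, Any]) -> Set[str]:
    """Collect every action granted by an Allow statement."""
    actions: Set[str] = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def missing_actions(policy: Dict[str, Any]) -> Set[str]:
    """Required actions the policy does not grant."""
    return REQUIRED_ACTIONS - allowed_actions(policy)


def unscoped_assume_role(policy: Dict[str, Any]) -> bool:
    """True if sts:AssumeRole is granted on '*' rather than on named spoke/transit role ARNs."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            if "*" in _as_list(stmt.get("Resource", [])):
                return True
    return False
```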


How do I add a corporate gateway, as an externally managed VPN gateway, to allow a secured VPN connection between the on-premises and the Transit Hub?

See sk120534.

How do I configure Remote Access VPN via a corporate gateway to a spoke VPC?

See sk120534.

Examples of autoprov-cfg Configuration

Learn how to use the autoprov-cfg CLI tool to configure different deployment scenarios. Replace the placeholder values (names, ARNs, region, password and keys) with the values from your environment.

Example 1

Management, Transit, and spoke VPCs are all on the same account.

autoprov-cfg init AWS -mn my-mgmt -tn my-template -otp vpn12345 -ver R80.10 -po Standard -cn my-controller -r us-east-1 -iam
autoprov-cfg set controller AWS -cn my-controller -sg -sv -com my-vpn-community
autoprov-cfg set template -tn my-template -vpn -vd "" -con my-vpn-community

Example 2

Management and Transit are on the same account, but the spoke VPC is on a different account.

autoprov-cfg init AWS -mn my-mgmt -tn my-template -otp vpn12345 -ver R80.10 -po Standard -cn my-controller -r us-east-1 -iam
autoprov-cfg set controller AWS -cn my-controller -sg -sv -com my-vpn-community -sn my-account -ssr arn:aws:iam::123456789012:role/SpokeAccountRole
autoprov-cfg set template -tn my-template -vpn -vd "" -con my-vpn-community

Example 3

Management, Transit, and spoke VPC are each on their own account. Trust between the management and transit accounts is established with STS roles.

autoprov-cfg init AWS -mn my-mgmt -tn my-template -otp vpn12345 -ver R80.10 -po Standard -cn my-controller -r us-east-1 -iam
autoprov-cfg set controller AWS -cn my-controller -sg -sv -com my-vpn-community -sr arn:aws:iam::210987654321:role/TransitAccountRole -sn my-account -ssr arn:aws:iam::123456789012:role/SpokeNameOne
autoprov-cfg set template -tn my-template

Example 4

Management, Transit, and spoke VPCs are each on their own account. A user with programmatic access is set on the transit account.

autoprov-cfg init AWS -mn my-mgmt -tn my-template -otp vpn12345 -ver R80.10 -po Standard -cn my-controller -r us-east-1 -ak AKIKBJKKGPVSLTTVCGFU -sk m97031r93aa7x6plnkdum97031r93aa7x6plnkdu
autoprov-cfg set controller AWS -cn my-controller -sg -sv -com my-vpn-community -sn my-account -ssr arn:aws:iam::123456789012:role/SpokeNameOne
autoprov-cfg set template -tn my-template -vpn -vd "" -con my-vpn-community