Troubleshooting

Where are the service logs?

Examine this log file:

  • On Security Management Server:

    $FWDIR/log/autoprovision.elg

  • On Multi-Domain Server:

    $MDS_FWDIR/log/autoprovision.elg

You do not need to enable any additional debugging to view the full log.

Management Server does not recognize the autoprov_cfg command.

The latest add-on package is not installed on your Management Server.

Download and install the latest version. See sk130372.

The service cme test command fails with this error:

Exception: 'Your management version does not support "get-interfaces"'

Your Security Management Server is not supported.

The Transit service can only run on a Check Point Security Management Server on AWS versions 317 or higher.

Install a supported version.

The service cme test command fails with this error:

Exception: Unauthorized Operation: You are not authorized to perform this operation.

The Security Management Server IAM role is not set with read/write permissions, or trust between a spoke account and a management account is not configured properly.

See the issue below "What permissions are required for the Security Management Server IAM role?" for an example of IAM role permissions required for the Security Management Server.

Transit Gateway is not provisioned (it does not show in SmartConsole).

  • In the AWS Console, check that the Transit Gateway has these tags:

    Tag key:

    x-chkp-tags+

    Tag value:

    management=<name>+template=<name>+ip-address=<public|private>

    Check that the value of the tag is configured properly. If not, change or add it accordingly.

  • Confirm that the management and template names are the same as those you configured with the autoprov_cfg utility.
  • Confirm that ip-address is set to one of the two allowed values, "public" or "private".
  • Confirm that the management instance can reach the public or private IP address of the Transit Gateway. If not, configure the applicable route.
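As an added example (not part of this guide), the following Python check applies the tag checks above to the EC2 tags of a Transit Gateway. The configured names and the tag dictionaries are constructed values, and "+" is taken as the separator exactly as the tag value above shows it.

```python
# Names configured with autoprov_cfg (constructed values for this example).
CONFIGURED_MANAGEMENT = "aws-mgmt"
CONFIGURED_TEMPLATES = {"tgw-template"}
ALLOWED_IP_ADDRESS = {"public", "private"}
REQUIRED_KEYS = ("management", "template", "ip-address")


def parse_chkp_tags(value, sep="+"):
    """Split 'management=<name>+template=<name>+ip-address=<public|private>'
    into a dict. Every part must be key=value; duplicate keys are an error."""
    parsed = {}
    for part in value.split(sep):
        if "=" not in part:
            raise ValueError(f"malformed part (no '='): {part!r}")
        key, _, val = part.partition("=")
        key, val = key.strip(), val.strip()
        if key in parsed:
            raise ValueError(f"duplicate key: {key}")
        parsed[key] = val
    return parsed


def check_chkp_tags(tags):
    """Return the list of problems found in the tag dict of a Transit Gateway,
    mirroring the manual checks: tag present and well formed, management and
    template names match autoprov_cfg, ip-address is public or private.
    An empty list means the tags look correct."""
    value = tags.get("x-chkp-tags")
    if value is None:
        return ["x-chkp-tags tag is missing"]
    try:
        parsed = parse_chkp_tags(value)
    except ValueError as exc:
        return [f"x-chkp-tags is malformed: {exc}"]
    problems = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in parsed]
    if "management" in parsed and parsed["management"] != CONFIGURED_MANAGEMENT:
        problems.append(f"management {parsed['management']!r} does not match "
                        f"the autoprov_cfg name {CONFIGURED_MANAGEMENT!r}")
    if "template" in parsed and parsed["template"] not in CONFIGURED_TEMPLATES:
        problems.append(f"template {parsed['template']!r} is not defined with autoprov_cfg")
    if "ip-address" in parsed and parsed["ip-address"] not in ALLOWED_IP_ADDRESS:
        problems.append(f"ip-address must be public or private, got {parsed['ip-address']!r}")
    return problems


# Constructed tag sets: one correct, one with an invalid ip-address value.
GOOD_TAGS = {"x-chkp-tags": "management=aws-mgmt+template=tgw-template+ip-address=private"}
BAD_TAGS = {"x-chkp-tags": "management=aws-mgmt+template=tgw-template+ip-address=elastic"}
```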

Connection to the Transit Gateway is lost after the restrictive policy is installed for the first time, and the policy cannot be installed again on the Transit Gateway.

The Transit Gateway is configured to connect to the Security Management Server with the public IP address (the elastic IP address), but the Security Management Server in SmartConsole is configured with the private IP address.

  1. Edit the Security Management Server object in SmartConsole and change the IP address to the public IP address.

    Note - This change requires you to reissue the licenses for the new IP address.

  2. Delete the gateway instance. It cannot be recovered at this point.
  3. Deploy Transit Gateways with the CloudFormation template again.

The autoprovision.elg file shows this error:

Exception: There is already a VPN connection with different option value.

There are manually created VPN connections in the region of the spoke VPC.

See Ignore Manually Created VPN Connections.

The autoprovision.elg file shows this error:

Exception: Ambiguous gateway by address <IP address> for <Name of Interoperable Object>

The Transit Gateway is set as the Center Gateway in more than one VPN Community defined for the Controller.

Remove the Transit Gateway from all other VPN communities.

There is no spoke-to-spoke communication for some traffic, although ICMP pings between the spokes can pass.

  • Confirm the Security Policy is not blocking the traffic.
  • On the gateway, run:

    cat $PPKDIR/boot/modules/simkern.conf

    Confirm the file exists and contains this line:

    sim_ipsec_dont_fragment=0

  • If there is still no traffic between the spokes, lower the MTU on the interfaces of the hosts deployed in the spoke VPCs to a value below 1500.

What permissions are required for the Security Management Server IAM role?

The JSON policy below is an example of the permissions for the Security Management Server IAM role. Its first statement references the ARN of the role in a spoke account.

Change the account ID and role name to reflect those in your environment:

arn:aws:iam::<123456789012>:role/<RoleNameOne>

Example of a JSON policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::123456789012:role/RoleNameOne"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ec2:DescribeVpnGateways",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeSecurityGroups",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTags",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeRules",
            "elasticloadbalancing:DescribeTargetHealth",
            "autoscaling:DescribeAutoScalingGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeCustomerGateways",
            "ec2:CreateCustomerGateway",
            "ec2:DeleteCustomerGateway",
            "ec2:DescribeRouteTables",
            "ec2:EnableVgwRoutePropagation",
            "ec2:DisableVgwRoutePropagation",
            "ec2:DescribeVpnGateways",
            "ec2:CreateVpnGateway",
            "ec2:AttachVpnGateway",
            "ec2:DetachVpnGateway",
            "ec2:DeleteVpnGateway",
            "ec2:DescribeVpnConnections",
            "ec2:CreateVpnConnection",
            "ec2:DeleteVpnConnection"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack"
          ],
          "Resource": "arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*",
          "Effect": "Allow"
        }
      ]
    }
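As an added example (not part of this guide), the following Python review of a policy in the shape shown above flags malformed statements, wildcard actions and an sts:AssumeRole grant that is not restricted to spoke role ARNs, and lists the non-Describe actions granted on Resource "*" so they can be reviewed for least privilege. The embedded policy is a constructed, shortened copy with placeholder account ID and role name.

```python
import json
import re

# A role ARN: 12-digit account id and a role name with the characters IAM allows.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")

# Constructed, shortened policy in the shape of the example above
# (placeholder account id and role name).
SAMPLE_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::123456789012:role/RoleNameOne"],
     "Effect": "Allow"},
    {"Action": ["ec2:DescribeVpnConnections", "ec2:CreateVpnConnection"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["cloudformation:CreateStack"],
     "Resource": "arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*",
     "Effect": "Allow"}
  ]
}''')


def _as_list(value):
    # IAM accepts both a single string and a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (problems, broad_writes). problems are hard errors in the policy;
    broad_writes are the non-Describe actions allowed on Resource "*",
    listed for a least-privilege review rather than rejected."""
    problems, broad_writes = [], []
    for i, stmt in enumerate(policy.get("Statement", [])):
        missing = [k for k in ("Action", "Resource", "Effect") if k not in stmt]
        if missing:
            problems.append(f"statement {i}: missing {missing}")
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if stmt["Effect"] != "Allow":
            problems.append(f"statement {i}: unexpected Effect {stmt['Effect']!r}")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"statement {i}: wildcard action {action}")
            elif action == "sts:AssumeRole":
                bad = [r for r in resources if not ROLE_ARN.match(r)]
                if bad:
                    problems.append(f"statement {i}: sts:AssumeRole must name spoke role ARNs, got {bad}")
            elif "*" in resources and not action.split(":", 1)[1].startswith("Describe"):
                broad_writes.append(action)
    return problems, broad_writes
```

Note that json.loads rejects a trailing comma inside a list, so loading the policy with it is also a quick syntax check before the policy is attached to the role.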

How do I add a Corporate Gateway as an Externally Managed VPN Gateway, to allow a secure VPN connection between the on-premises network and the Transit Hub?

See sk120534.

How do I configure Remote Access VPN through a Corporate Gateway to a Spoke VPC?

See sk120534.

Transit Gateways are not added to the Management Server.

Check tags in the Transit Gateway and Transit Gateway Route Tables as described in the section Deploying Security Transit Gateway Auto Scaling Group.

I used the Transit Gateway First Time Configuration Wizard, but the resulting configuration is not correct.

You have these options:

The autoprov_cfg command for configuring the template on the Management Server fails.

Before you define a VPN community for the template, it must be defined on the AWS Controller.