When deploying the VM-Series Auto Scaling CFT, if the template stack is unable to provision the resources specified in the template, the process automatically rolls back and deletes the resources that were successfully created. Because an initial error can trigger a cascade of additional errors, you need to review the logs to locate the first failure event.
Deployment Issues
Error: Inadequate number of Elastic IP addresses (EIPs)
AWS Lambda requires an EIP address to successfully launch the firewall. To find the error:
On the AWS Management Console, select CloudFormation.
In the Stack list, select the name of the CFT that failed to deploy and view the list of Events.
Look through the failure events for "maximum number of addresses has been reached".
Error: Stack name is longer than 10 characters
The CFT deployment fails if the stack name is longer than 10 characters. To find the error:
On the AWS Management Console, select CloudWatch > Logs.
In the Log Groups list, select the Log Stream for the CFT that failed to deploy.
Filter for ERROR events and look for "stack name more than 10 characters long".
Error: Unable to log in to the firewall
The reasons you cannot log in to the firewall can be:
The firewall is not configured properly because the bootstrap process failed.
You chose the NAT gateway option to conserve the use of EIP addresses, so the firewall does not have a publicly accessible IP address. If you are not using Panorama to manage the firewall, to access the CLI or web interface on the firewall at the private IP address assigned by AWS, you must deploy a bastion host or jump server on the same subnet as the firewall and assign a public IP address to the jump server. Then log in to the jump server and connect to the firewall.
You edited the bootstrap.xml file and the NAT policy is missing or incorrect.
To troubleshoot, first check that the template references the correct S3 bucket with the bootstrap files:
On the EC2 Dashboard, select Instances.
Select the firewall instance, and click Actions > View/Change User Data.
Verify the name of the S3 bucket that contains the bootstrap files.
Verify that you created the S3 bucket at the root level, directly under All Buckets. If you nest the S3 bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files. See Prepare the Amazon Simple Storage (S3) buckets for launching the CFT.
Verify that the S3 bucket is in the same region in which you are deploying the CFT.
Next, check whether the internet-facing ELB is in service. If bootstrapping fails, the VM-Series firewall for load balancing traffic will be out of service:
Select EC2 > Load Balancers.
Select the internet-facing (or external) classic ELB to verify that the VM-Series firewall instances are in service. The following screenshot shows that the VM-Series firewalls are not in service.
If the VM-Series firewalls are in service, check that the NAT policy was successfully committed. If you edited the bootstrap.xml file and deleted or modified the NAT policy rules, the firewall may have a misconfiguration that prevents traffic from being properly routed to the firewall.
Error: AWS Lambda is not supported in the region in which you are deploying the CFT
To find the error:
On the AWS Management Console, select CloudFormation.
In the Stack list, select the name of the CFT that failed to deploy and view the list of Events.
The error reads "Resource is not supported in this region".
Error: Failure to successfully create a resource, with a message such as: Embedded stack arn:aws:cloudformation:<AWS region>:290198859335:stack/<name of your stack> was not successfully created: The following resource(s) failed to create:[ResourceName].
To find the errors:
On the AWS Management Console, select CloudWatch.
Click Logs and then select the Lambda function on the right. You’ll see one or more log streams.
Search for [ERROR] and [CRITICAL]. The following example shows that the ELB specified was not found:
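The introduction says to find the first failure event rather than the rollback cascade, and the step above says to search the Lambda log stream for [ERROR] and [CRITICAL]. The following script is an added example, not part of the Palo Alto Networks documentation or the CFT itself: it works on the event dictionaries that CloudFormation's DescribeStackEvents returns (boto3 `describe_stack_events`) and on raw Lambda log lines. The sample events and log lines are constructed; the `KNOWN_REASONS` table only contains the error strings quoted on this page.

```python
"""Triage helpers for a failed VM-Series Auto Scaling CFT deployment.

Added example, not part of the Palo Alto Networks documentation or the CFT.
All sample data below is constructed for illustration.
"""
from datetime import datetime, timezone

# Error strings quoted in the troubleshooting guide (lower-cased for matching),
# mapped to the cause the guide gives for each of them.
KNOWN_REASONS = {
    "maximum number of addresses has been reached": "EIP quota exhausted",
    "resource is not supported in this region": "AWS Lambda is not supported in this region",
    "stack name more than 10 characters long": "stack name longer than 10 characters",
    "was not successfully created": "embedded stack failed; search its Lambda log stream for [ERROR] and [CRITICAL]",
}


def first_failure(events):
    """Return the earliest *_FAILED event, or None if nothing failed.

    A rollback produces many later failures such as "Resource creation
    cancelled", so the root cause is the failed event with the earliest
    Timestamp, not the one CloudFormation lists first (it lists newest first).
    """
    failed = [e for e in events if e.get("ResourceStatus", "").endswith("_FAILED")]
    if not failed:
        return None
    return min(failed, key=lambda e: e["Timestamp"])


def classify(reason):
    """Map a ResourceStatusReason to a cause from the guide, if it matches one."""
    text = (reason or "").lower()
    for needle, cause in KNOWN_REASONS.items():
        if needle in text:
            return cause
    return "unrecognized; read the full ResourceStatusReason"


def triage(events):
    """Return (logical_id, reason, cause) for the root failure, or None."""
    ev = first_failure(events)
    if ev is None:
        return None
    reason = ev.get("ResourceStatusReason", "")
    return ev["LogicalResourceId"], reason, classify(reason)


def lambda_log_errors(lines):
    """Keep only the [ERROR] and [CRITICAL] lines from a Lambda log stream."""
    return [ln for ln in lines if "[ERROR]" in ln or "[CRITICAL]" in ln]


def fetch_stack_events(stack_name, region):
    """Live variant: page through every event of a stack (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    cfn = boto3.client("cloudformation", region_name=region)
    events = []
    for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_name):
        events.extend(page["StackEvents"])
    return events


def _at(second):
    """Constructed timestamps a few seconds apart on one sample day."""
    return datetime(2024, 1, 1, 10, 0, second, tzinfo=timezone.utc)


# Constructed sample: the cascade failure (FirewallASG) is listed before the
# real one (LambdaEIP), exactly as the console and the API order them.
SAMPLE_EVENTS = [
    {"Timestamp": _at(30), "LogicalResourceId": "FirewallASG",
     "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": _at(5), "LogicalResourceId": "LambdaEIP",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "The maximum number of addresses has been reached."},
    {"Timestamp": _at(1), "LogicalResourceId": "VPC", "ResourceStatus": "CREATE_COMPLETE"},
]

# Constructed sample Lambda log lines (format loosely follows CloudWatch output).
SAMPLE_LOG = [
    "[INFO]\t2024-01-01T10:00:06Z\tlooking up internet-facing ELB",
    "[ERROR]\t2024-01-01T10:00:07Z\tthe ELB specified was not found",
    "[INFO]\t2024-01-01T10:00:08Z\tretrying",
    "[CRITICAL]\t2024-01-01T10:00:09Z\tgiving up; signalling failure to CloudFormation",
]

if __name__ == "__main__":
    print("root failure:", triage(SAMPLE_EVENTS))
    for line in lambda_log_errors(SAMPLE_LOG):
        print(line)
```

Run it as-is to see the constructed sample triaged; to use it against a real stack, replace `SAMPLE_EVENTS` with `fetch_stack_events("<your stack name>", "<region>")`. The same `triage` works for an embedded stack once you pass its ARN as the stack name.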
Error: Failure to launch the CFT because of a missing required parameter or because the AWS Availability Zones for the template were not specified
To find the error:
On the AWS Management Console, select CloudFormation.
In the Stack list, select the name of the CFT that failed to deploy. A generic template validation error displays.
Error: Failure to launch the CFT because you did not accept the End User License Agreement (EULA) for the VM-Series Firewall Bundle 2
On the EC2 Dashboard, select Auto Scaling Groups.
Check the details on the failure to launch the firewalls in the ASG. The error indicates that you must accept the terms for deploying the VM-Series firewalls.
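Several of the failures above (stack name longer than 10 characters, a nested or wrong-region bootstrap S3 bucket, a region without AWS Lambda, a missing required parameter or Availability Zone list) are cheaper to catch before the stack is launched than to dig out of a rolled-back stack. The following pre-flight checker is an added example, not part of the Palo Alto Networks CFT or its documentation. The parameter keys `StackName`, `Region`, `BootstrapBucket` and `AvailabilityZones` are hypothetical names for the values the guide discusses and must be mapped to the real template parameters; the `bucket_regions` table and `lambda_regions` set are constructed sample inputs (in practice, fill them from `GetBucketLocation` and the AWS regional services list).

```python
"""Pre-flight checks for a VM-Series Auto Scaling CFT deployment.

Added example; not part of the Palo Alto Networks CFT or its documentation.
The parameter keys below are hypothetical names for the values the guide
discusses, not the template's real parameter names.
"""

MAX_STACK_NAME_LEN = 10  # limit stated in the troubleshooting guide

# Hypothetical parameter names; map them to the real CFT parameters.
REQUIRED_PARAMS = ("StackName", "Region", "BootstrapBucket", "AvailabilityZones")


def preflight(params, bucket_regions, lambda_regions):
    """Return a list of problems; an empty list means every check passed.

    params         - dict of the values you intend to pass to the template
    bucket_regions - dict bucket name -> region (from GetBucketLocation, or a table)
    lambda_regions - set of regions where AWS Lambda is available (caller-supplied)
    """
    problems = []

    # Missing parameters or an empty Availability Zone list produce only a
    # generic template validation error in the console, so name them here.
    missing = [k for k in REQUIRED_PARAMS if not params.get(k)]
    if missing:
        problems.append("missing required parameter(s): " + ", ".join(missing))
        return problems  # the remaining checks need these values

    name = params["StackName"]
    if len(name) > MAX_STACK_NAME_LEN:
        problems.append(
            f"stack name '{name}' is {len(name)} characters; the limit is {MAX_STACK_NAME_LEN}")

    region = params["Region"]
    if region not in lambda_regions:
        problems.append(f"AWS Lambda is not supported in {region}")

    bucket = params["BootstrapBucket"]
    if "/" in bucket:
        # The template cannot take a path: the bucket must sit at the root level.
        problems.append(
            f"bootstrap bucket '{bucket}' includes a path; create the bucket at the root level")
    else:
        bucket_region = bucket_regions.get(bucket)
        if bucket_region is None:
            problems.append(f"bootstrap bucket '{bucket}' was not found")
        elif bucket_region != region:
            problems.append(
                f"bootstrap bucket '{bucket}' is in {bucket_region} but the stack is in {region}")

    return problems


# Constructed sample inputs (real region names, but the tables are illustrative).
SAMPLE_LAMBDA_REGIONS = {"us-east-1", "us-west-2"}
SAMPLE_BUCKET_REGIONS = {"my-bucket": "us-west-2", "vmseries-bootstrap": "us-east-1"}

BAD_PARAMS = {
    "StackName": "vmseries-autoscale",       # 18 characters
    "Region": "us-east-1",
    "BootstrapBucket": "my-bucket/bootstrap",  # nested path, not a root-level bucket
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
}
WRONG_REGION_PARAMS = {
    "StackName": "vmfw-prod",
    "Region": "us-east-1",
    "BootstrapBucket": "my-bucket",            # exists, but lives in us-west-2
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
}
GOOD_PARAMS = {
    "StackName": "vmfw-prod",                  # 9 characters
    "Region": "us-east-1",
    "BootstrapBucket": "vmseries-bootstrap",
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
}

if __name__ == "__main__":
    for label, p in (("bad", BAD_PARAMS), ("wrong-region", WRONG_REGION_PARAMS), ("good", GOOD_PARAMS)):
        print(label, preflight(p, SAMPLE_BUCKET_REGIONS, SAMPLE_LAMBDA_REGIONS) or "OK")
```

The checker stops at missing parameters because the later checks cannot run without them; everything else is reported together so one run lists every correction needed before you relaunch the stack.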