End-of-Life (EoL)

Troubleshoot the VM-Series Auto Scaling Template for AWS

When deploying a VM-Series Auto Scaling template version 1.2 or 1.1, if the template stack is unable to provision the resources specified in the template, the process automatically rolls back and deletes the resources that were successfully created. Because an initial error can trigger a cascade of additional errors, you need to review the logs to locate the first failure event.
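The following script is an added example written for this guide; it is not Palo Alto Networks' code. It reads the JSON that `aws cloudformation describe-stack-events --stack-name <stack>` prints, sorts the events oldest-first so that the root cause is found ahead of the rollback cascade, and maps the failure reason to the error sections on this page. The stack name, logical resource IDs, timestamps and request ID in the embedded sample are constructed for the example.

```python
"""Find the first failure in a CloudFormation stack's event history and map
its reason to the errors described in this troubleshooting guide.

Added example, not Palo Alto Networks' code. Input is the JSON from
    aws cloudformation describe-stack-events --stack-name <stack> > events.json
The CLI returns events newest-first; the root cause is the OLDEST *_FAILED
event, everything that fails after it is usually rollback cascade."""
import json
import re
import sys
from datetime import datetime

# Phrases quoted from the error sections of this guide, paired with the fix
# each one points to. Anything else falls through to a generic hint.
KNOWN_ERRORS = [
    (r"maximum number of addresses has been reached",
     "EIP limit reached in this region: release unused EIPs or request a limit increase"),
    (r"stack name more than 10 characters long",
     "Stack name too long: redeploy with a name of 10 characters or fewer"),
    (r"Resource is not supported in this region",
     "AWS Lambda is not available in this region: deploy in a region that supports it"),
    (r"Embedded stack .* was not successfully created",
     "A nested stack failed: open the Lambda function log stream in CloudWatch "
     "Logs and search for [ERROR] and [CRITICAL]"),
]


def _timestamp(event):
    """Parse the ISO 8601 Timestamp the CLI emits (it ends in Z, not +00:00)."""
    return datetime.fromisoformat(event["Timestamp"].replace("Z", "+00:00"))


def first_failure(events):
    """Return the oldest event whose ResourceStatus ends in _FAILED, or None."""
    failed = [e for e in events if e.get("ResourceStatus", "").endswith("_FAILED")]
    return min(failed, key=_timestamp) if failed else None


def classify(reason):
    """Map a ResourceStatusReason to the matching section of this guide."""
    for pattern, advice in KNOWN_ERRORS:
        if re.search(pattern, reason or "", re.IGNORECASE):
            return advice
    return "Not one of the documented errors: read the full ResourceStatusReason"


def triage(events):
    """Summarise the root-cause event of a failed stack, or None if nothing failed."""
    root = first_failure(events)
    if root is None:
        return None
    reason = root.get("ResourceStatusReason", "")
    return {
        "resource": root.get("LogicalResourceId"),
        "status": root.get("ResourceStatus"),
        "reason": reason,
        "advice": classify(reason),
    }


# Constructed sample, newest-first as describe-stack-events returns it. The
# stack name, logical IDs and request ID are made up for this example.
SAMPLE_EVENTS = [
    {"Timestamp": "2019-03-04T10:15:09.000Z", "LogicalResourceId": "vmfw01",
     "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: "
                             "[FirewallEIP1]. Rollback requested by user."},
    {"Timestamp": "2019-03-04T10:15:08.000Z", "LogicalResourceId": "FirewallSubnet1",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": "2019-03-04T10:15:07.000Z", "LogicalResourceId": "FirewallEIP1",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "The maximum number of addresses has been reached. "
                             "(Service: AmazonEC2; Status Code: 400; "
                             "Error Code: AddressLimitExceeded; Request ID: 0000)"},
    {"Timestamp": "2019-03-04T10:14:58.000Z", "LogicalResourceId": "vmfw01",
     "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated"},
]

if __name__ == "__main__":
    # With a file argument, triage real CLI output; otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            events = json.load(fh)["StackEvents"]
    else:
        events = SAMPLE_EVENTS
    print(json.dumps(triage(events), indent=2))
```

Run against the sample, the script reports FirewallEIP1 as the root cause with the EIP-limit advice; the later "Resource creation cancelled" failure on the subnet is correctly ignored as cascade.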

Error: Inadequate number of Elastic IP addresses (EIPs)

The Lambda function must allocate an Elastic IP address to launch the firewall; if your account has reached its EIP limit for the region, the launch fails.
  1. On the AWS Management Console, select CloudFormation.
  2. In the Stack list, select the name of the stack that failed to deploy and view the list of Events.
  3. Look through the failure events for "maximum number of addresses has been reached".
    [Screenshot: cft_error_eip.PNG]

Error: Stack name is longer than 10 characters.

The VM-Series Auto Scaling template deployment fails if the stack name is longer than 10 characters.
  1. On the AWS Management Console, select CloudWatch > Logs.
  2. In the Log Groups list, select the Log Stream for the template that failed to deploy.
  3. Filter for ERROR events and look for "stack name more than 10 characters long".
    [Screenshot: cft_error_stackname.PNG]

Error: The instance size does not meet the minimum system requirements for the VM-Series firewall model.

The VM-Series Auto Scaling template deployment fails if the instance size you selected does not match the VM-Series System Requirements.

Error: Unable to log in to the firewall

You may be unable to log in to the firewall for one of the following reasons:
  • The firewall is not configured properly because the bootstrap process failed.
  • You chose the NAT gateway option to conserve EIP addresses, so the firewall does not have a publicly accessible IP address. If you are not using Panorama to manage the firewall, you must reach the CLI or web interface on the private IP address that AWS assigned: deploy a bastion host (jump server) on the same subnet as the firewall, assign a public IP address to the jump server, log in to the jump server, and connect to the firewall from there.
  • You edited the bootstrap.xml file and the NAT policy is missing or incorrect.
  1. To troubleshoot, first check that the template references the correct S3 bucket with the bootstrap files:
    1. On the EC2 Dashboard, select Instances.
    2. Select the firewall instance, and click Actions > View/Change User Data.
    3. Verify the name of the S3 bucket that contains the bootstrap files.
      [Screenshot: cft_error_bootstrap.PNG]
    4. Verify that you created the S3 bucket at the root level, directly under All Buckets. If you nest the S3 bucket, bootstrapping fails because you cannot specify a path to the location of the bootstrap files. See Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
    5. Verify that the S3 bucket is in the same region in which you are deploying the VM-Series Auto Scaling template.
  2. Check whether the internet-facing ELB is in service. If bootstrapping fails, the VM-Series firewalls that load-balance traffic remain out of service.
    1. Select EC2 > Load Balancers.
    2. Select the internet-facing (or external) classic ELB and verify that the VM-Series firewall instances are in service.
      The following screenshot shows VM-Series firewalls that are not in service.
      [Screenshot: cft-bootstrap-asg-error.png]
  3. If the VM-Series firewalls are in service, check that the NAT policy was successfully committed.
    If you edited the bootstrap.xml file and deleted or modified the NAT policy rules, the firewall may have a misconfiguration that prevents traffic from being routed to it properly.
    [Screenshot: cft-bootstrap-nat-error.png]
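Two of the failures above can be caught before the stack is launched: the 10-character stack name limit from the "Stack name is longer than 10 characters" section, and the bootstrap bucket checks in step 1 of this section (bucket given as a nested path, or bucket in a different region). The pre-flight checker below is an added example, not Palo Alto Networks' code. It assumes the user data key `vmseries-bootstrap-aws-s3bucket=<bucket>` from the VM-Series AWS bootstrap documentation (the key itself is not quoted on this page), and it expects the caller to supply the bucket's region, for example from `aws s3api get-bucket-location --bucket <bucket>`, which reports a null LocationConstraint for us-east-1. The stack names and user data in the example run are constructed.

```python
"""Pre-launch checks for two failure causes in this guide: a stack name longer
than 10 characters, and a bootstrap S3 bucket the firewall cannot use because
it is given as a nested path or lives in another region.

Added example, not Palo Alto Networks' code. Assumptions: the user data key
"vmseries-bootstrap-aws-s3bucket=<bucket>" is the one from the VM-Series AWS
bootstrap documentation, and bucket_region comes from the caller (for
example `aws s3api get-bucket-location`, which returns null for us-east-1)."""
import re

STACK_NAME_MAX = 10  # limit stated in this guide
# CloudFormation stack names: letters, digits and hyphens, starting with a letter.
STACK_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# S3 bucket names: 3-63 characters of lowercase letters, digits, dots and hyphens.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
BOOTSTRAP_KEY = "vmseries-bootstrap-aws-s3bucket"  # assumed key, see docstring


def check_stack_name(name):
    """Return a list of problems with the stack name (empty list means OK)."""
    problems = []
    if len(name) > STACK_NAME_MAX:
        problems.append(f"stack name {name!r} is {len(name)} characters; "
                        f"the template requires at most {STACK_NAME_MAX}")
    if not STACK_NAME_RE.match(name):
        problems.append(f"stack name {name!r} is not a valid CloudFormation stack name")
    return problems


def parse_user_data(user_data):
    """Return the key=value pairs from instance user data (newline or ';' separated)."""
    pairs = {}
    for item in re.split(r"[\n;]", user_data):
        item = item.strip()
        if "=" in item and not item.startswith("#"):
            key, _, value = item.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def check_bootstrap_user_data(user_data, deploy_region, bucket_region):
    """Apply the bucket checks from step 1 of the login section to the user data."""
    problems = []
    bucket = parse_user_data(user_data).get(BOOTSTRAP_KEY)
    if bucket is None:
        return [f"user data does not set {BOOTSTRAP_KEY}; the firewall will not bootstrap"]
    if "/" in bucket:
        problems.append(f"{bucket!r} is a path, not a bucket: the bootstrap files must "
                        "be in a bucket created at the root level")
    elif not BUCKET_NAME_RE.match(bucket):
        problems.append(f"{bucket!r} is not a valid S3 bucket name")
    # get-bucket-location reports us-east-1 as a null LocationConstraint.
    effective_region = bucket_region or "us-east-1"
    if effective_region != deploy_region:
        problems.append(f"bucket is in {effective_region} but the template is "
                        f"deploying in {deploy_region}")
    return problems


if __name__ == "__main__":
    # Constructed inputs for the example run.
    print(check_stack_name("vmseries-autoscale"))
    print(check_bootstrap_user_data("vmseries-bootstrap-aws-s3bucket=fw-bootstrap/prod",
                                    "us-west-2", "us-east-1"))
```

Both checks return an empty list when everything is in order, so they drop cleanly into a deployment script that aborts before calling `aws cloudformation create-stack`.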

Error: AWS Lambda is not supported in the region in which you are deploying the VM-Series Auto Scaling template.

To find the error:
  1. On the AWS Management Console, select CloudFormation.
  2. In the Stack list, select the name of the stack that failed to deploy and view the list of Events. The error reads "Resource is not supported in this region".
    [Screenshot: cft_lambda_unsupported_error.png]

Error: Failure to successfully create a resource with a message such as:

Embedded stack arn:aws:cloudformation:<AWS region>:290198859335:stack/<name of your stack> was not successfully created: The following resource(s) failed to create:[ResourceName].
To find the errors:
  1. On the AWS Management Console, select CloudWatch.
  2. Click Logs and then select the Lambda function on the right. You will see one or more log streams.
  3. Search for [ERROR] and [CRITICAL].
The following example shows that the ELB specified was not found:
[Screenshot: cft_error_elb.PNG]

Error: Failure to launch the VM-Series Auto Scaling template because of a missing required parameter or not specifying the AWS Availability Zones for the template.

To find the error:
  1. On the AWS Management Console, select CloudFormation.
  2. In the Stack list, select the name of the stack that failed to deploy. A generic template validation error displays.
[Screenshot: cft_missing_parameter_error.png]

Error: Failure to launch the VM-Series Auto Scaling template because you did not accept the End User License Agreement (EULA) for the PAYG VM-Series Firewall Bundle you are deploying.

  1. On the EC2 Dashboard, select Auto Scaling Groups.
  2. Check the details of the failure to launch the firewalls in the ASG. The error indicates that you must accept the terms for deploying the VM-Series firewalls.
[Screenshot: cft_eula_error.png]
