Why do I receive a "Failed to authenticate with service" error in Application Migration Service or Elastic Disaster Recovery?

I received a "Failed to authenticate with service" error message in AWS Application Migration Service or AWS Elastic Disaster Recovery. The error occurred during the initial sync or during the replication process.

Short description

After you boot the replication server, it must reach the Amazon S3, Amazon EC2, and Application Migration Service or Elastic Disaster Recovery endpoints in your AWS Region over TCP port 443.

If communication to these endpoints fails, then you receive the "Failed to authenticate with service" error message during initial data replication.

For more information, see Communication between the staging area subnet and AWS Application Migration Service over TCP port 443. Or, see Communication between the staging area subnet and AWS Elastic Disaster Recovery over TCP port 443.

Resolution

Identify the endpoint that the server can't communicate with

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. Choose the latest replication instance that Application Migration Service or Elastic Disaster Recovery launched.
    Note: Use the Application Migration Service replication server or Elastic Disaster Recovery replication server tags to find the replication instance. The instance can be in the Running or Terminated state. If there's no replication server available in your console, then proceed to Test network connectivity.
  3. Choose Actions, and then select Monitor and troubleshoot.
  4. Choose Get system log.
  5. Check the logs for the following errors:
    "Unable to reach S3"
    "Unable to reach MGN"
    "Unable to reach DRS"
    "Unable to reach EC2"

Test network connectivity

To test network connectivity, create a new Amazon EC2 instance, or use an existing EC2 instance. Make sure that the instance uses the same settings as the replication server, such as the same virtual private cloud (VPC), subnet, and security groups.

To test network connectivity, run the following commands:

telnet s3.region.amazonaws.com 443
telnet ec2.region.amazonaws.com 443
telnet drs.region.amazonaws.com 443

-or-

telnet mgn.region.amazonaws.com 443

Note: Replace region with your Region. The preceding commands use telnet to check TCP communication to port 443. You can use another tool and test other endpoints, if needed.

To check the SSL/TLS connectivity of the service, run one of the following commands:

echo -n | openssl s_client -connect drs.region.amazonaws.com:443

-or-

echo -n | openssl s_client -connect mgn.region.amazonaws.com:443

Note: Replace region with your Region.

To check the connectivity between the source server and the staging subnet over port 1500, run the following command:

echo -n | openssl s_client -connect Server-IP:1500

Note: Replace Server-IP with your replication server IP address. If there's no active replication server, then use the IP address of your test EC2 instance.

If you use a private connection (no internet access from the staging area subnet), then make sure that the replication server uses private VPC endpoints for these services.
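The telnet and openssl checks above, collected into one script that reports which endpoint the test instance cannot reach and the matching "Unable to reach ..." system log label. This is an added example, not part of the AWS article; it assumes openssl and timeout are installed on the instance, and that REGION, SERVICE and STAGING_IP are set for your environment.

```shell
#!/bin/sh
# Added example, not from the AWS article. Runs the article's connectivity
# checks in one pass from an EC2 instance that uses the replication server's
# VPC, subnet and security groups. Assumes openssl and timeout are installed.

REGION="${REGION:-us-east-1}"   # assumption: replace with your Region
SERVICE="${SERVICE:-mgn}"       # mgn (Application Migration Service) or drs (Elastic Disaster Recovery)
STAGING_IP="${STAGING_IP:-}"    # replication server IP for the port 1500 check (run that check from the source server)

# Print the three service endpoints the replication server must reach, one per line.
endpoints_for() {
    printf '%s\n' "s3.$1.amazonaws.com" "ec2.$1.amazonaws.com" "$2.$1.amazonaws.com"
}

# Map an endpoint name to the label used in the replication server system log.
log_label() {
    case "$1" in
        s3.*)  echo "S3" ;;
        ec2.*) echo "EC2" ;;
        mgn.*) echo "MGN" ;;
        drs.*) echo "DRS" ;;
        *)     echo "$1" ;;
    esac
}

# Return 0 when a TLS handshake to host:port completes within 10 seconds.
# Same check as the article's "echo -n | openssl s_client -connect host:port".
tls_reachable() {
    timeout 10 openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
}

run_checks() {
    failed=0
    for host in $(endpoints_for "$REGION" "$SERVICE"); do
        if tls_reachable "$host" 443; then
            echo "OK    $host:443"
        else
            echo "FAIL  $host:443  (system log would show: Unable to reach $(log_label "$host"))"
            failed=1
        fi
    done
    if [ -n "$STAGING_IP" ]; then
        if tls_reachable "$STAGING_IP" 1500; then
            echo "OK    $STAGING_IP:1500"
        else
            echo "FAIL  $STAGING_IP:1500  (source server cannot reach the staging subnet)"
            failed=1
        fi
    fi
    return "$failed"
}

# Set RUN_CHECKS=1 to execute the checks; the functions can also be sourced and called individually.
if [ "${RUN_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Run it as REGION=your-region SERVICE=mgn RUN_CHECKS=1 sh check.sh (or SERVICE=drs); each FAIL line names the endpoint to investigate in the Troubleshoot connection issues section.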

Troubleshoot connection issues

Make sure that your security groups, network access control lists (network ACLs), and route table allow access to the endpoints through TCP port 443.

For VPC interface endpoints for Amazon EC2 or Application Migration Service, check the security group attached to the interface endpoints. Make sure that it allows inbound TCP port 443 access from your staging area subnet.

For Amazon S3 access in subnets with no internet access, make sure that you use an Amazon S3 gateway endpoint. The replication server can't use an Amazon S3 VPC interface endpoint because the Amazon S3 links don't use your VPC endpoint interface ID.

For custom Dynamic Host Configuration Protocol (DHCP) option sets for DNS resolution in the subnet, check the DNS servers. They must resolve the required endpoints for Amazon EC2, Amazon S3, and Application Migration Service or Elastic Disaster Recovery.

If you route traffic through a firewall, then make sure that the firewall doesn't block traffic from the replication servers to the endpoints.

If you use an internet gateway for internet access, then confirm that the replication server has a public IP address to communicate with the endpoints. To check this configuration, complete the following steps:

  1. Open the Application Migration Service console or Elastic Disaster Recovery console.
  2. In the navigation pane, choose Source servers.
  3. Choose Edit replication settings.
  4. Under IPv4 address assignment, choose Create public IP.
  5. Choose Save replication settings.

For more troubleshooting information, see Troubleshooting communication errors (Application Migration Service) or Troubleshooting communication errors (Elastic Disaster Recovery).