Trying to activate file gateway - getting 'internal error'

0

Goal: Connect a file storage gateway to an EC2 instance acting as a file server to allow for huge S3-backed storage while using the gateway for caching. (I've never done this personally, but was told it's the way to go.)

When I try to activate the gateway, I keep getting an 'internal error'. I've tried activating from my external PC as well as from an instance in the gateway's own VPC. I've specified inbound port 80 for the gateway security group from 0.0.0.0/0 as well as from the VPC.

I've been reviewing and redoing the recommendations on here: https://repost.aws/knowledge-center/sg-resolve-activation-vpc-endpoint

I've also been following this general guide: https://docs.aws.amazon.com/filegateway/latest/files3/Requirements.html

Note: on-premises resources are not involved here unlike some other gateway cases.

Thank you in advance for any guidance.

asked a year ago · 430 views
3 Answers
0

Hello,

"Internal error" shown when activating the file gateway usually means the gateway VM cannot be connected to from the AWS console. I would recommend you follow this document to do further troubleshooting: https://repost.aws/knowledge-center/storage-gateway-resolve-internal-error

Also, please check that your EC2 instance is in a public subnet if you activate the gateway as "Publicly accessible".

AWS
Paul_Y
answered a year ago
0

Hello,

Greetings from AWS!

"Internal error" is returned if your gateway appliance is unable to reach the Storage Gateway endpoint to fetch the activation ID. To verify connectivity to the endpoints, please perform a Network Connectivity Test from the gateway appliance's local console [1] by following the steps in the guide below:

Testing your gateway's network connectivity: https://docs.aws.amazon.com/filegateway/latest/filefsxw/ec2-local-console-fwg.html#EC2_MaintenanceTestGatewayConnectivity-fgw

To troubleshoot the error, please confirm the below:

  1. Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222 [1].

  2. Check the security group that's attached to the gateway. Confirm that the security group allows inbound traffic on TCP port 80.

  3. Confirm that the workstation you're using to activate the gateway can communicate with the VPC of the gateway instance over Direct Connect or VPN. If your workstation can't communicate with the VPC, try activating the gateway from another instance within the same VPC.

Additionally, to confirm that the required ports are open, run telnet commands on the Storage Gateway VPC Endpoint. You must run these commands from a server that's in the same subnet as the gateway. You can run the tests on the first DNS name that doesn't specify an Availability Zone. For example, the following telnet commands test the required port connections using the DNS name vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 443

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1026

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1027

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1028

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1031

$ telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 2222

Confirm that there's no firewall security that modifies packets sent from the gateway to your Storage Gateway VPC endpoint. The firewall security might be an SSL inspection, deep packet inspection, or in any other form. The SSL handshake fails if the SSL certificate is modified from what the activation endpoint expects. To confirm that there's no SSL inspection in progress, run an OpenSSL command on your Storage Gateway VPC endpoint. You must run this command from a machine that's in the same subnet as the gateway. Run the command for each required port:

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:443 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1026 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1027 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1028 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1031 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:2222 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com

For the expected output and further troubleshooting steps you can take, please refer to the troubleshooting guide provided on [2].

References:

[1] https://docs.aws.amazon.com/storagegateway/latest/vgw/gateway-private-link.html#create-vpc-endpoint

[2] https://aws.amazon.com/premiumsupport/knowledge-center/storage-gateway-resolve-internal-error/

AWS
SUPPORT ENGINEER
answered a year ago
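The telnet and openssl checks in the answer above, scripted so they can be run in one go from a host in the gateway's subnet. This is an added example, not code from the answer or from AWS: it uses Python's socket and ssl modules in place of telnet and openssl, the endpoint DNS name and the expected certificate issuer are placeholders you substitute, and the function names (tcp_reachable, check_ports, tls_issuer_org, report, local_demo) are my own. The SSL-inspection check compares the issuer of the certificate presented on port 443 against an issuer you recorded from a known-good path; a mismatch or a verification failure suggests a middlebox is rewriting the certificate, which is exactly the case the answer says breaks activation.

```python
"""Port-reachability and TLS-inspection checks for a Storage Gateway VPC endpoint.

Added example, not from the re:Post answer or from AWS. Run from a host in the
same subnet as the gateway:  python3 sgw_check.py vpce-....amazonaws.com [ExpectedIssuerOrg]
"""
from __future__ import annotations

import socket
import ssl
import sys

# Ports the answer lists as required between the gateway and the VPC endpoint.
REQUIRED_PORTS = (443, 1026, 1027, 1028, 1031, 2222)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of `telnet host port`: True only if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, no route
        return False


def check_ports(host: str, ports=REQUIRED_PORTS, timeout: float = 3.0) -> dict[int, bool]:
    """Probe every required port; a False entry points at a security-group or route gap."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def tls_issuer_org(host: str, port: int = 443, timeout: float = 3.0) -> str | None:
    """Equivalent of `openssl s_client -connect host:port -servername host`.

    Returns the organizationName of the certificate issuer, or a short failure
    string. An SSL-inspecting proxy re-signs the server certificate with its own
    CA, so the issuer differs from what a clean network path shows (and the
    handshake fails outright if that CA is not in the local trust store).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (key, value) pairs.
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return issuer.get("organizationName")


def report(host: str, expected_issuer_org: str | None = None) -> list[str]:
    """One finding per check, with the remediation hint from the answer's steps."""
    lines = []
    for port, ok in check_ports(host).items():
        if ok:
            lines.append(f"port {port}: reachable")
        else:
            lines.append(f"port {port}: NOT reachable - check that the VPC endpoint security "
                         f"group allows TCP {port} from the gateway IP and that a route exists")
    if expected_issuer_org:
        org = tls_issuer_org(host, 443)
        if org == expected_issuer_org:
            lines.append(f"tls 443: issuer {org!r} matches, no SSL inspection detected")
        else:
            lines.append(f"tls 443: issuer {org!r} != {expected_issuer_org!r} - "
                         "an inspecting proxy may be rewriting the certificate")
    return lines


def local_demo() -> dict[str, bool]:
    """Offline self-check: one listening loopback port and one closed loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)  # the kernel completes handshakes even without accept()
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the connect is refused
    try:
        result = check_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    finally:
        listener.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: sgw_check.py <vpc-endpoint-dns-name> [expected-issuer-org]")
        sys.exit(2)
    for line in report(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None):
        print(line)
```

A port that the script reports as unreachable while the security group looks right is worth re-checking from the gateway's own subnet: as the answer says, the tests are only meaningful from a host that shares the gateway's network path, and the asker's eventual fix (moving to a public subnet) is the kind of routing difference these probes surface.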
0

Hello all! Thank you for your suggestions.

SUCCESS! Once I set the gateway to a public subnet, it worked, even though the original one had the ports open and had a route to the internet. Oh well.

answered a year ago
