Hello,
An "Internal error" shown when activating a file gateway usually means the gateway VM cannot be connected to from the AWS console. I would recommend you follow this document for further troubleshooting: https://repost.aws/knowledge-center/storage-gateway-resolve-internal-error
Also, please check that your EC2 instance is in a public subnet if you activate the gateway as "Publicly accessible".
Hello,
Greetings from AWS!
"Internal error" is returned if your gateway appliance is unable to reach the Storage Gateway endpoint to fetch the activation ID. To verify connectivity to the endpoints, please perform a Network Connectivity Test from the gateway appliance's local console[1] by following the steps in the guide below:
Testing your gateway's network connectivity: https://docs.aws.amazon.com/filegateway/latest/filefsxw/ec2-local-console-fwg.html#EC2_MaintenanceTestGatewayConnectivity-fgw
To troubleshoot the error, please confirm the below:
- Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222 [1].
- Check the security group that's attached to the gateway. Confirm that the security group allows inbound traffic on TCP port 80.
- Confirm that the workstation you're using to activate the gateway can communicate with the VPC of the gateway instance over Direct Connect or VPN. If your workstation can't communicate with the VPC, try activating the gateway from another instance within the same VPC.
Additionally, to confirm that the required ports are open, run telnet commands on the Storage Gateway VPC Endpoint. You must run these commands from a server that's in the same subnet as the gateway. You can run the tests on the first DNS name that doesn't specify an Availability Zone. For example, the following telnet commands test the required port connections using the DNS name vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com :
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 443
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1026
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1027
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1028
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 1031
telnet vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com 2222
Confirm that there's no firewall security that modifies packets sent from the gateway to your Storage Gateway VPC endpoint. The firewall security might be an SSL inspection, deep packet inspection, or in any other form. The SSL handshake fails if the SSL certificate is modified from what the activation endpoint expects. To confirm that there's no SSL inspection in progress, run an OpenSSL command on your Storage Gateway VPC endpoint. You must run this command from a machine that's in the same subnet as the gateway. Run the command for each required port:
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:443 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1026 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1027 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1028 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:1031 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
$ openssl s_client -connect vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com:2222 -servername vpce-1234567abcde.storagegateway.region.vpce.amazonaws.com
For the expected output and further troubleshooting steps you can take, please refer to the troubleshooting guide provided on [2].
References:
[1] https://docs.aws.amazon.com/storagegateway/latest/vgw/gateway-private-link.html#create-vpc-endpoint
[2] https://aws.amazon.com/premiumsupport/knowledge-center/storage-gateway-resolve-internal-error/
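The telnet and OpenSSL checks described in the answer above can be combined into one pass over the required ports. This is an added example, not part of the original answer or AWS tooling; the function names, the `EXPECTED_ISSUER_RE` variable and the assumption that an unmodified endpoint certificate has an issuer containing "Amazon" are illustrative, and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): per-port reachability and
# TLS issuer check against a Storage Gateway VPC endpoint.
PORTS="443 1026 1027 1028 1031 2222"   # ports listed in the answer above
# Assumption: an unmodified endpoint certificate has an issuer containing "Amazon".
EXPECTED_ISSUER_RE="${EXPECTED_ISSUER_RE:-Amazon}"

# Constructed sample of the relevant `openssl s_client` lines, for offline use.
SAMPLE_INSPECTED='subject=CN = example.invalid
issuer=CN = Example Corp TLS Inspection CA'

# Print the issuer from `openssl s_client` output read on stdin.
issuer_from_s_client() {
  sed -n 's/^ *issuer=//p' | head -n 1
}

# Map an issuer string to: ok, inspected (unexpected issuer) or no-tls.
classify_issuer() {
  if [ -z "$1" ]; then echo "no-tls"
  elif printf '%s' "$1" | grep -Eq "$EXPECTED_ISSUER_RE"; then echo "ok"
  else echo "inspected"
  fi
}

# Test one port: TCP connect first (the telnet step), then the TLS handshake.
check_port() {
  host="$1"; port="$2"
  if ! timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
    echo "$port unreachable"; return 0
  fi
  issuer=$(timeout 10 openssl s_client -connect "$host:$port" \
             -servername "$host" </dev/null 2>/dev/null | issuer_from_s_client)
  echo "$port $(classify_issuer "$issuer") $issuer"
}

if [ -n "${1:-}" ]; then
  # Usage: ./check_endpoint.sh <VPC endpoint DNS name>, from the gateway's subnet.
  for p in $PORTS; do check_port "$1" "$p"; done
else
  # No hostname given: classify the constructed sample instead.
  classify_issuer "$(printf '%s\n' "$SAMPLE_INSPECTED" | issuer_from_s_client)"
fi
```

A port reported as `inspected` completed a handshake but presented a certificate from an unexpected issuer, which is the SSL inspection case the answer warns about; `unreachable` points back to the security group and routing checks.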
Hello all! Thank you for your suggestions.
SUCCESS! Once I set the gateway to a public subnet, it worked, even though the original one had the ports open and had a route to the internet. Oh well.