Why is my Storage Gateway activation failing when I try to activate my gateway using a public endpoint?

Last updated: 2020-09-25

I'm trying to activate my gateway on AWS Storage Gateway using a public endpoint. However, the activation is failing. How can I troubleshoot this?

Short description

Gateway activation using a public endpoint can fail for the following reasons:

  • The gateway VM doesn't meet the minimum system requirements.
  • The gateway's virtual machine (VM) can't reach the service endpoints on port 443.
  • The gateway is not reachable on port 80.

Resolution

Note: Activation can fail if the gateway VM or the gateway instance on Amazon Elastic Compute Cloud (Amazon EC2) was already activated. After activation is complete, the gateway stops listening on port 80 and can't communicate with the endpoint. Before you begin troubleshooting, confirm that the gateway VM or instance hasn't been activated before.

Troubleshooting a gateway that's hosted on-premises

Confirm that the gateway VM meets the minimum hardware and storage requirements

  • The VM must have a minimum of 4 CPUs and 16 GB memory to communicate with the gateway endpoints.
  • The VM's root disk must be at least 80 GB.

Confirm that the gateway VM meets the network requirements

  • The gateway VM must listen on TCP port 80 to receive the activation request from the gateway endpoint.
  • The gateway VM must be able to access the endpoint anon-cp.storagegateway.region.amazonaws.com 443 to communicate with AWS.
  • Your firewall and router must allow the required service endpoints for outbound traffic to AWS.
  • Your firewall must allow traffic on port 123 so that the gateway VM can synchronize its clock with NTP servers.
  • Your firewall must allow DNS traffic on port 53 so that the gateway VM can resolve the service endpoints.

Additionally, verify that there are no ongoing SSL inspections or deep packet inspections between your gateway's VM and the Storage Gateway service endpoints. The file gateway software drops the connection when it detects deep packet inspection, because it treats an inspected connection as a man-in-the-middle attack.

To check for any ongoing inspections, you can run an OpenSSL command from a VM that's in the same network as your gateway's VM:

openssl s_client -connect client-cp.storagegateway.us-east-1.amazonaws.com:443

Test the network connection

You can test your gateway's connection to the required endpoints in the following ways:

  • Run a network connectivity test from your gateway's local VM console.
  • Run a telnet command from a VM that's in the same network as the gateway VM:
    telnet anon-cp.storagegateway.region.amazonaws.com 443
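The following script is an added example, not AWS tooling, that combines the checks above for an on-premises gateway: it probes TCP 443 to the anonymous control-plane endpoint, probes TCP 80 on the gateway VM, and classifies the certificate chain that openssl s_client returns so that an inspecting proxy (a leaf certificate not issued by Amazon) is distinguished from a plain connection failure. The function names, the gateway address 10.0.0.25, and the "Example Corp" inspection-CA sample output are constructed for illustration; it assumes openssl, GNU timeout, and bash (used only for the /dev/tcp probes) are installed.

```shell
#!/bin/sh
# Added example, not AWS tooling: check the public-endpoint activation
# prerequisites from a host in the same network as the gateway VM.
# Assumes openssl, GNU timeout and bash (used only for /dev/tcp probes).
# Anonymous control-plane endpoint the gateway must reach on TCP 443.
sg_endpoint() { printf 'anon-cp.storagegateway.%s.amazonaws.com' "$1"; }

# Classify `openssl s_client` output: ok | intercepted | unverified | failed.
# A leaf certificate not issued by Amazon means a proxy or inspection
# device re-signed it, which the gateway software treats as a MITM.
classify_tls() {
  issuer="$(printf '%s\n' "$1" | grep -E '^ *i:' | head -n 1)"
  [ -n "$issuer" ] || { echo failed; return 0; }
  case "$issuer" in
    *Amazon*) ;;
    *) echo intercepted; return 0 ;;
  esac
  if printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok          # Amazon-issued chain that this host can verify
  else
    echo unverified  # Amazon-issued, but this host lacks the root CA
  fi
}

# Probe one TCP port; returns 0 when a connection can be opened.
tcp_reachable() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Run the network checks for one region and one gateway VM address.
check_gateway() {
  ep="$(sg_endpoint "$1")"
  tcp_reachable "$ep" 443 && echo "443 -> $ep: open" \
    || echo "443 -> $ep: BLOCKED (firewall or router rule, or DNS on 53)"
  tcp_reachable "$2" 80 && echo "80 -> gateway VM: listening" \
    || echo "80 -> gateway VM: closed (already activated, or blocked)"
  out="$(timeout 10 openssl s_client -connect "$ep:443" </dev/null 2>/dev/null)"
  echo "TLS -> $ep: $(classify_tls "$out")"
}

# Constructed sample of s_client output as seen through an inspecting proxy.
SAMPLE_PROXY="Certificate chain
 0 s:CN = anon-cp.storagegateway.us-east-1.amazonaws.com
   i:C = US, O = Example Corp, CN = Example Corp TLS Inspection CA
---
Verify return code: 21 (unable to verify the first certificate)"
# Usage: sh check_sg.sh us-east-1 10.0.0.25   (gateway VM address is constructed)
if [ "$#" -eq 2 ]; then check_gateway "$1" "$2"; fi
```

Run it from a VM on the same network as the gateway; a "closed" result on port 80 is expected once the gateway has already been activated.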

Troubleshooting a gateway that's hosted on Amazon EC2

Confirm that the Amazon EC2 gateway instance meets the minimum hardware and storage requirements

  • The instance must have a minimum of 4 CPUs and 16 GB memory for the gateway to communicate with the gateway endpoints.
  • The instance's root disk must be at least 80 GB.

Note: The recommended instance types for a gateway are m4.xlarge and m4.2xlarge.

Confirm that the gateway instance meets the network requirements

  • The instance's security group must allow inbound traffic from your client or workstation's IP address on TCP port 80.
  • The instance's security group must allow outbound traffic to TCP ports 443, 123, and 53 to communicate with the service endpoints.

Test the network connection

  • Run a network connectivity test from your gateway's local VM console.
  • Run a telnet command from an EC2 instance that's in the same network or subnet as the gateway instance:
    telnet anon-cp.storagegateway.region.amazonaws.com 443
