aws-transit-vpc

Password not working for PAGroup

Open panama63119 opened this issue 6 years ago • 17 comments

Deploying these templates and PAGroup58 launches. However, using the default password from the deployment document I cannot log in. Also, setting a new phash in the bootstrap file did not work either. I am new to Palo Alto. If I look at the phash in the config, should it list more than an "*"?

    admin@PA-VM# show mgt-config users
    users {
      admin {
        phash *;
        permissions {
          role-based {
            superuser yes;

panama63119 avatar Mar 19 '18 17:03 panama63119

When you say default password are you using the password that we listed in the Transit VPC deployment guide?

jpeezus avatar Mar 19 '18 18:03 jpeezus

Yes.

Thomas Heljula Sr. IT Administrator, Network O: 314.770.3482

panama63119 avatar Mar 19 '18 18:03 panama63119

For the sake of testing I would recommend going back to the default bootstrap file and using the default credentials defined in the transit VPC guide: user is admin, password starts with an "R".

It does take some time for the PAGroup firewalls to be accessible via console, but once they are, the default password that starts with "R" will work. It's not the default admin/admin username and password, but I am sure you are aware of that.

jpeezus avatar Mar 19 '18 18:03 jpeezus

If I created a new password and hash can I put that in the bootstrap.xml and use that password? I would like to avoid known default passwords.

panama63119 avatar Mar 19 '18 18:03 panama63119

Yes, as long as your bootstrap file in the S3 bucket matches the password in the stack deployment, it should work. Can you provide detail on when you changed the password? Did you launch the templates first, then change the password?

jpeezus avatar Mar 19 '18 18:03 jpeezus

No, I changed the bootstrap template first and then launched them in CloudFormation.

panama63119 avatar Mar 19 '18 19:03 panama63119

So I believe that the step function is failing execution on creation of the Subscriber VPC and VPN.

3fa3e3a0-f3e3-46ed-a1d9-2ecaa2263b4d

arn:aws:states:us-west-2:167648698950:execution:SubscrierStateMachine-nWPliObOdMPh:3fa3e3a0-f3e3-46ed-a1d9-2ecaa2263b4d

Failed

Mar 19, 2018 02:52:57.875 PM

Mar 19, 2018 02:53:11.150 PM

    10  LambdaFunctionScheduled  CreateVpnConnection  Lambda | CloudWatch logs  1143  Mar 19, 2018 02:52:59.018 PM
        { "resource": "arn:aws:lambda:us-west-2:167648698950:function:createVpnConnection-INFRA-PaloAlto-Subscriber-VPC", "input": { "Action": "CreateVpnConnection", "VpcId": "vpc-35aed34c", "VpcCidr": "10.101.0.0/16", "Region": "us-west-2", "Rebalance": "False" }, "timeoutInSeconds": null }
    11  LambdaFunctionStarted  CreateVpnConnection  Lambda | CloudWatch logs  1187  Mar 19, 2018 02:52:59.062 PM
        {}
    12  LambdaFunctionSucceeded  CreateVpnConnection  Lambda | CloudWatch logs  2870  Mar 19, 2018 02:53:00.745 PM
        { "output": null }
    13  TaskStateExited  CreateVpnConnection  ---  2870  Mar 19, 2018 02:53:00.745 PM
        { "name": "CreateVpnConnection", "output": null }
    14  TaskStateEntered  FetchFromSubscriberQueue  ---  2879  Mar 19, 2018 02:53:00.754 PM
        { "name": "FetchFromSubscriberQueue", "input": null }
    15  LambdaFunctionScheduled  FetchFromSubscriberQueue  Lambda | CloudWatch logs  2879  Mar 19, 2018 02:53:00.754 PM
        { "resource": "arn:aws:lambda:us-west-2:167648698950:function:fetchFromSubscriberQueueLambda-INFRA-PaloAlto-Subscriber-VPC", "input": null, "timeoutInSeconds": null }
    16  LambdaFunctionStarted  FetchFromSubscriberQueue  Lambda | CloudWatch logs  2917  Mar 19, 2018 02:53:00.792 PM
        {}
    17  LambdaFunctionSucceeded  FetchFromSubscriberQueue  Lambda | CloudWatch logs  13258  Mar 19, 2018 02:53:11.133 PM
        { "output": null }
    18  TaskStateExited  FetchFromSubscriberQueue  ---  13258  Mar 19, 2018 02:53:11.133 PM
        { "name": "FetchFromSubscriberQueue", "output": null }
    19  ChoiceStateEntered  ChoiceState  ---  13275  Mar 19, 2018 02:53:11.150 PM
        { "name": "ChoiceState", "input": null }
    20  ExecutionFailed  ---  13275  Mar 19, 2018 02:53:11.150 PM
        { "error": "States.Runtime", "cause": "Internal Error (8b6bb8f7-a016-4752-be8a-ec4f70cc7127)" }

panama63119 avatar Mar 19 '18 20:03 panama63119

I assume you have launched the initialize subscriber VPC template first?

Thanks,

/narayan

narayan-iyengar avatar Mar 19 '18 20:03 narayan-iyengar

Yes and the PAGroup has been created successfully as well.

panama63119 avatar Mar 19 '18 20:03 panama63119

OK... so you see firewalls but can't log into them, right?

The most common case for this is that the bootstrapping has failed. How are you updating the bootstrap file?

As jpeezus points out, maybe you can try to deploy it without any changes first and then start updating bootstrap files?

narayan-iyengar avatar Mar 19 '18 20:03 narayan-iyengar

OK I am restoring the original bootstrap file and will attempt again.

panama63119 avatar Mar 19 '18 20:03 panama63119

I restored the original bootstrap file and have redeployed the CloudFormation templates. All of them have reported create_complete. The PAGroup exists and it appears to be building the VPN connection for the subscriber VPC. However, the state machine for the subscriber is failing and reporting timeout.

    15  LambdaFunctionScheduled  FetchFromSubscriberQueue  Lambda | CloudWatch logs  3036  Mar 20, 2018 07:48:31.666 AM
    16  LambdaFunctionStarted  FetchFromSubscriberQueue  Lambda | CloudWatch logs  3064  Mar 20, 2018 07:48:31.694 AM
    17  LambdaFunctionSucceeded  FetchFromSubscriberQueue  Lambda | CloudWatch logs  13465  Mar 20, 2018 07:48:42.095 AM
    18  TaskStateExited  FetchFromSubscriberQueue  ---  13465  Mar 20, 2018 07:48:42.095 AM
    19  ChoiceStateEntered  ChoiceState  ---  13481  Mar 20, 2018 07:48:42.111 AM
        { "name": "ChoiceState", "input": null }
    20  ExecutionFailed  ---  13481  Mar 20, 2018 07:48:42.111 AM
        { "error": "States.Runtime", "cause": "Internal Error (b750782e-27f2-4c4c-a86e-e693ff664679)" }

panama63119 avatar Mar 20 '18 13:03 panama63119

Who is responsible for getting the “ConfigureSubscriberVpcVpn” action into the queue? That appears to be the next step, and my state machine does not appear to be getting that message from the Lambda fetch. It is timing out. I see from the Lambda documentation who starts the action: CloudTrailLambda, when it sees the subscriberVpc=yes and sends the Subscriber SNS the Action:CreateVpnConnection.

panama63119 avatar Mar 20 '18 13:03 panama63119

On the same topic, I've deployed this about 10 times with non-default CIDRs and it only worked once (the first time). What I was typically seeing was that a CheckVPN (sorry, I didn't document exactly) message was stuck in the SQS queue and, just like panama, the FWs and VPNs were built, but it never loaded the bootstrap. Not sure that it's related, but I finally just used the default CIDRs last night and everything came up fine. No stuck message in SQS, BUT both of the step functions reported errors.

cronq avatar Mar 20 '18 14:03 cronq

I will give that a try.

panama63119 avatar Mar 20 '18 15:03 panama63119

So I executed the templates with the default CIDRs and still cannot get beyond the subscriber CreateVpnConnection step. That step succeeds and passes the function back to Fetchfrom Queue. I assume the next message in the Queue that should be seen is the ConfigureSubscriberVpcVpn action.

I subscribed to both Transit and Subscriber SNS queues. I do not receive any other message beyond that CreateVpnConnection action. Who delivers the next message to the queue for the step function to act on the ChoiceState?

panama63119 avatar Mar 20 '18 17:03 panama63119

Have you checked the screenshot in AWS EC2 of the PA instances when they are booting, and verified that they are bootstrapping successfully? You can check the userdata for the instances, and that should point to an S3 bucket. That bucket has to have specific "folders," including software and license, even if nothing is in them. If they don't, bootstrap won't work, it won't load the bootstrap.xml, you won't be able to log in to the firewalls, and nothing will work.

I would verify that you can successfully log in to the firewalls, which indicates the bootstrap was successful and the password configured, before worrying about step functions and lambda code...

freimer avatar May 04 '18 14:05 freimer
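
A pre-deployment check for the two failure points raised in this thread (the bootstrap bucket layout and the admin phash in bootstrap.xml), as an added example that is not part of the thread or of the aws-transit-vpc project. Assumptions: the folder set `config`, `content`, `license`, `software` and the `config/init-cfg.txt` file come from the general VM-Series bootstrap package layout (the post above names only software and license), the phash is expected to be a crypt-style `$id$salt$hash` string, and all sample keys, XML and hash values are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed bootstrap package layout; the thread names "software" and "license".
REQUIRED_FOLDERS = ("config", "content", "license", "software")
REQUIRED_FILES = ("config/init-cfg.txt", "config/bootstrap.xml")


def check_bucket_layout(keys, prefix=""):
    """Return a list of problems found in an S3 key listing.

    `keys` is the list of object keys in the bootstrap bucket, e.g. the
    "Key" values from `aws s3api list-objects-v2`. An empty "folder" only
    exists in S3 as a zero-byte object whose key ends in "/", so a folder
    counts as present when any key starts with "<folder>/".
    """
    keys = set(keys)
    problems = []
    for folder in REQUIRED_FOLDERS:
        marker = f"{prefix}{folder}/"
        if not any(k.startswith(marker) for k in keys):
            problems.append(f"missing folder: {marker}")
    for name in REQUIRED_FILES:
        if f"{prefix}{name}" not in keys:
            problems.append(f"missing file: {prefix}{name}")
    return problems


def check_admin_phash(bootstrap_xml, user="admin"):
    """Return a list of problems with the user's <phash> in bootstrap.xml."""
    try:
        root = ET.fromstring(bootstrap_xml)
    except ET.ParseError as exc:
        return [f"bootstrap.xml is not well-formed XML: {exc}"]

    entry = None
    for candidate in root.iterfind("./mgt-config/users/entry"):
        if candidate.get("name") == user:
            entry = candidate
            break
    if entry is None:
        return [f"no mgt-config/users entry named {user!r}"]

    phash = (entry.findtext("phash") or "").strip()
    if not phash:
        return [f"{user}: <phash> is missing or empty"]
    if phash == "*":
        # "*" is what the CLI output quoted in this thread shows in place of
        # the hash; it is not a value that can authenticate anyone.
        return [f"{user}: <phash> is the masked '*' placeholder, not a hash"]
    parts = phash.split("$")
    if not (phash.startswith("$") and len(parts) >= 4 and all(parts[1:])):
        return [f"{user}: <phash> does not look like a crypt-style hash"]
    return []


# --- Constructed sample input (not taken from any real deployment) ---------
SAMPLE_KEYS_OK = [
    "config/init-cfg.txt", "config/bootstrap.xml",
    "content/", "license/", "software/",
]
SAMPLE_KEYS_BROKEN = ["config/bootstrap.xml", "content/"]

XML_TEMPLATE = (
    "<config><mgt-config><users><entry name='admin'>"
    "<phash>{phash}</phash>"
    "<permissions><role-based><superuser>yes</superuser></role-based></permissions>"
    "</entry></users></mgt-config></config>"
)
SAMPLE_XML_OK = XML_TEMPLATE.format(phash="$1$constructed$placeholderhashvalue")
SAMPLE_XML_MASKED = XML_TEMPLATE.format(phash="*")

if __name__ == "__main__":
    for label, keys, xml in (
        ("good package", SAMPLE_KEYS_OK, SAMPLE_XML_OK),
        ("broken package", SAMPLE_KEYS_BROKEN, SAMPLE_XML_MASKED),
    ):
        issues = check_bucket_layout(keys) + check_admin_phash(xml)
        print(label, "->", issues or "no problems found")
```

Running the same checks against the real bucket listing and bootstrap.xml before launching the stack separates a bootstrap packaging problem from a Step Functions or Lambda problem.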