I'm trying to register my Amazon Elastic Compute Cloud (Amazon EC2) instance as a managed instance with AWS Systems Manager. However, the instance fails to register and I receive a TCP timeout error message similar to the following:
"RequestError: send request failed caused by: Post https://ssm.RegionId.amazonaws.com/: dial tcp IP:443: i/o timeout"
Why does registration fail, and how do I troubleshoot this error?
Short description
The TCP timeout error indicates that one of the following issues is preventing the instance from registering:
- The instance is in a private subnet and uses the Systems Manager virtual private cloud (VPC) endpoint, but the instance points at a custom DNS server, so the endpoint's private DNS name doesn't resolve to the endpoint's private IP addresses.
- The instance is in a private subnet and doesn't have access to the internet or to the Systems Manager endpoints.
- The instance is in a public subnet, but the VPC security groups and network access control lists (network ACLs) aren't configured to allow outbound connections to the Systems Manager endpoints on port 443. Network ACLs are stateless, so they must also allow the inbound return traffic on ephemeral ports.
- The instance is behind a proxy, but SSM Agent isn't configured to communicate through the HTTP proxy, or the proxy configuration doesn't exclude the instance metadata service (169.254.169.254), so the agent can't reach it.
You can view the TCP timeout error in the SSM Agent log on your instance located at the following paths:
Linux and macOS
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log
Windows
%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
%PROGRAMDATA%\Amazon\SSM\Logs\errors.log
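The following script is added here as an example; it is not AWS code and is not part of the original article. Run from the instance, it checks each of the four causes above in turn: whether the Systems Manager hostname resolves to a VPC endpoint (private IP) or to the public endpoint, and whether the instance's DNS server and the Amazon-provided resolver agree; whether a TCP connection to port 443 completes; whether the instance metadata service is reachable and which proxy settings the agent would inherit; and how many timeout errors the agent log contains. It assumes a Linux instance, the Linux log path listed above, the Amazon-provided resolver at 169.254.169.253, and the systemd and snap override.conf locations AWS documents for SSM Agent proxy settings (adjust these for your distribution). The region is passed as the only argument.

```shell
#!/bin/sh
# ssm-netcheck.sh: trace the "dial tcp IP:443: i/o timeout" causes from the instance.
# Added example, not AWS code. Usage (on the instance, as root):  sh ssm-netcheck.sh us-east-1
# Assumes POSIX sh plus curl; dig and nc are used when present, with fallbacks.

SSM_LOG=/var/log/amazon/ssm/amazon-ssm-agent.log   # Linux log path from the article
AMAZON_RESOLVER=169.254.169.253                    # Amazon-provided DNS, reachable from any VPC instance
IMDS=169.254.169.254

# is_private_ipv4 IP -> exit 0 for an RFC 1918 address.
# The Systems Manager VPC endpoint answers from private IPs; the public endpoint from public ones.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_dns_answer ADDR -> "vpc-endpoint", "public" or "none"
classify_dns_answer() {
  if [ -z "$1" ]; then echo none
  elif is_private_ipv4 "$1"; then echo vpc-endpoint
  else echo public
  fi
}

# classify_log_line LINE -> bucket for a RequestError line from the agent log
#   i/o timeout        -> tcp-timeout (nothing answered on 443: routing, SG, NACL or missing endpoint)
#   no such host       -> dns         (the name did not resolve at all)
#   connection refused -> refused     (something answered but refused 443, e.g. a proxy or wrong target)
classify_log_line() {
  case "$1" in
    *"i/o timeout"*)        echo tcp-timeout ;;
    *"no such host"*)       echo dns ;;
    *"connection refused"*) echo refused ;;
    *)                      echo other ;;
  esac
}

# count_timeouts FILE -> number of "dial tcp ...:443: i/o timeout" lines (0 if unreadable)
count_timeouts() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c 'dial tcp .*:443: i/o timeout' "$1" || true
}

# resolve HOST [SERVER] -> first A record, empty if none
resolve() {
  if command -v dig >/dev/null 2>&1; then
    if [ -n "${2:-}" ]; then dig +short +time=2 +tries=1 "@$2" "$1" A
    else dig +short +time=2 +tries=1 "$1" A
    fi | grep -m1 -E '^[0-9.]+$' || true
  else
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'   # system resolver only
  fi
}

# tcp_check HOST PORT TIMEOUT -> exit 0 if the TCP handshake completes
tcp_check() {
  if command -v nc >/dev/null 2>&1; then nc -z -w "$3" "$1" "$2" >/dev/null 2>&1
  else timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

main() {
  host="ssm.$1.amazonaws.com"
  echo "== 1. DNS for $host"
  sys=$(resolve "$host"); amz=$(resolve "$host" "$AMAZON_RESOLVER")
  echo "   instance resolver: ${sys:-<none>} ($(classify_dns_answer "$sys"))"
  echo "   Amazon resolver:   ${amz:-<none>} ($(classify_dns_answer "$amz"))"
  if [ "$(classify_dns_answer "$amz")" = vpc-endpoint ] && [ "$(classify_dns_answer "$sys")" != vpc-endpoint ]; then
    echo "!! A VPC endpoint exists but the instance's DNS server does not return it (custom DNS case)"
  fi
  echo "== 2. TCP 443 to $host"
  if tcp_check "$host" 443 5; then echo "   ok"
  else echo "!! no answer: check the route table (IGW/NAT or endpoint), security group egress, NACL outbound 443 and inbound ephemeral ports"
  fi
  echo "== 3. IMDS and proxy"
  # IMDSv2 token request; succeeds whether IMDSv2 is optional or required
  if curl -s -m 2 -X PUT "http://$IMDS/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30" >/dev/null
  then echo "   IMDS reachable"
  else echo "!! IMDS unreachable: with a proxy, $IMDS must be listed in no_proxy"
  fi
  env | grep -i '_proxy=' || echo "   (no *_proxy variables in this shell)"
  for f in /etc/systemd/system/amazon-ssm-agent.service.d/override.conf \
           /etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf; do
    [ -r "$f" ] && { echo "   -- $f"; grep -i proxy "$f"; }
  done
  echo "== 4. Agent log: $(count_timeouts "$SSM_LOG") timeout line(s) in $SSM_LOG"
  grep -h RequestError "$SSM_LOG" 2>/dev/null | tail -n 3 |
    while IFS= read -r line; do echo "   [$(classify_log_line "$line")] $line"; done
}

if [ $# -ge 1 ]; then main "$1"; fi
```

Sections 1 to 4 correspond to the four causes in the list above. If the Amazon resolver returns a private address but the instance's own resolver does not, the instance is using a custom DNS server that is not forwarding to the VPC's Amazon-provided DNS; if both return a public address and section 2 times out, the instance has no path to the public endpoint (no internet gateway or NAT gateway, or blocked by the security group or network ACL). Note that the `root` requirement only applies to reading the agent log; the network checks run as any user.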
Resolution
Instance in private subnet using Systems Manager endpoint and a custom DNS
Interface VPC endpoints with private DNS enabled resolve only through the Amazon-provided DNS server for the VPC (Amazon Route 53 Resolver). If the instance points at a custom DNS server that doesn't forward to it, ssm.RegionId.amazonaws.com resolves to the public Systems Manager endpoint, which an instance in a private subnet can't reach, and the connection times out. To use your own DNS server, try one of the following:
Instance can't connect to the Systems Manager endpoints
-or-
VPC security groups and network ACL aren't configured to allow outbound connections on port 443
-or-
The instance is behind a proxy and can't connect to the instance metadata service
For troubleshooting steps, see Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?
Related information
Create a Virtual Private Cloud endpoint