Why am I receiving a "Failed to authenticate with service" error in my Application Migration Service replication server?

Short description

After booting the replication server, it must be able to reach the following Regional AWS endpoints:

• Application Migration Service endpoint
• Amazon Elastic Compute Cloud (Amazon EC2) endpoint
• Amazon Simple Storage Service (Amazon S3) endpoint

If communication to any of these endpoints fails, you see the error message "Failed to authenticate with service" during initial data replication.

For more information, see Communication between the staging area subnet and AWS Application Migration Service over port 443.

Resolution

To begin troubleshooting this issue, view the terminated replication server's system log output. Using the log data, determine which of the preceding endpoints the server is failing to communicate with. To do this, use the following steps:

1.    Open the EC2 console.

2.    Select the terminated replication instance (the Application Migration Service replication server) on the EC2 dashboard.

3.    Then choose Actions, Monitor and troubleshoot, Get system log.

4.    Analyze the system log for connection attempts to S3 with connectivity errors.

5.    If S3 connectivity is working, analyze the log further for Unable to reach MGN or Unable to reach EC2 errors.

6.    If the terminated replication server isn't available, then create or use an EC2 instance. Make sure that the instance uses the same settings (virtual private cloud (VPC), subnet, security groups) as the replication server.

7.    Perform network connectivity tests using a utility such as telnet. You can use a tool other than telnet, if needed. The following are example commands for testing with telnet. In the following examples, adjust the endpoints for your AWS Region to make sure that TCP communication is working.

telnet mgn.<region>.amazonaws.com 443

telnet ec2.<region>.amazonaws.com 443

telnet s3.<region>.amazonaws.com 443

8.    If any of the tests are failing, then do the following:

• Make sure that your security groups, network access control list, and route table allow access to the endpoints through TCP port 443.
• For VPC interface endpoints for Amazon EC2 or Application Migration Service: Make sure that the security group attached to the interface endpoints allows inbound TCP port 443 access from your staging area subnet.
• For S3 access in subnets with no internet access: Make sure that you use an S3 gateway endpoint. The replication server can't utilize an S3 VPC interface endpoint because the S3 links it accesses aren't adjusted with your VPC endpoint interface ID.
• For custom DHCP option sets for DNS resolution in the subnet: Make sure that the DNS servers with custom DHCP option sets can resolve the endpoints listed in the preceding Short description.
• If you're routing traffic through a firewall: Make sure that the firewall isn't blocking traffic from the replication servers to the endpoints.
• If you're using an internet gateway for internet access: Make sure you selected Create public IP in the replication settings. The replication server must have a public IP address to communicate with the endpoints.