How do I resolve an internal error I receive when I activate my Storage Gateway?
I want to activate my gateway on AWS Storage Gateway, but I receive an internal error.
Resolution
Note:
- Make sure that you use the latest Amazon Machine Image (AMI) version. If you don't use the latest AMI, then you receive an internal error.
- Make sure that you choose the correct gateway type. The .ova files and AMIs for the gateway types are different and aren't interchangeable.
Public endpoint
If you use a public endpoint to activate your gateway, then take the following actions to resolve the issue.
Verify that you opened the required ports
For gateways that you deployed on-premises, check that the ports are open on your local firewall. For gateways that you deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance, check that the ports are open on the instance's security group. To confirm that the ports are open, run the ncport command from the Command Prompt menu of the Storage Gateway virtual machine (VM) local console.
The following example ncport commands test the connection to the required endpoints on port 443:
ncport -d d4kdq0yaxexbo.cloudfront.net -p 443
ncport -d storagegateway.region.amazonaws.com -p 443
ncport -d dp-1.storagegateway.region.amazonaws.com -p 443
ncport -d proxy-app.storagegateway.region.amazonaws.com -p 443
ncport -d client-cp.storagegateway.region.amazonaws.com -p 443
ncport -d anon-cp.storagegateway.region.amazonaws.com -p 443
Note: In the preceding commands, replace region with the AWS Region where you want to activate the gateway.
To confirm that the gateway can reach the endpoint, access the gateway's local VM console or use SSH to connect to the gateway's instance. Then, run a network connectivity test. Confirm that the test returns [PASSED] for all the endpoints.
Note: The default username for the gateway local console is admin, and the default password is password.
Confirm that firewall security doesn't modify the packets that are sent from the gateway to the public endpoints
The firewall security might be SSL inspection, deep packet inspection, or another type of firewall security. If the SSL certificate is altered from what the activation endpoint expects, then the SSL handshake fails.
To confirm that an SSL inspection isn't in progress, run the sslcheck command on the main activation endpoint, anon-cp.storagegateway.region.amazonaws.com. Run the command on port 443 from the Command Prompt menu of the VM local console:
sslcheck -d anon-cp.storagegateway.region.amazonaws.com -p 443
Note: In the preceding command, replace region with the Region where you want to activate the gateway.
If an SSL inspection isn't in progress, then the command returns a response that's similar to the following example:
sslcheck -d anon-cp.storagegateway.us-east-1.amazonaws.com -p 443
subject=/CN=anon-cp.storagegateway.us-east-1.amazonaws.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
If an SSL inspection is in progress, then the response shows an altered certificate that's similar to the following example:
sslcheck -d anon-cp.storagegateway.us-east-1.amazonaws.com -p 443
subject=CN=anon-cp.storagegateway.us-east-1.amazonaws.com
issuer:/C=US/O=Company/CN=Admin
The activation endpoint accepts SSL handshakes only when it recognizes the SSL certificate. The gateway's outbound traffic to the endpoints must be exempt from inspections that the firewalls in your network perform.
Confirm that your gateway correctly synchronizes time
Excessive time skews might cause SSL handshake errors. Use the gateway's local VM console to check your gateway's time synchronization. The time skew can't be larger than 60 seconds. To synchronize the gateway VM time with the NTP time, the gateway VM needs access to the following NTP servers:
0.amazon.pool.ntp.org
1.amazon.pool.ntp.org
2.amazon.pool.ntp.org
3.amazon.pool.ntp.org
Note: The System Time Management option isn't available on gateways that are hosted on an EC2 instance.
For gateways that are hosted on an EC2 instance, check the gateway health logs for a GatewayClockOutOfSync error. If you see this error, then contact AWS Support.
Amazon VPC endpoint
If you use an Amazon Virtual Private Cloud (Amazon VPC) endpoint to activate your gateway, then take the following actions to resolve the issue.
Verify that you opened the required ports
For gateways that you deploy on-premises, verify that you opened the required ports in your local firewall. For gateways that you deploy in Amazon EC2, verify that you opened them in the instance's security group. The ports to connect a gateway to a Storage Gateway VPC endpoint differ from the ports to connect a gateway to public endpoints. You must use ports TCP 443, TCP 1026, TCP 1027, TCP 1028, TCP 1031, and TCP 2222 to connect to a Storage Gateway VPC endpoint.
Also, check the security group that's attached to your Storage Gateway VPC endpoint. The default security group might not allow the required ports. Create a new security group that allows traffic from your gateway's IP address range over the required ports. Then, attach the new security group to the VPC endpoint.
Note: To verify the security group that's attached to the VPC endpoint, open the Amazon VPC console, and then choose the Security Groups tab.
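As an added example (not from the AWS article), the security group check described above as code: it evaluates the IpPermissions structure that the EC2 DescribeSecurityGroups API returns against the ports listed above for a given gateway IP address. The CIDR ranges and the gateway address are constructed sample values.

```python
"""Added example (not from the AWS article): checks whether a security group's
inbound rules cover the ports a gateway needs to reach a Storage Gateway VPC endpoint."""
import ipaddress

# Ports from the article for gateway -> Storage Gateway VPC endpoint traffic.
REQUIRED_VPCE_PORTS = (443, 1026, 1027, 1028, 1031, 2222)

def rule_allows(rule, port, source_ip):
    """True when one EC2 IpPermissions entry admits TCP `port` from `source_ip`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

def missing_ports(permissions, source_ip, ports=REQUIRED_VPCE_PORTS):
    """Return the required ports that no inbound rule allows from source_ip."""
    return [p for p in ports if not any(rule_allows(r, p, source_ip) for r in permissions)]

# Constructed samples in the shape of describe-security-groups' IpPermissions.
DEFAULT_LIKE_SG = [  # only 443 open: the typical "default group" failure
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
FIXED_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 1026, "ToPort": 1028, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 1031, "ToPort": 1031, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    gw = "10.0.5.20"  # constructed gateway IP inside the allowed range
    print("default-like SG missing:", missing_ports(DEFAULT_LIKE_SG, gw))
    print("fixed SG missing:", missing_ports(FIXED_SG, gw))
```

Feed it the IpPermissions list of the group attached to the VPC endpoint (for example from `aws ec2 describe-security-groups`) and the gateway's address; an empty result means every required port is reachable from that address.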
To confirm that the required ports are open, run ncport commands on the Storage Gateway VPC endpoint. Run the command from the Command Prompt menu of the Storage Gateway VM local console. Perform the tests on the first DNS name that doesn't specify an Availability Zone.
The following example ncport commands test the required port connections with the DNS name vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.us-east-1.vpce.amazonaws.com:
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 443
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1026
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1027
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1028
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1031
ncport -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 2222
Confirm that the gateway can reach the VPC endpoint on the required ports. Access the gateway's local VM console or use SSH to connect to the gateway's instance. Then, run a network connectivity test. Confirm that the test returns [PASSED] for all the endpoints.
Note: The default username for the gateway local console is admin, and the default password is password.
Confirm that firewall security doesn't modify packets that are sent from the gateway to your Storage Gateway VPC endpoint
The firewall security might be SSL inspection, deep packet inspection, or another type of firewall security. When the SSL certificate is altered from what the activation endpoint expects, the SSL handshake fails.
To confirm that an SSL inspection isn't in progress, run the following sslcheck commands against your Storage Gateway VPC endpoint. You must run the commands from a machine that's in the same subnet as the gateway. Run the command for each required port:
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 443
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1026
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1027
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1028
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 1031
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.region.vpce.amazonaws.com -p 2222
If an SSL inspection isn't in progress, then the command returns a response that's similar to the following example:
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.us-east-1.vpce.amazonaws.com -p 1027
subject=/CN=storagegateway.us-east-1.amazonaws.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
If an SSL inspection is in progress, then the response shows an altered certificate chain that's similar to the following example:
sslcheck -d vpce-1234567e1c24a1fe9-62qntt8k.storagegateway.us-east-1.vpce.amazonaws.com -p
subject=CN=anon-cp.storagegateway.us-east-1.amazonaws.com
issuer:/C=US/O=Company/CN=Admin
The activation endpoint accepts SSL handshakes only when the endpoint recognizes the SSL certificate. The gateway's outbound traffic to your VPC endpoint over the required ports must be exempt from inspections that your network firewalls perform.
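The following added example (not the article's or AWS's code) serves both the public endpoint and the VPC endpoint sections above: it builds the host/port list the gateway must reach and classifies sslcheck output by certificate issuer, which is the signal the two example responses differ on. The sample outputs are the article's own; the live probe uses Python's ssl module instead of sslcheck and needs network access.

```python
"""Added example (not from the AWS article): activation-endpoint reachability list
and a TLS interception check that mirrors what the gateway's sslcheck reports."""
import socket
import ssl

# Hosts/ports from the article; {region} is substituted at call time.
PUBLIC_HOSTS = [
    "d4kdq0yaxexbo.cloudfront.net",
    "storagegateway.{region}.amazonaws.com",
    "dp-1.storagegateway.{region}.amazonaws.com",
    "proxy-app.storagegateway.{region}.amazonaws.com",
    "client-cp.storagegateway.{region}.amazonaws.com",
    "anon-cp.storagegateway.{region}.amazonaws.com",
]
VPCE_PORTS = [443, 1026, 1027, 1028, 1031, 2222]

def activation_targets(region, vpce_dns=None):
    """(host, port) pairs the gateway must reach: VPC endpoint ports or public 443."""
    if vpce_dns:
        return [(vpce_dns, p) for p in VPCE_PORTS]
    return [(h.format(region=region), 443) for h in PUBLIC_HOSTS]

def parse_sslcheck(output):
    """Pull the subject and issuer lines out of sslcheck output."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        for key in ("subject", "issuer"):
            if line.startswith(key):
                fields[key] = line[len(key):].lstrip("=: ")
    return fields

def is_intercepted(output):
    """True unless the issuer is an Amazon CA; a middlebox re-signs with its own CA."""
    issuer = parse_sslcheck(output).get("issuer", "")
    parts = [p.strip() for p in issuer.replace("/", ",").split(",") if p.strip()]
    return "O=Amazon" not in parts

def probe_issuer(host, port, timeout=5):
    """Live check (needs network): issuer organizationName of the served cert, or
    None when verification fails, which itself points to a re-signed certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
        return issuer.get("organizationName")
    except ssl.SSLCertVerificationError:
        return None
```

Run `probe_issuer` over `activation_targets(...)` from a host in the gateway's subnet; any result other than "Amazon" on a target means the traffic still passes through an inspecting device and needs an exemption.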
Confirm that your gateway correctly synchronizes time
Excessive time skews might cause SSL handshake errors. Use the gateway's local VM console to check your gateway's time synchronization. The time skew can't be larger than 60 seconds. To synchronize the gateway VM time with the NTP time, the gateway VM needs access to the following NTP servers:
0.amazon.pool.ntp.org
1.amazon.pool.ntp.org
2.amazon.pool.ntp.org
3.amazon.pool.ntp.org
Note: The System Time Management option isn't available on gateways that are hosted on an EC2 instance.
For gateways that are hosted on an EC2 instance, check the gateway health logs for a GatewayClockOutOfSync error. If you see this error, then contact AWS Support.
Check whether you configured an HTTP proxy on Amazon EC2
Before activation, check whether the on-premises gateway VM is configured to use an HTTP proxy that runs on Amazon EC2, such as a Squid proxy on port 3128. The security group that's attached to the HTTP proxy on Amazon EC2 must have an inbound rule that allows Squid proxy traffic on port 3128 from the gateway VM's IP address. The security group that's attached to the Storage Gateway VPC endpoint must also have inbound rules that allow traffic on ports 1026-1028, 1031, 2222, and 443 from the IP address of the HTTP proxy on Amazon EC2.
Public endpoint with a Storage Gateway VPC endpoint in the same VPC
Confirm that the Enable Private DNS Name setting is turned off on your Storage Gateway VPC endpoint. If this setting is turned on, then you can't activate gateways from the VPC to the public endpoint.
To turn off the private DNS name option, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoints.
- Select your Storage Gateway VPC endpoint.
- Choose Actions, and then choose Manage Private DNS Names.
- For Enable Private DNS Name, clear Enable for this Endpoint.
- Choose Modify Private DNS Names to save the setting.