Hello.
I checked the health dashboard here and there were no failures.
I also confirmed that my AWS account can connect with AP-SouthEast-1.
https://health.aws.amazon.com/health/status
Please make sure that you meet the Session Manager requirements listed in the following document.
Probably no problem with OS or SSM Agent installation.
I would need to verify that EC2 is able to communicate with Systems Manager using NAT Gateway, VPC endpoints, etc.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html
Suddenly lost connection with error message as below:
Connection error root-09da060d1b45e66a6
Your session has been terminated for the following reasons: ----------ERROR------- Setting up data channel with id root-09da060d1b45e66a6 failed: failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: unexpected response from the service Server authentication failed: <UnauthorizedRequest><message>Forbidden.</message></UnauthorizedRequest>
Thanks for your answer. I actually referred to the troubleshooting document you shared and checked around and didn't find anything that could cause the issue. As I mentioned, I used the same Terraform script IN OTHER TWO REGIONS and it worked well. Maybe you can manually create an EC2 in ap-southeast-1, set up the IAM role necessary and try it?
My EC2 is set with outbound rule of allowing anything:

```
#all outbound
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
```
EC2 is manually created and connected with the IAM policy you are using (AmazonSSMManagedInstanceCore). By the way, is EC2 running on a private subnet? If you are running private, you will need to configure a NAT Gateway or VPC endpoint.
Thanks. Are you able to connect through Session Manager in ap-southeast-1 region? I can connect in other regions. I checked the documentation and I didn't see that NAT or VPC endpoint is needed. The documentation only mentioned that connectivity to endpoints is needed, which I have ensured through my outbound SG rule mentioned earlier. I have the same setup without NAT and VPC endpoint in the other two regions (ap-southeast-2 and us-west-1) and there was no issue to connect to the EC2 instances created in those regions.
Yes, I was able to connect to the EC2 started in ap-southeast-1 with Session Manager. A NAT Gateway or VPC endpoint is required when the EC2 is running on a private subnet. https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints I do not know whether the EC2 you are running is public or private, so you will have to do the checking yourself.
Three endpoints added and it is still not working after 10 minutes.
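The connectivity check discussed in this thread (can the instance reach Systems Manager through a NAT Gateway or VPC endpoints) can be run from the instance itself. The following is an added example, not code from the thread or from AWS; the function names are hypothetical, and the host names assume the `<service>.<region>.amazonaws.com` pattern for the `ssm`, `ssmmessages` and `ec2messages` endpoints.

```python
import ipaddress
import socket
import sys

# Assumption: the three HTTPS endpoints Session Manager needs in a region.
SERVICES = ("ssm", "ssmmessages", "ec2messages")

def endpoint_hosts(region):
    return [f"{svc}.{region}.amazonaws.com" for svc in SERVICES]

def classify(addresses):
    """'private' suggests a VPC interface endpoint with private DNS;
    'public' means traffic must leave via an internet gateway or NAT."""
    if not addresses:
        return "unresolved"
    flags = [ipaddress.ip_address(a).is_private for a in addresses]
    if all(flags):
        return "private"
    return "mixed" if any(flags) else "public"

def _resolve(host):
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def _connect(host, port, timeout):
    socket.create_connection((host, port), timeout=timeout).close()

def check(host, resolve=_resolve, connect=_connect, timeout=3.0):
    """Resolve one endpoint and attempt a TCP connection on port 443."""
    try:
        addresses = resolve(host)
    except OSError:  # DNS failure (socket.gaierror is an OSError)
        return {"host": host, "addresses": [], "path": "unresolved", "tcp443": False}
    try:
        connect(host, 443, timeout)
        reachable = True
    except OSError:  # refused, timed out, or no route
        reachable = False
    return {"host": host, "addresses": addresses,
            "path": classify(addresses), "tcp443": reachable}

if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "ap-southeast-1"
    for host in endpoint_hosts(region):
        r = check(host)
        print(f"{r['host']}: path={r['path']} tcp443={r['tcp443']} {r['addresses']}")
```

A successful TCP connection only shows that a network path exists; it does not test the IAM permissions used when the session's data channel is created.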