Missing AWS IAM role on PA-VM instance resulting in HA failure

Created On 03/18/20 15:20 PM - Last Modified 04/06/20 17:25 PM


Symptom


Upon HA failover, the newly active firewall instance cannot pass traffic because its dataplane interfaces are down. On the AWS side, you will notice that the Elastic Network Interfaces (ENIs) did not transfer to the newly active firewall instance, even though the instance has Internet connectivity.
  • Review the plugin logs on the active firewall to verify the failure events:
>less mp-log pan_vm_plugin.log
2020-01-29 14:19:34.503 -0800 vm_ha_state_trans INFO: : AWS get_meta_data succeedeed
2020-01-29 14:19:34.647 -0800 vm_ha_state_trans INFO: : Local instance:i-04f41d74e42fa8d32 Remote instance:i-095c5a11b86c2ea5a
2020-01-29 14:19:34.648 -0800 vm_ha_state_trans INFO: : EC2 get interface info failed for instance-id:i-095c5a11b86c2ea5a
Unable to locate credential
  • The log snippet above shows that the API calls made by the VM-Series plugin to AWS EC2 failed because no valid credentials were available ("Unable to locate credential").


Environment


  • Platform: PA-VM
  • PAN-OS / Plugin Version: 8.1.5 / -
  • Deployment: AWS


Cause


  • The VM-Series instance lacks the access privileges (an IAM role) needed to make API calls to AWS EC2 to move the ENIs to the newly active device.


Resolution


  1. Create an IAM role under the path below and ensure it has the privileges the VM-Series plugin needs (shown in the article's screenshot, which is not reproduced here):
IAM > Roles > Create Role
[User-added image: IAM role creation]
  2. Attach the IAM role created above to the VM-Series instance:
EC2 > Instances > Click on instance > Action > Instance Settings > Attach/Replace IAM Role
[User-added image: attaching the IAM role to the instance]