-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error occurred when starting amazon-ssm-agent: Failed to fetch region. Data from vault is empty #48
Comments
I'm struggling with this too. The same AMI in a different VPC doesn't seem to be effected. I haven't the fuzziest idea why as everything else in both VPCs is fine. |
What i found initialy was that the Image which i created was on one VPC but based on that image istarted new machine in different VPC. |
That's basically what happened with me. We built an image in our dev VPC
and promoted it to our staging VPC where it's route table no longer made
sense. (dev is 10.4.x.x and staging is 10.40.x.x). Changing the route to
the right subnet fixed everything.
I feel like this used to work on the pre-Server2016 base AMIs. Perhaps this
is part of the new EC2Launch configs?
…On May 4, 2017 5:46 PM, "Rati Dzidziguri" ***@***.***> wrote:
What i found initialy was that the Image which i created was on one VPC
but based on that image istarted new machine in different VPC.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#48 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABfi-3t3Fubgjh8SPjhU-c4KgOgS2aIXks5r2nF_gaJpZM4NL73L>
.
|
No question about it, this is a bug with SSMAgent on windows. I have a system that relies on user data for configuration details and the application is unable to start without this config. When i create an AMI of an instance in say AZ us-west-2a, and attempt to use it in an autoscale group where us-west-2b and us-west-2c are also possible AZs, only instances that scale out in us-west-2a will work. AZ b and c will fail with the errors that started this thread. Splunking through the ec2launch logs, i can see it binding 169.254.169.254 to the subnet associated with AZ a. The binding shows success, and since it doesn't exist, it won't ever be reachable. |
Thank you for posting here. Our team is investigating this issue and will provide you with a fix or ETA. |
Just as a follow up to my resolution above, we now run Another part of the puzzle for us was that because we use autologon to get a user session on these instances, |
@liath Can you elaborate what kind of route table changes you needed to do. |
@yogeshdengle Copying the routing table from a working instance in the same VPC should fix things but like I said in my last comment, running |
UPDATE - After doing some tests and viewing the logs on the instance, we can see that InitializeInstance.ps1 does run on boot, regardless of if it is from Amazon AMI or one that you created. InitializeInstance.ps1 does all of the work in Correct-Routes.ps1, so there is no need to duplicate. What is strange is that you can see the routes being updated to the wrong gateway in the log, so when you access the instance for the first time (via RDP) and run netstat -rn, they point to the gateway for the subnet that the AMI was baked from (the source instance). Both InitializeInstance.ps1 (which ran first) and Correct-Routes.ps1 (which ran second) added the wrong routes to the routing table on the instance. Just some history:
For example, the subnet of the source instance (AMI) is 10.0.20.0, but the subnet of the launched instance is 10.0.12.0. Here are the log entries: And here are the log entries after connecting to the instance via RDP and manually running Correct-Routes.ps1: Will continue testing and figuring this out and report back. |
The behavior described by NJITman is expected behavior on current EC2Launch. EC2Lauch is executed at first launch and will not be executed on further instance start unless explicitly schedule it. This means explicit routes to meta-data and KMS servers are not updated between instance start/stop. If you create an image from an instance without re-schedule EC2Launch, EC2Launch will not be executed on launched instances from the image. It means launched instances may not have correct route to meta-data or KMS servers. To prevent this, you should sysprep the instance or re-schedule EC2Launch to execute it at next launch on the instance by executing '.\InitializeInstance.ps1 -Schedule' before creating an image. See our public document for more information about EC2Launch: |
Please reopen this issue if you have any further questions. |
Recently i initiated new EC2 machine which had some issues starting SSM agent it is windows server 2016 machine. and whenever i try to start iSSM service it fails i looked inside logs and what I see there is. the following errors.
2017-04-28 20:24:14 ERROR [Execute @ agent_windows.go.169] Failed to start agent. Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:24:51 ERROR [NewCoreManager @ coremanager.go.63] error fetching the region, Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:24:51 ERROR [start @ agent.go.61] error occured when starting core manager: Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:24:51 ERROR [Execute @ agent_windows.go.169] Failed to start agent. Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:25:28 ERROR [NewCoreManager @ coremanager.go.63] error fetching the region, Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:25:28 ERROR [start @ agent.go.61] error occured when starting core manager: Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:25:28 ERROR [Execute @ agent_windows.go.169] Failed to start agent. Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:26:05 ERROR [NewCoreManager @ coremanager.go.63] error fetching the region, Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:26:05 ERROR [start @ agent.go.61] error occured when starting core manager: Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) 2017-04-28 20:26:05 ERROR [Execute @ agent_windows.go.169] Failed to start agent. Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
instance information is not displayed on desktop as well.
I Tried to reinstall agent but got the same error. so there might be something wrong with it.
The text was updated successfully, but these errors were encountered: