Skip to main content

Troubleshooting

Video for End Users

If you are an application developer, a service owner or an end-user of DiscrimiNAT tasked with getting new domain names working, this <5m video is for you and covers the most common issue along with solutions.

Search for warning messages from DiscrimiNAT

The firewall may have tried to warn you about an issue it can foresee. Search for {$.outcome = "warning"} in CloudWatch -> Log Groups -> DiscrimiNAT -> config log stream. You may find a descriptive clue in the resultant log lines from the last few minutes/hours.

Elastic IPs not attached to DiscrimiNAT VMs

If a Public IP is not found attached to a DiscrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value.) One of such Elastic IPs will be attempted to be associated with itself then.

An EC2 VPC Endpoint is needed in DiscrimiNAT's subnets for this mechanism to work though – since making the association needs access to the EC2 API. See the Terraform or CloudFormation examples.

The IAM permissions needed to do this are already a part of our Terraform modules and CloudFormation templates.

Logs not appearing in CloudWatch

It could be one of these three potential issues:

  1. DiscrimiNAT VMs do not have an Elastic IP associated.

  2. There is a logs VPC endpoint in the VPC but not in the subnets where DiscrimiNAT is deployed.

  3. From v2.5.0 onwards of DiscrimiNAT, the CloudWatch log group name changed from discrimiNAT to DiscrimiNAT. While we're working on getting the permissions updated on the AWS Marketplace deployment templates, please ensure the IAM Policy for DiscrimiNAT has the right capitalisation for DiscrimiNAT log group.

Clients' network traffic sometimes allowed, sometimes not.

Resolution

Please upgrade the instance size from t3.small to c6a.large or c6i.large. This is done via the instance_size Terraform variable.

The t3.small instance size only suffices for light loads and a few clients. The c6 series offers the best CPU to egress bandwidth and price ratios for the kind of work involved.

Use of other instance size classes, such as m and r, is not recommended because the DiscrimiNAT is not a memory-intensive application, therefore making machines with more memory than needed not a cost-optimal choice.

see-thru mode not working

If the config logs do not show a log line picking up a see-thru rule, you may have a problem with the annotation's implied syntax.

Resolution

The see-thru mode requires a Security Group Outbound Rule (or the see_thru default preference) to have a valid calendar date. For example, discriminat:see-thru:2022-02-29 is NOT a valid date (because 2022 was not a leap year) but discriminat:see-thru:2022-02-28 is.