Troubleshooting

Video for End Users

If you are an application developer, a service owner or an end-user of DiscrimiNAT tasked with getting new domain names working, this video (under five minutes) is for you. It covers the most common issue along with its solutions.

Search for warning messages from DiscrimiNAT

The firewall may have tried to warn you about an issue it can foresee. Use the following query in Logs Explorer (replacing the placeholder with the name of a project where DiscrimiNAT is deployed):

logName="projects/<google-cloud project name>/logs/discriminat-config"
jsonPayload.outcome="warning"

You may find a descriptive clue in the resultant log lines from the last few minutes/hours.

There are no discriminat-config logs at all.

Resolution

  1. Check if the service account for DiscrimiNAT instances is enabled. It is the default Compute Engine account if DiscrimiNAT is deployed through the Marketplace directly. If deployed through Terraform, the default service account is the same unless overridden with the custom_service_account_email variable.
  2. Check if the Cloud Logging API is enabled.

Clients' network traffic sometimes allowed, sometimes not.

Resolution

Please upgrade the machine type from e2-small to n2-highcpu-2. This is done via the machine_type Terraform variable.

The e2-small machine type only suffices for light loads and a few clients. The n2-highcpu-2 offers the best ratio of CPU to egress bandwidth and price for the kind of work involved.

Use of n2-standard-* machine types is not recommended: DiscrimiNAT is not a memory-intensive application, so machines with more memory than needed are not a cost-optimal choice.

There are no discriminat-flow logs from certain clients.

Certain, or all, clients may not even be able to access the Internet in this case. Requests would be timing out instead of being quickly terminated with a reset.

Resolution

  1. Check if the subnet, where the affected clients are, is allowed for ingress in a firewall rule named "discriminat-<custom_deployment_id>-from-clients".

If deployed via our Terraform module, additional subnets can be added to this firewall rule through the client_cidrs variable.

see-thru mode not working

If the discriminat-config logs do not show a log line picking up a see-thru rule, you may have a problem with the annotation's implied syntax.

Resolution

The see-thru mode requires a Firewall Rule (or the see_thru default preference) to have a valid calendar date. For example, discriminat:see-thru:2022-02-29 is NOT a valid date (because 2022 was not a leap year) but discriminat:see-thru:2022-02-28 is.
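To check an annotation before it goes into a Firewall Rule, the following added example (not part of DiscrimiNAT or this page) validates the documented discriminat:see-thru:YYYY-MM-DD shape using Python's calendar-aware date type, so that 2022-02-29 is rejected and 2022-02-28 accepted. It assumes only that exact shape and nothing about how the firewall itself parses the annotation.

```python
import re
from datetime import date

# Constructed checker mirroring the rule stated on this page: the value after
# "discriminat:see-thru:" must be a real calendar date. The real DiscrimiNAT
# parser may be stricter or accept other forms; this reproduces only the
# documented shape.
SEE_THRU_RE = re.compile(r"^discriminat:see-thru:(\d{4})-(\d{2})-(\d{2})$")


def check_see_thru(annotation: str):
    """Return (valid, reason) for a discriminat:see-thru:YYYY-MM-DD string."""
    m = SEE_THRU_RE.match(annotation.strip())
    if not m:
        return False, "does not match discriminat:see-thru:YYYY-MM-DD"
    year, month, day = (int(g) for g in m.groups())
    try:
        when = date(year, month, day)  # rejects 2022-02-29, accepts 2024-02-29
    except ValueError as exc:
        return False, f"not a valid calendar date ({exc})"
    return True, when.isoformat()


# Constructed sample annotations, including the two examples from the page.
SAMPLES = [
    "discriminat:see-thru:2022-02-29",  # 2022 was not a leap year
    "discriminat:see-thru:2022-02-28",
    "discriminat:see-thru:2024-02-29",  # 2024 was a leap year
    "discriminat:see-thru:2022-13-01",  # there is no month 13
    "discriminat:see-thru:22-02-28",    # year must be four digits
    "discriminat:see_thru:2022-02-28",  # wrong separator in the keyword
]


def report(samples=SAMPLES):
    """Map each annotation to its (valid, reason) verdict."""
    return {s: check_see_thru(s) for s in samples}


if __name__ == "__main__":
    for ann, (ok, why) in report().items():
        print(f"{'OK ' if ok else 'BAD'} {ann}: {why}")
```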

Service Projects' network traffic not going through

If the discriminat-config logs do not show log lines picking up VM Instances' IPs or other managed services' subnets from the Service Projects, you may have a problem with how the service account was configured.

Resolution

For Service Projects to work through the DiscrimiNAT, ensure that:

  1. DiscrimiNAT is running with a custom service account. This is overridden with the custom_service_account_email variable in Terraform.
  2. The Role to be associated with that service account is defined at the Organisation level in your Google Cloud and NOT at the Project level.
  3. The IAM binding of the service account to that Role should be defined at the Folder† level (or the Organisation level) and NOT at the Project level.

† The chosen Folder should contain the Host project and all Service projects either directly or through subfolders.

For more details on the service account and the Role required, please see the Service Account page.