Troubleshooting
Video for End Users
If you are an application developer, a service owner or an end user of DiscrimiNAT tasked with getting new domain names working, this short video (under five minutes) is for you. It covers the most common issue along with its solutions.
Search for warning messages from DiscrimiNAT
The firewall may already have warned you about an issue it can foresee. Use the following query in Logs Explorer, replacing <google-cloud project name> with the project where DiscrimiNAT is deployed:
logName="projects/<google-cloud project name>/logs/discriminat-config"
jsonPayload.outcome="warning"
The resulting log lines from the last few minutes or hours often contain a descriptive clue to the problem.
There are no discriminat-config logs at all.
Resolution
- Check that the service account used by the DiscrimiNAT instances is enabled. If DiscrimiNAT is deployed directly from the Marketplace, this is the default Compute Engine service account. If deployed through Terraform, it is also the default Compute Engine service account unless overridden with the custom_service_account_email variable.
- Check that the Cloud Logging API is enabled in the project.
Clients' network traffic is sometimes allowed, sometimes not.
Resolution
Upgrade the machine type from e2-small to n2-highcpu-2. This is done via the machine_type Terraform variable.
The e2-small machine type suffices only for light loads and a few clients; when it is overloaded, some client connections succeed while others fail. The n2-highcpu-2 offers the best ratio of CPU to egress bandwidth and price for the kind of work involved.
The n2-standard-* machine types are not recommended: DiscrimiNAT is not a memory-intensive application, so paying for more memory than it needs is not cost-optimal.
There are no discriminat-flow logs from certain clients.
In this case certain, or even all, clients may be unable to reach the Internet at all. Their requests time out instead of being quickly terminated with a reset, which indicates that the traffic is not reaching DiscrimiNAT in the first place.
Resolution
- Check that the subnet where the affected clients are located is allowed for ingress in the firewall rule named "discriminat-<custom_deployment_id>-from-clients". If deployed via our Terraform module, additional subnets can be added to this firewall rule through the client_cidrs variable.
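An added example (not DiscrimiNAT's or the Terraform module's own code) of checking the point above offline: given the sourceRanges of the discriminat-<custom_deployment_id>-from-clients rule, as returned by `gcloud compute firewall-rules describe <rule-name> --format=json`, it reports which part of each client subnet is not covered. It works on the union of the ranges, so a /24 split across two /25 entries still counts as covered. The rule JSON, the client subnets and the function names below are constructed for this example.

```python
"""Check which client subnets are not covered by the source ranges of the
discriminat-<custom_deployment_id>-from-clients ingress firewall rule.

Added example, not DiscrimiNAT's own tooling. Feed it the JSON from
  gcloud compute firewall-rules describe <rule-name> --format=json
(the sample below is constructed).
"""
import ipaddress
import json

# Constructed sample of the fields needed from a firewall-rule describe.
SAMPLE_RULE_JSON = """
{
  "name": "discriminat-example-from-clients",
  "direction": "INGRESS",
  "sourceRanges": ["10.0.0.0/25", "10.0.0.128/25", "10.1.0.0/24"]
}
"""

# Constructed client subnets to verify (e.g. what you intend to pass as client_cidrs).
SAMPLE_CLIENT_CIDRS = ["10.0.0.0/24", "10.1.0.0/25", "10.2.0.0/24", "10.1.0.0/23"]


def uncovered_parts(client_cidr, allowed_cidrs):
    """Return the pieces of client_cidr (as strings) that no allowed range covers.

    Operates on the union of allowed_cidrs, so adjacent entries that together
    cover the client subnet count as full coverage. [] means fully covered.
    """
    client = ipaddress.ip_network(client_cidr, strict=False)
    remaining = [client]
    for allowed_str in allowed_cidrs:
        allowed = ipaddress.ip_network(allowed_str, strict=False)
        if allowed.version != client.version:
            continue  # an IPv6 range cannot cover an IPv4 subnet, and vice versa
        next_remaining = []
        for piece in remaining:
            if piece.subnet_of(allowed):
                continue  # fully covered: drop the piece
            if allowed.subnet_of(piece):
                # partially covered: keep only what lies outside the allowed range
                next_remaining.extend(piece.address_exclude(allowed))
            else:
                next_remaining.append(piece)  # disjoint: untouched
        remaining = next_remaining
        if not remaining:
            break
    return [str(n) for n in remaining]


def check_clients(rule_json, client_cidrs):
    """Map each client CIDR to its uncovered pieces ([] means OK)."""
    rule = json.loads(rule_json)
    if rule.get("direction") != "INGRESS":
        raise ValueError(f"{rule.get('name')} is not an INGRESS rule")
    allowed = rule.get("sourceRanges", [])
    return {cidr: uncovered_parts(cidr, allowed) for cidr in client_cidrs}


if __name__ == "__main__":
    for cidr, missing in check_clients(SAMPLE_RULE_JSON, SAMPLE_CLIENT_CIDRS).items():
        status = "OK" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{cidr:<16} {status}")
```

With the constructed sample, 10.0.0.0/24 is covered by the two /25 entries, 10.2.0.0/24 is not covered at all, and only the 10.1.1.0/24 half of 10.1.0.0/23 is missing; any CIDR listed as "NOT covered" is a candidate for client_cidrs.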
see-thru mode not working
If the discriminat-config logs do not show a log line picking up a see-thru rule, the annotation's syntax is probably wrong.
Resolution
The see-thru mode requires a Firewall Rule (or the see_thru default preference) to carry a valid calendar date. For example, discriminat:see-thru:2022-02-29 is NOT a valid date (2022 was not a leap year, so February had only 28 days) but discriminat:see-thru:2022-02-28 is.
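An added example (not DiscrimiNAT code) of validating see-thru annotations before applying them. It assumes the exact spelling shown on this page, discriminat:see-thru:YYYY-MM-DD with zero-padded month and day, and checks calendar validity with the standard library, so the leap-year case above is caught. The sample annotations and function names are this example's own.

```python
"""Validate the date in a see-thru annotation of the form
discriminat:see-thru:YYYY-MM-DD.

Added example, not DiscrimiNAT code. Assumes the exact spelling shown on this
page (four-digit year, two-digit month and day, nothing else). The check is
syntax plus calendar validity only; it says nothing about what DiscrimiNAT
does with the date.
"""
import datetime
import re

SEE_THRU_RE = re.compile(r"^discriminat:see-thru:(\d{4})-(\d{2})-(\d{2})$")


def parse_see_thru(annotation):
    """Return (True, date) for a valid annotation, else (False, reason)."""
    match = SEE_THRU_RE.match(annotation.strip())
    if not match:
        return False, "does not match discriminat:see-thru:YYYY-MM-DD"
    year, month, day = (int(x) for x in match.groups())
    try:
        # datetime.date applies the real calendar, including leap years:
        # 2022-02-29 raises ValueError, 2024-02-29 does not.
        return True, datetime.date(year, month, day)
    except ValueError as err:
        return False, f"not a valid calendar date: {err}"


def is_valid_see_thru(annotation):
    return parse_see_thru(annotation)[0]


def lint_annotations(annotations):
    """Return {annotation: reason} for every annotation that would not be picked up."""
    return {a: parse_see_thru(a)[1] for a in annotations if not is_valid_see_thru(a)}


if __name__ == "__main__":
    # Constructed samples, including the two from this page.
    samples = [
        "discriminat:see-thru:2022-02-29",  # 2022 was not a leap year
        "discriminat:see-thru:2022-02-28",
        "discriminat:see-thru:2024-02-29",  # 2024 was
        "discriminat:see-thru:2022-2-28",   # month not zero-padded
        "discriminat:see-thru:2022-13-01",  # no 13th month
    ]
    for ann in samples:
        ok, detail = parse_see_thru(ann)
        print(f"{ann:<36} {'valid' if ok else 'INVALID: ' + str(detail)}")
```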
Service Projects' network traffic not going through
If the discriminat-config logs do not show log lines picking up VM instances' IPs or other managed services' subnets from the Service Projects, the service account is probably misconfigured.
Resolution
For Service Projects to work through the DiscrimiNAT, ensure that:
- DiscrimiNAT is running with a custom service account. In Terraform this is set with the custom_service_account_email variable.
- The Role associated with that service account is defined at the Organisation level in your Google Cloud and NOT at the Project level.
- The IAM binding of the service account to that Role is defined at the Folder level (see note below) or the Organisation level, and NOT at the Project level.
Note: the chosen Folder should contain the Host project and all Service projects, either directly or through subfolders.
For more details on the service account and the Role required, please see the Service Account page.
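An added example (not DiscrimiNAT code) that checks the second and third points above against an IAM policy. Google Cloud custom roles carry their scope in their resource name (organizations/<ORG_ID>/roles/<ROLE_ID> versus projects/<PROJECT_ID>/roles/<ROLE_ID>), so a folder-level policy, for example the JSON from `gcloud resource-manager folders get-iam-policy <FOLDER_ID> --format=json`, is enough to tell whether the service account is bound there and whether its role was defined at the Organisation level. The policy, account names, IDs and function names below are constructed placeholders.

```python
"""Check the IAM bindings of DiscrimiNAT's custom service account for the
Service Projects requirement: bound at the Folder (or Organisation) level, to
a role defined at the Organisation level rather than the Project level.

Added example, not DiscrimiNAT code. Run it on the policy of the Folder (or
Organisation) that holds the Host and Service projects, e.g. the JSON from
  gcloud resource-manager folders get-iam-policy <FOLDER_ID> --format=json
The policy below is constructed; all IDs and names are placeholders.
"""
import json

# Constructed folder-level policy: one correct binding, one project-level role.
SAMPLE_FOLDER_POLICY = """
{
  "bindings": [
    {"role": "organizations/123456789012/roles/discriminatRole",
     "members": ["serviceAccount:discriminat@host-project.iam.gserviceaccount.com"]},
    {"role": "projects/host-project/roles/discriminatRole",
     "members": ["serviceAccount:other@host-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]}
  ]
}
"""


def role_scope(role):
    """Classify an IAM role by where it is defined, from its resource name."""
    if role.startswith("organizations/"):
        return "organisation"
    if role.startswith("projects/"):
        return "project"
    if role.startswith("roles/"):
        return "predefined"
    return "unknown"


def bindings_for(policy_json, sa_email):
    """Return [(role, scope)] for every binding that names the service account."""
    member = f"serviceAccount:{sa_email}"
    policy = json.loads(policy_json)
    return [(b["role"], role_scope(b["role"]))
            for b in policy.get("bindings", []) if member in b.get("members", [])]


def check_service_project_setup(policy_json, sa_email):
    """Return a list of problems; an empty list means the policy looks right."""
    bindings = bindings_for(policy_json, sa_email)
    if not bindings:
        return [f"no binding for serviceAccount:{sa_email} in this policy; "
                "bind it at the Folder or Organisation level, not the Project level"]
    problems = []
    for role, scope in bindings:
        if scope == "project":
            problems.append(f"{role} is a project-level custom role; "
                            "define the role at the Organisation level instead")
    return problems


if __name__ == "__main__":
    for sa in ("discriminat@host-project.iam.gserviceaccount.com",
               "other@host-project.iam.gserviceaccount.com",
               "missing@host-project.iam.gserviceaccount.com"):
        problems = check_service_project_setup(SAMPLE_FOLDER_POLICY, sa)
        print(sa, "OK" if not problems else "; ".join(problems))
```

A binding that only appears in a project's policy (`gcloud projects get-iam-policy`) and not in the folder's will show up as "no binding" here, which is exactly the Project-level placement the list above rules out.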