# Troubleshooting

### Video for End Users

If you are an application developer, a service owner or an end-user of DiscrimiNAT tasked with getting new domain names working, this \<5m video is for you and covers the most common issue along with solutions.

[Watch the video on YouTube](https://www.youtube.com/embed/OGillWaE9-k?si=4-Fb0BxVgQfg-w0o&rel=0)

### Search for _warning_ messages from DiscrimiNAT

The firewall may have tried to warn you about an issue it can foresee. Use the following query in Logs Explorer, replacing `<google-cloud project name>` with the name of a project where DiscrimiNAT is deployed:

```
logName="projects/<google-cloud project name>/logs/discriminat-config"
jsonPayload.outcome="warning"
```

You may find a descriptive clue in the resultant log lines from the last few minutes/hours.

### There are no `discriminat-config` logs at all.

![](img/no-discriminat-config-log.gif)

#### Resolution

1. Check if the [service account](https://console.cloud.google.com/iam-admin/serviceaccounts) for DiscrimiNAT instances is enabled. It is the default Compute Engine account if DiscrimiNAT is deployed through the Marketplace directly. If deployed through Terraform, the default service account is the same unless overridden with the `custom_service_account_email` variable.
2. Check if the [Cloud Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/metrics) is enabled.

### Clients' network traffic sometimes allowed, sometimes not.

#### Resolution

Please upgrade the machine type from `e2-small` to `n2-highcpu-2`. This is done via the `machine_type` Terraform variable.

The `e2-small` machine type only suffices for light loads and a few clients. The `n2-highcpu-2` offers the best CPU to egress bandwidth and price ratios for the kind of work involved.

Use of `n2-standard-*` machine types is not recommended: DiscrimiNAT is not a memory-intensive application, so paying for more memory than it needs is not cost-optimal.

### There are no `discriminat-flow` logs from certain clients.

Certain, or all, clients may not even be able to access the Internet in this case. Requests would be timing out instead of being quickly terminated with a reset.

#### Resolution

1. Check if the subnet, where the affected clients are, is allowed for ingress in a [firewall rule](https://console.cloud.google.com/networking/firewalls/list) named "discriminat-\<custom_deployment_id\>-from-clients".

If deployed via our Terraform module, additional subnets can be added to this firewall rule through the `client_cidrs` variable.
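The check in the step above can be automated once the rule has been exported, for example with `gcloud compute firewall-rules describe <rule name> --format=json`. The following is an added example, not code from the DiscrimiNAT documentation or product: it takes a constructed `describe` output in that shape (the rule name uses a placeholder deployment id) and reports which client subnets are not fully contained in the rule's source ranges, which is exactly the case that produces no `discriminat-flow` logs and timed-out requests.

```python
import ipaddress
import json

# Constructed sample shaped like the JSON output of
# `gcloud compute firewall-rules describe <rule> --format=json`.
# Only the fields used below are included; the deployment id is a placeholder.
DESCRIBE_OUTPUT = json.dumps({
    "name": "discriminat-EXAMPLE_DEPLOYMENT_ID-from-clients",
    "direction": "INGRESS",
    "disabled": False,
    "sourceRanges": ["10.10.0.0/24", "10.20.0.0/16"],
})


def load_source_ranges(describe_json: str):
    """Parse the rule and return its source ranges as ip_network objects.

    Raises ValueError when the rule could not be admitting client traffic at all
    (wrong direction or disabled), so that the caller does not silently report
    "all subnets covered" for a rule that is not in effect.
    """
    rule = json.loads(describe_json)
    if rule.get("direction") != "INGRESS":
        raise ValueError(f"{rule.get('name')}: expected an INGRESS rule")
    if rule.get("disabled"):
        raise ValueError(f"{rule.get('name')}: rule is disabled")
    # strict=True: a range such as 10.10.0.1/24 in a rule is a configuration error
    return [ipaddress.ip_network(r, strict=True) for r in rule.get("sourceRanges", [])]


def uncovered_subnets(rule_ranges, client_subnets):
    """Return the client subnets (as normalised CIDR strings) that are not
    wholly inside at least one source range of the rule.

    Partial overlap counts as uncovered: clients in the uncovered half would
    time out while their neighbours work, which is a confusing symptom.
    """
    missing = []
    for cidr in client_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(
            net.subnet_of(allowed)
            for allowed in rule_ranges
            if allowed.version == net.version  # subnet_of rejects mixed v4/v6
        )
        if not covered:
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    # Constructed client subnets: two inside the rule, one partially
    # overlapping it and one entirely outside it.
    clients = ["10.10.0.0/24", "10.20.5.0/24", "10.10.0.0/23", "10.30.0.0/24"]
    for subnet in uncovered_subnets(load_source_ranges(DESCRIBE_OUTPUT), clients):
        print(f"not covered by the from-clients rule: {subnet}")
```

Subnets listed by the script are the ones to add via the `client_cidrs` Terraform variable, or to the rule directly for a Marketplace deployment.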

### _see-thru_ mode not working

If the `discriminat-config` logs do not show a log line picking up a _see-thru_ rule, you may have a problem with the annotation's implied syntax.

#### Resolution

The _see-thru_ mode requires a Firewall Rule (or the _see\_thru_ [default preference](/docs/discriminat/gcp/default-prefs/#see_thru)) to have a valid calendar date. For example, `discriminat:see-thru:2022-02-29` is NOT a valid date (because 2022 was not a leap year) but `discriminat:see-thru:2022-02-28` is.
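A quick way to catch the date problem before the rule reaches the firewall is to validate the annotation against the real calendar, as in this added example (not code from the DiscrimiNAT documentation or product). It assumes only the `discriminat:see-thru:YYYY-MM-DD` form shown above and rejects anything that is not a zero-padded ISO date naming a day that actually exists; the sample annotations are constructed.

```python
import re
from datetime import date

# Annotation form from the troubleshooting page: discriminat:see-thru:YYYY-MM-DD
# The regex only checks the shape; the calendar check happens in date().
SEE_THRU_RE = re.compile(r"^discriminat:see-thru:(\d{4})-(\d{2})-(\d{2})$")


def parse_see_thru(annotation: str):
    """Return the date carried by a see-thru annotation, or None when the
    annotation is malformed or names a day that does not exist."""
    match = SEE_THRU_RE.match(annotation.strip())
    if not match:
        return None  # wrong prefix, missing zero padding, wrong field order, extra text
    year, month, day = (int(part) for part in match.groups())
    try:
        # date() raises ValueError for 2022-02-29, 2023-04-31, month 13, day 0, ...
        return date(year, month, day)
    except ValueError:
        return None


def check_annotations(annotations):
    """Split a batch of annotations into accepted (annotation -> date)
    and rejected (list of annotation strings)."""
    accepted, rejected = {}, []
    for annotation in annotations:
        parsed = parse_see_thru(annotation)
        if parsed is None:
            rejected.append(annotation)
        else:
            accepted[annotation] = parsed
    return accepted, rejected


# Constructed sample annotations, not taken from any real deployment.
SAMPLE = [
    "discriminat:see-thru:2022-02-28",  # valid
    "discriminat:see-thru:2022-02-29",  # 2022 was not a leap year
    "discriminat:see-thru:2024-02-29",  # 2024 was, so this one is valid
    "discriminat:see-thru:2022-2-28",   # not zero-padded
    "discriminat:see-thru:28-02-2022",  # fields in the wrong order
    "discriminat:see-thru:",            # date missing altogether
]

if __name__ == "__main__":
    accepted, rejected = check_annotations(SAMPLE)
    for annotation, parsed in accepted.items():
        print(f"OK   {annotation} -> {parsed.isoformat()}")
    for annotation in rejected:
        print(f"BAD  {annotation}")
```

Run it over the annotations of every firewall rule in the deployment; any annotation it rejects is one that the `discriminat-config` logs will never show being picked up.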

### Service Projects' network traffic not going through

If the `discriminat-config` logs do not show log lines picking up VM Instances' IPs or other managed services' subnets from the Service Projects, you may have a problem with how the service account was configured.

#### Resolution

For Service Projects to work through the DiscrimiNAT, ensure that:

1. DiscrimiNAT is running with a custom service account. This is overridden with the `custom_service_account_email` variable in Terraform.
1. The Role to be associated with that service account is defined at the Organisation level in your Google Cloud and NOT at the Project level.
1. The IAM binding of the service account to that Role should be defined at the Folder† level (or the Organisation level) and NOT at the Project level.

† The chosen Folder should contain the Host project and all Service projects either directly or through subfolders.

For more details on the service account and the Role required, please see the [Service Account](/docs/discriminat/gcp/service-account/) page.
