Troubleshooting firewall endpoint failures in AWS Network Firewall
If Network Firewall can't create or delete a firewall endpoint in the subnet because of an error, the service displays a status message describing how to resolve the issues. Use the status message in the console, API, or CLI to troubleshoot the issues causing the endpoint failure. Depending on the issue, it can take as many as 15 minutes for Network Firewall to display the status message.
The following table lists the possible causes of the error or failure as indicated in the Network Firewall console or the StatusMessage parameter in the API or CLI. Errors indicate a condition that you can take action to fix. Failures indicate a non-recoverable failed state. For errors, after you apply any of the remedial steps, Network Firewall automatically attempts to complete creation or deletion of the firewall.
Firewall endpoint status | Reason for error or failure | Cause | Solution |
---|---|---|---|
Error | AWS Key Management Service encryption key misconfigured | The specified AWS KMS encryption key either doesn't exist in the Region, or you aren't allowed to access it. | Either update the encryption configuration with a new key or delete the firewall. For information about using encryption keys with Network Firewall, see Encryption at rest with AWS Key Management Service. |
Error | Endpoint tag removed | Network Firewall can't access the endpoint because the | Add the |
Error | Invalid chain of trust | The firewall's TLS inspection configuration contains a certificate with an invalid chain of trust. | Replace the certificate with a valid certificate. |
Error | Invalid root certificate | The firewall's TLS inspection configuration contains a certificate that Network Firewall can't validate. Network Firewall can't validate cross-signed root certificates, such as Let's Encrypt certificates. For more information, see Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall. | Replace the certificate with a valid certificate. |
Error | IP limit exceeded | You've reached the quota of IPv4 or IPv6 CIDR blocks per VPC. For information about CIDR block limits per VPC, see Amazon VPC quotas in the Amazon VPC User Guide. | Either choose a different VPC or reduce the number of CIDR blocks associated with the VPC, and try again. For information about disassociating CIDR blocks, see Work with VPCs in the Amazon VPC User Guide. |
Error | Subnet deleted | The specified subnet has been deleted. Your firewall must refer to an existing subnet. | Enter an existing subnet and try again. |
Error | Subnet invalid IP address type | Network Firewall can't create a VPC endpoint containing the specified subnet because the subnet is associated with an IPv6 CIDR block that was removed from the firewall. | Do one of the following actions: |
Failed | VPC deleted | The firewall is associated with a VPC that's been deleted. | Delete this firewall, and then create a new firewall using an existing VPC. For information about how to delete a firewall, see Deleting a firewall in AWS Network Firewall. |
Error | VPCE limit exceeded | You've reached the quota of VPC endpoints you can have per VPC. For information about the VPC endpoint limits, see Amazon VPC quotas in the Amazon VPC User Guide. | Either delete the VPC endpoint, or delete the firewall and then create the endpoint using another VPC. For information about creating or deleting endpoints, see Work with VPCs in the Amazon VPC User Guide. |
Error | VPCE reference exists | You can't delete the firewall because the specified firewall endpoint is associated to a VPC route table. | Remove the firewall endpoint from your route table and try again. For information about route tables, see Configure route tables in the Amazon VPC User Guide. |
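The following script is an added example, not code from the AWS documentation or from the Network Firewall service. It pulls the per-Availability-Zone endpoint status and StatusMessage out of a DescribeFirewall response (the `FirewallStatus.SyncStates` map returned by `aws network-firewall describe-firewall`), separates recoverable ERROR states from non-recoverable FAILED states as the table above distinguishes them, and, for the "VPCE reference exists" case, scans a DescribeRouteTables response for routes that still target the firewall endpoint. The firewall name, subnet, endpoint and route-table IDs, and the StatusMessage strings in the sample data are constructed placeholders; the real messages are whatever the service reports.

```python
"""Triage AWS Network Firewall endpoint status from DescribeFirewall output.

Added example, not AWS documentation code. Reads the response shape of
`aws network-firewall describe-firewall` (FirewallStatus.SyncStates) and of
`aws ec2 describe-route-tables`. Sample data below is constructed so the
script runs offline; pass two JSON files to run it against real output.
"""
from __future__ import annotations

import json
import sys

# Attachment.Status values that mean the endpoint is not usable.
RECOVERABLE = {"ERROR"}       # fix the cause; Network Firewall retries automatically
NON_RECOVERABLE = {"FAILED"}  # delete the firewall and create a new one


def endpoint_problems(describe_firewall: dict) -> list[dict]:
    """Return one record per Availability Zone whose endpoint is in ERROR or FAILED."""
    problems = []
    sync_states = describe_firewall.get("FirewallStatus", {}).get("SyncStates", {})
    for az, state in sorted(sync_states.items()):
        attachment = state.get("Attachment", {})
        status = attachment.get("Status", "")
        if status not in RECOVERABLE | NON_RECOVERABLE:
            continue  # READY, CREATING, DELETING, SCALING need no action here
        problems.append({
            "availability_zone": az,
            "subnet_id": attachment.get("SubnetId"),
            "endpoint_id": attachment.get("EndpointId"),
            "status": status,
            "status_message": attachment.get("StatusMessage", ""),
            "recoverable": status in RECOVERABLE,
        })
    return problems


def route_table_references(describe_route_tables: dict, endpoint_id: str) -> list[tuple[str, str]]:
    """Return (route-table-id, destination) pairs for routes whose target is endpoint_id.

    An endpoint that is still a route target cannot be deleted ("VPCE reference
    exists"); these are the routes to remove before retrying the deletion.
    """
    refs = []
    for table in describe_route_tables.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("VpcEndpointId") == endpoint_id:
                refs.append((table["RouteTableId"], route.get("DestinationCidrBlock", "")))
    return refs


def triage_report(describe_firewall: dict, describe_route_tables: dict) -> list[str]:
    """Build one line per problem endpoint, plus one per route that still references it."""
    lines = []
    for p in endpoint_problems(describe_firewall):
        action = ("fix the cause; Network Firewall retries automatically" if p["recoverable"]
                  else "non-recoverable; delete the firewall and create a new one")
        lines.append(f"{p['availability_zone']} {p['subnet_id']} {p['status']}: "
                     f"{p['status_message']} -> {action}")
        if p["endpoint_id"]:
            for rtb, dest in route_table_references(describe_route_tables, p["endpoint_id"]):
                lines.append(f"  route {dest} in {rtb} still targets {p['endpoint_id']}; "
                             f"remove it before deleting")
    return lines


# Constructed sample data in the shape of the two API responses (placeholder IDs/messages).
SAMPLE_DESCRIBE_FIREWALL = {
    "Firewall": {"FirewallName": "example-fw", "VpcId": "vpc-0000example"},
    "FirewallStatus": {
        "Status": "PROVISIONING",
        "ConfigurationSyncStateSummary": "IN_SYNC",
        "SyncStates": {
            "us-east-1a": {"Attachment": {"SubnetId": "subnet-0aaa", "EndpointId": "vpce-0aaa",
                                          "Status": "READY"}},
            "us-east-1b": {"Attachment": {"SubnetId": "subnet-0bbb", "EndpointId": "vpce-0bbb",
                                          "Status": "ERROR",
                                          "StatusMessage": "placeholder: VPCE reference exists"}},
            "us-east-1c": {"Attachment": {"SubnetId": "subnet-0ccc", "Status": "FAILED",
                                          "StatusMessage": "placeholder: VPC deleted"}},
        },
    },
}

SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-0111", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-0bbb"},
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ]},
        {"RouteTableId": "rtb-0222", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0333"},
        ]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real output: describe-firewall JSON, describe-route-tables JSON
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            fw, rtbs = json.load(f1), json.load(f2)
    else:
        fw, rtbs = SAMPLE_DESCRIBE_FIREWALL, SAMPLE_ROUTE_TABLES
    print("\n".join(triage_report(fw, rtbs)) or "all endpoints healthy")
```

To run it against a real firewall, save `aws network-firewall describe-firewall --firewall-name NAME` and `aws ec2 describe-route-tables --filters Name=vpc-id,Values=VPC_ID` to two JSON files and pass them as the two arguments. Because the page says a status message can take up to 15 minutes to appear, an empty report immediately after a failed create or delete is not proof that the endpoint is healthy; check the attachment status again after that window.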