Troubleshooting AWS SMS - AWS Server Migration Service

Troubleshooting AWS SMS

The following information can help you troubleshoot issues with errors that you might encounter when using AWS SMS. Before using these procedures, confirm that your SMS setup and the server you are trying to migrate meet the requirements in Server Migration Service (SMS) Requirements.

Failure When Registering the Connector

If you encounter an issue registering the connector, contact

Certificate Error When Uploading a VM to Amazon S3

The connector may fail to replicate your VM because the VM is on an ESXi host with an SSL certificate problem. If this occurs, you see the following error message displayed in the Latest run's status message section: "ServerError: Failed to upload base disk(s) to S3. Please try again. If this problem persists, please contact AWS Support: vSphere certificate hostname mismatch: Certificate for <> doesn't match any of the subject alternative names: [localhost.localdomain]."

You can override this ESXi host certificate problem by completing the following tasks:

Upgrade Your Connector

This section is for customers who are manually upgrading the connector. If you have previously configured automatic upgrades, skip these steps and continue to Re-Register Your Connector.

To upgrade your connector

  1. Open the connector console.

  2. Log in to the connector.

  3. Choose Upgrade.

  4. Wait for the connector to finish upgrading to version or later.

Re-Register Your Connector

This section applies to all customers encountering the certificate mismatch problem.

To re-register your connector

  1. Open the connector console.

  2. Log in to the connector.

  3. In the General Health section, check that the connector version is or later.

  4. Choose Edit AWS Server Migration Service Settings.

  5. On the Setup page, for AWS Region, select the desired region from the list. For AWS Credentials, enter the IAM access key and secret key that you created in Step 2 of the setup guide. Choose Next.

  6. On the vCenter Service Account page, enter the vCenter hostname, user name, and password that you created in Step 3 of the setup guide.

  7. Select the Ignore hostname mismatch and expiration errors for vCenter and ESXi certificates check box. Choose Next.

  8. Complete registration and view the connector configuration dashboard.

  9. In the AWS SMS console, delete and restart your stuck replication jobs.

Server Migration Connector Fails To Connect To AWS with Error "PKIX path building failed"

In some customer environments, secure network traffic is proxied through a certificate re-signing mechanism for auditing and management purposes. This can cause your AWS credentials to fail when the connector attempts to contact AWS SMS. The error message contains "PKIX path building failed," indicating that an invalid certificate was presented.

For the connector to work in such an environment, the re-signing certificate (a user certificate that your organization trusts and uses to sign outbound packets) must be added to the connector's trust store, as described in the following steps.

To add the re-signing certificate to the connector trust store

  1. On your connector system, disable the FreeBSD packet filter and enable SSH with the following commands:

    sudo service pf stop sudo service sshd onestart
  2. Copy your user certificate to the connector by a method such as the following:

    scp userCertFile ec2-user@
  3. Add the user certificate to the trust store:

    keytool -importcert -keystore /usr/local/amazon/connector/config/jetty/trustStore -storepass AwScOnNeCtOr -file /tmp/userCertFileName -alias userCertName
  4. Restart services using the following command (part of AWS Management Portal for vCenter):

    sudo setup.rb

    Select option 3 and type "yes".

  5. Re-enable the packet filter:

    sudo service pf start

This CA Root certificate is not trusted

When you access the IP address of a virtual machine that you installed on-premises, you may receive the following message:

This CA Root certificate is not trusted. To enable trust,
install this certificate in the Trusted Root Certifications
Authorities store.

You can safely ignore this message.

Replication Run Fails During the Preparing Stage

In some cases, AWS SMS allows a replication job to continue scheduling incremental replication runs even when the latest replication run has failed. When the maximum allowed number of consecutive failures is reached, the default behavior for a replication job is to be paused. The job can be resumed within four days, after which it is deleted. In such cases, the Amazon EBS snapshots from the latest replication run are shared with the customer account, and a status message for the failed replication run is sent. The message contains the snapshot IDs and states the reason for the failure. A typical status message resembles the following:

EBS snapshot(s) created with snapshot ID(s): snap-12345678abcdefgh. Another run  
has been scheduled after the last run failed due to an import failure. 2 re-try run(s) 
remaining before the job will be failed.

The reason for replication-run failures (including first-boot failures) often correlates closely with failures observed when Amazon EC2 VM Import/Export is used for VM migrations. For more information, see Troubleshooting VM Import/Export.

If you need further help with resolving a problem, contact AWS Support. EBS snapshots generated during a failed migration are shared with your account, and the snapshot IDs are included in the status message for the replication job. Be sure to have these details available when you contact AWS Support.

Replicated AMI Doesn't Support Some Instance Types for Launch

Some instances require ENA support. If the migration does not enable ENA support, then the replicated AMI does not allow you to launch instances that require ENA support.

Verify that ENA is enabled. For more information, see Enabling Enhanced Networking on Windows or Enabling Enhanced Networking on Linux in the Amazon EC2 documentation.

Failure to upload to Amazon S3

The following error message indicates that the vCenter cannot export the VMDK.

Error message: ServerError: Failed to upload base disk(s) to S3. Please try again. 
If this problem persists, please contact AWS support: Server 
returned HTTP response code: 500 for URL: https://<url>

Verify that the VMDK is snapshottable and that the VM does not have any mounted ISOs.

Incremental Replication Delta Exceeds 1 TB

The connector is designed to handle frequent replication with small deltas. The connector does not support deltas larger than 1 TB. If you do not replicate on a regular basis, the delta can exceed this limit and the replication run fails.

To prevent this issue, set up frequent incremental replication runs. If you cannot replicate frequently, you can increase the delta upload limit. For example, run the following commands on the connector to increase the part size of S3 uploads from 25 MB to 100 MB. When prompted, select option 3.

sudo sms-connector-config -set slotSizeMB 100 sudo setup.rb

Increasing the upload limit impacts the performance and memory usages of the connector. Do not increase the upload limit while the connector is uploading multiple deltas.