Aiya Adil

Systems Manager Session Manager is unable to connect

I am experiencing this problem. Session Manager is unable to connect to the SSM agent on ALL of my instances (see attached picture link). I have an IAM role with all required permissions, and the policy AmazonSSMManagedInstanceCore is attached as well. It was working just fine a couple of days ago, but now I cannot connect to my EC2 instance which has a Jenkins server running.

I tried methods below to get the connection back:

  1. Attached and detached the role
  2. Launched a new instance and still no connection
  3. Used the "Run Command" service and tried "UpdateSSMAgent", did not work
  4. Tried to run Jenkins pipeline to enable amazon ssm-agent
  5. Created vpc endpoints for the ssm.service, since the error is about the endpoint

I am out of options, I need to go inside the server as soon as possible.

Answers (1)

ZabielskiGabriel

For sure this is a network (VPC) issue. I assume you lost the internet connection, or something is filtering your connection from the servers to the AWS endpoints. Filtering - it can be a Security Group (missing or too restrictive egress rule attached to your EC2), VPC NACL, or third-party solution.

If you still can connect from Jenkins, then you can check if you actually have any internet access (if you cannot curl google.com, then you need to check the VPC configuration: NAT and route tables).


Also, you can check the SSM endpoint addresses with nslookup ssm.region.amazonaws.com, and then try to curl them from Jenkins - if you can reach them, then it means that you have a DNS issue -> https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html#agent-ts-dns-attributes

If you cannot reach them, you can try VPC Reachability Analyzer, and check your traffic route from the EC2 server to the SSM endpoint IP address.


The VPC endpoints are a bit expensive, so I personally try to avoid them. If you really cannot use the "public" endpoints for SSM, then remember that there are 3 different endpoints required by the SSM agent that you need to create and attach to the subnets (that should have access through them), and you need to have a security group that will allow your EC2 servers to connect. Also, pay attention to the DNS options in your VPC. You may find more about the VPC endpoints in the link that I mentioned before.

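The checks the answer describes (resolve the SSM endpoint names, then try to reach them over HTTPS, and read the failure mode off the result) can be scripted so they run from the instance itself, or from a Jenkins job on it. The script below is an added example written for this thread; it is not code from the question, the answer, or AWS. It assumes curl and getent are installed on the instance and that the region is passed as an argument or via $AWS_REGION (us-east-1 is only a placeholder default). It covers all three endpoints the agent needs, not just ssm, so a single run shows whether the problem is DNS, filtering (security group, NACL, missing route or NAT), or TLS interception.

```shell
#!/bin/sh
# Added example: diagnose SSM Agent network reachability from inside an EC2 instance.
# Usage on the instance:  sh ssm_netcheck.sh --check eu-west-1
# Assumptions: curl and getent exist; region comes from argv or $AWS_REGION.

# SSM Agent must reach all three service endpoints in its region.
ssm_endpoints() {
  region="$1"
  printf '%s\n' \
    "ssm.${region}.amazonaws.com" \
    "ssmmessages.${region}.amazonaws.com" \
    "ec2messages.${region}.amazonaws.com"
}

# Map a curl exit status to the layer most likely at fault, so the output
# points at what to inspect next (DNS, SG/NACL/routes, TLS filtering).
classify_curl_exit() {
  case "$1" in
    0)     echo "reachable" ;;            # any HTTP answer (even 403) proves routing and TLS work
    6)     echo "dns-failure" ;;          # name did not resolve: VPC DNS attributes / resolver
    7)     echo "connection-refused" ;;   # TCP reset: filtering device or wrong resolved IP
    28)    echo "timeout" ;;              # silent drop: SG egress, NACL, missing NAT or route
    35|60) echo "tls-interception" ;;     # handshake/cert failure: proxy or firewall in the path
    *)     echo "other-curl-exit-$1" ;;
  esac
}

# Resolve the name first (mirrors the nslookup step), then attempt a TLS
# connection with a short timeout. Prints "<host> <status>" and returns
# non-zero unless the endpoint answered.
check_endpoint() {
  host="$1"
  if ! getent hosts "$host" >/dev/null 2>&1; then
    echo "$host dns-failure"
    return 1
  fi
  curl -s -o /dev/null --max-time 5 "https://$host/" >/dev/null 2>&1
  rc=$?
  status=$(classify_curl_exit "$rc")
  echo "$host $status"
  [ "$status" = "reachable" ]
}

# Only run the live checks when invoked with --check, so the functions can be
# sourced or tested without touching the network.
if [ "${1:-}" = "--check" ]; then
  region="${2:-${AWS_REGION:-us-east-1}}"   # placeholder default region
  failed=0
  for host in $(ssm_endpoints "$region"); do
    check_endpoint "$host" || failed=1
  done
  # Non-zero exit lets a Jenkins stage fail fast when any endpoint is unreachable.
  exit "$failed"
fi
```

A run where every line ends in "reachable" means the instance can talk to SSM and the problem is elsewhere (agent not running, instance profile not picked up, or agent registration). "dns-failure" on all three points at the VPC DNS attributes or the resolver the instance uses; "timeout" on all three is the signature of a dropped egress path (security group, NACL, or a route/NAT that no longer exists); "connection-refused" or "tls-interception" indicates something in the path is answering instead of AWS.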