
Troubleshooting

The subsections of this page address some of the well-known errors that might occur in Fleet Control during patching or other operations. They mainly refer to the content of action logs; more information on these can be found in the Action logs section.

"Logs not available. Please verify permissions." or empty action output

When you encounter this error message in the action output, or if the output is empty, it means that logs for the resource-scoped action could not be saved.

There are several possible causes for this issue.

Target instance having insufficient permissions

info

Applies only to AWS EC2 instances.

SSM Agent uses native AWS functionality to perform its tasks on EC2 instances. For this reason, EC2 instances must have the necessary permissions configured.

The EC2 instance either doesn't have an Instance Profile attached, or the Instance Profile doesn't have the necessary permissions to write to the S3 bucket that stores the logs. The missing permissions might include KMS key access or the S3 PutObject action. The section on adding a cloud account describes which policies are required for the Instance Profile.
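One way to check an Instance Profile policy document for the gaps described above, as an added example that is not part of Fleet Control or its documentation. The bucket name, key ARN and the choice of `kms:GenerateDataKey` as the KMS action are assumptions; the evaluation is simplified and ignores `Condition`, `NotAction` and `NotResource`.

```python
import fnmatch

# Constructed sample policy for an instance role. The bucket name and key ARN
# are placeholders, not Fleet Control's real values.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::EXAMPLE-LOG-BUCKET/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}

# Assumption: the log bucket uses SSE-KMS, so uploads need kms:GenerateDataKey
# on the key in addition to s3:PutObject on the object path.
REQUIRED = [
    ("s3:PutObject", "arn:aws:s3:::EXAMPLE-LOG-BUCKET/ssm/output.log"),
    ("kms:GenerateDataKey", "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"),
]

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names are case-insensitive; both fields accept * and ? wildcards.
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                 for a in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, r)
                 for r in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok

def is_allowed(policy, action, resource):
    stmts = _as_list(policy.get("Statement", []))
    # An explicit Deny overrides any Allow.
    if any(s.get("Effect") == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, action, resource) for s in stmts)

def missing_permissions(policy, required=REQUIRED):
    """Return the required actions that the policy does not grant."""
    return [a for a, r in required if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    print("Missing:", missing_permissions(SAMPLE_POLICY))
```

The sample policy grants the S3 write but only `kms:Decrypt` on the key, so the KMS action is reported as missing.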

Firewall rules blocking the connection to the S3 bucket that stores the logs

The instance is unable to connect to the S3 bucket due to firewall rules. Please check the firewall configuration page for the list of endpoints that need to be accessible for Fleet Control to function properly.

tip

The SSM Agent logs can be very helpful in troubleshooting similar issues.

The SSM Agent records every attempt to upload logs to the Fleet Control bucket and saves it locally on the instance. By examining these logs, you can often identify exactly what happened and determine why it went wrong.

The AWS documentation provides detailed instructions on where to locate these logs.

Cloud account error statuses

  • Access Missing:

  • Access Error:

    • In the AWS case: The role used by Fleet Control (default name: NordcloudFleetControlServiceRole) has been removed or the External ID has been changed. Please refer to the AWS documentation for an explanation of External ID.
    • In the Azure case: The Service Principal might have been removed or its credentials could have expired. This article in the Azure documentation describes credentials expiry.

tip

You can hover over a region name to see error details, if any.

"Lost Connection" resource status

If a resource is running but has the "Lost Connection" status in Fleet Control, this most likely means that the SSM Agent on the instance has connectivity issues. Possible causes include:

  • SSM Agent is not running on the instance.
  • Instance is behind a firewall that prevents the SSM Agent from connecting to the AWS SSM service. Please make sure the endpoints listed in the firewall configuration page are reachable from the instance.
  • AWS instances only: the instance might not have a role attached, or the role attached does not include the AmazonSSMManagedInstanceCore policy. Please refer to the IAM mode section in the SSM Agent user guide for details.

info

Please keep in mind that resource states are updated periodically, so it might take a while for the status to be updated.