topic AWS GWLB VPC Endpoint Associations no longer work post-upgrade in General Topics

AWS GWLB VPC Endpoint Associations no longer work post-upgrade

C.Stuart — Tue, 19 Nov 2024 15:17:58 GMT

Hello,

We have recently upgraded our VMSeries Firewalls from 10.2.8-h5 to 11.2.3-h3. However, now, none of our AWS VPC Endpoint associations work via the CLI. We're running the following as per the documentation - as we always have:

admin@PA-VM> request plugins vm_series aws gwlb associate vpc-endpoint vpce-0c9fbeeeae9387c49 interface ethernet1/1.1 admin@PA-VM> request plugins vm_series aws gwlb associate vpc-endpoint vpce-06e2ec4d749fcf479 interface ethernet1/1.2 admin@PA-VM> show plugins vm_series aws gwlb GWLB enabled : True Overlay Routing : True ================================================ VPC endpoint Interface Egress ================================================ GWLB vpc-endpoint association not found

Both subinterfaces (and interfaces) are active in the console. Can anyone shed any light as to why this might be?

Kind regards,

Carl

Re: AWS GWLB VPC Endpoint Associations no longer work post-upgrade

C.Stuart — Tue, 19 Nov 2024 16:18:13 GMT

Also, I have checked the vm_series plugin logs there seems to be no errors relating to the association(s):

admin@PA-VM> tail follow no mp-log plugin_vm_series.log 2024-11-19 06:07:14.056 -0800 INFO: [vm_cloudwatch_log] Token refreshed successfully 2024-11-19 06:07:14.057 -0800 INFO: [vm_cloudwatch_log] AWS get_meta_data succeedeed 2024-11-19 06:07:14.057 -0800 INFO: [vm_cloudwatch_log] AWS instance id i-0b075ab8e40468a39 2024-11-19 06:07:14.108 -0800 INFO: [vm_cloudwatch_log] Region eu-west-2 2024-11-19 06:47:20.159 -0800 ERROR: [vm_cloudwatch_log] Connect timeout on endpoint URL: "https://logs.eu-west-2.amazonaws.com/" ConnectTimeoutError 2024-11-19 06:47:20.159 -0800 INFO: [vm_cloudwatch_log] Logging INFO : SYSTEM : START : Palo Alto Networks Firewall Initializing. 2024-11-19 07:27:30.734 -0800 ERROR: [vm_cloudwatch_log] Connect timeout on endpoint URL: "https://logs.eu-west-2.amazonaws.com/" ConnectTimeoutError 2024-11-19 07:27:30.735 -0800 ERROR: [vm_cloudwatch_log] Error logging 'NoneType' object has no attribute 'put_log_events' AttributeError 2024-11-19 08:07:37.446 -0800 ERROR: [vm_cloudwatch_log] Connect timeout on endpoint URL: "https://logs.eu-west-2.amazonaws.com/" ConnectTimeoutError 2024-11-19 08:07:37.447 -0800 ERROR: [vm_cloudwatch_log] Error logging 'NoneType' object has no attribute 'put_log_events' AttributeError

Kind regards,

Carl

Re: AWS GWLB VPC Endpoint Associations no longer work post-upgrade

C.Stuart — Wed, 20 Nov 2024 17:37:30 GMT

This issue appears to be specifically tied to the the vm_series plugin version 5.1.3. I regressed the plugin to version 5.1.0 and the associations now work. In version 5.1.3 there was an issue addressed (PLUG-16869) that caused the CLI command `show plugins vm_series azure gwlb` to not return any output. Even though that was for Azure and now AWS, could this be a similar issue? I tried to check the release notes for version 5.1.4 and it doesn't show anything.