Troubleshooting

The following problems are well-known:

EC2 Instance launch failure: Client.InternalError: Client error on launch

If no EC2 instances are started, and the Auto Scaling Group shows the error “Client.InternalError: Client error on launch”, the likely cause is the KMS key that you use for EBS default encryption. Please modify the KMS key policy and add these two statements to allow EC2 Auto Scaling to use the key. The EC2 instances will start after a couple of minutes.

CloudFormation Template error: Fn::Select cannot select nonexistent value at index

CloudFormation’s Fn::GetAZs function returns only the availability zones that have a default subnet. If no availability zone has a default subnet, it returns all availability zones.

Double-check that your default VPC has at least two default subnets in two availability zones to fix the error. If you deleted them before, you could create default subnets for your default VPC.

The specified instance type is not valid

Unfortunately, not all instance types are available in all availability zones.

Sometimes, you can see an error like “The specified instance type t3a.small is not valid” even though you selected the instance type t3.small. This is caused by the capacity strategy SpotOnly, which defines fallback instance types for better availability. To fix the issue, set the CapacityStrategy configuration parameter to OnDemandOnly during installation.

If you still see the error, select a different value for the InstanceType configuration parameter. Our default m5.large is a good choice.

Invalid DNS reply. Falling back to HTTP mode.

You will see the following log messages from time to time:

freshclam: ClamAV update process started at *** 
freshclam: Can't query no
freshclam: WARNING: Invalid DNS reply. Falling back to HTTP mode.
freshclam: Trying to retrieve CVD header from https://bucketav-clamav-mirror-***.amazonaws.com/daily.cvd
freshclam: OK     

Unfortunately, ClamAV does not allow us to properly turn off reaching out to a DNS server to get the latest virus database version number. We resolve the newest virus database version number from our mirror via HTTPS.

Network issues when using delivery method Existing VPC

Please follow the Existing VPC Network Guide.

Access Denied errors when copying or moving objects

Are you getting “Access Denied” errors when copying or moving objects after enabling bucketAV? By default, bucketAV adds a tag named bucketav to scanned objects. Therefore, when copying or moving those files, you might need to grant permissions for the following actions.

  • s3:PutObjectTagging
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:PutObjectVersionTagging

For example, you will run into this issue when using IAM policies generated by AWS Transfer Family (e.g., SFTP) or AWS Storage Gateway.
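To find out whether a given IAM policy is affected, the following added example (not part of bucketAV or the original page) reports which of the four tagging actions above a policy document does not grant. The sample policy and the bucket name example-bucket are constructed for illustration; the check compares Action patterns only and ignores Resource, Condition and NotAction.

```python
import fnmatch

# The four tagging actions listed above.
REQUIRED_TAGGING_ACTIONS = [
    "s3:PutObjectTagging",
    "s3:GetObjectTagging",
    "s3:GetObjectVersionTagging",
    "s3:PutObjectVersionTagging",
]

# Constructed sample: a policy that allows object reads and writes but no tagging.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

def _patterns(policy, effect):
    """Collect lower-cased Action patterns of all statements with the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        found.extend([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in found]

def _matches(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_tagging_actions(policy):
    """Return the required tagging actions that are not allowed or are explicitly denied."""
    allow = _patterns(policy, "Allow")
    deny = _patterns(policy, "Deny")
    return [a for a in REQUIRED_TAGGING_ACTIONS
            if not _matches(a, allow) or _matches(a, deny)]

if __name__ == "__main__":
    for action in missing_tagging_actions(SAMPLE_POLICY):
        print("missing:", action)
```
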

Need more help?

Write us, and we'll get back to you as soon as we can.