SGOS on AWS Marketplace: Cannot Retrieve AWS Metadata


Article ID: 176343


Products

ProxySG Software - SGOS

Issue/Introduction

On November 5, 2019, the ProxySG software began to receive failed requests from the AWS metadata server. Existing instances that are configured and running are not impacted by the failed requests. For new instances, the initial boot process fails with the following error indicators in the AWS web console:

  1. Failed EC2 health checks:
    [Screenshot: failed EC2 health checks]
  2. Console messages that indicate an instance is affected:
    [Screenshot: console messages on an affected instance]

Cause

On November 5, 2019, AWS updated the metadata service (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) on their EC2 platform. After this change, a request string that the service had previously accepted from the ProxySG virtual appliances (VAs) no longer works.

On the first boot, the ProxySG VA queries the AWS metadata service to determine which processes need to run automatically, such as:

  • Detecting the AWS platform
  • Using DHCP to configure ProxySG networking
  • Enabling access to the Mini ICW over SSH

Resolution

How Do I Fix this Issue?

The fix for this issue was introduced in SGOS 6.7.4.11. Obtain this version of SGOS from the AWS Marketplace and use it to deploy a new instance. Do not use older AMIs, whether they were created manually or obtained from the AWS Marketplace. For instructions on deploying your ProxySG VA, see https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/aws-marketplace-about-proxysg.html.

What Platforms are Affected?

This issue only affects newly created VAs on AWS Marketplace. This issue does not impact any physical appliances or VAs deployed on any other platform.

Are My Existing and Running Instances on the AWS Marketplace Affected?

No. Instances that are currently running and have had their initial configuration wizard completed (either via the Mini ICW or userdata) no longer require access to the metadata server to properly operate. These instances can continue to operate as is, and can be updated using the load upgrade mechanism. However, if you want to erase configuration via the restore defaults command, or create a new VA in AWS Marketplace using an older AMI, your VA will be affected because it will need to contact the metadata server.

Do I have to Upgrade?

Symantec recommends that you upgrade existing instances to avoid future issues that could be triggered by issuing a restore defaults command; however, if your existing instances are running, configured, and working, you are not required to upgrade. Any new instances must be created using an AMI that has the fix for this issue (SGOS 6.7.4.11 and later).

Warning: If you are upgrading from 6.7.3.x to 6.7.4.x, see the following KB article for upgrade instructions: https://knowledge.broadcom.com/external/article?legacyId=TECH256768