In the app logs you see a post cf push staging container being created, then deleted. However, the actual app container never gets created and started.

This is followed by app timeout and the app fails to push. 

Cell b5465126-199e-4e3d-a297-503ffbf88464 stopping instance ec73067c-4a19-4cd1-8393-93aac028d58a
   Cell b5465126-199e-4e3d-a297-503ffbf88464 destroying container for instance ec73067c-4a19-4cd1-8393-93aac028d58a
   Cell b5465126-199e-4e3d-a297-503ffbf88464 successfully destroyed container for instance ec73067c-4a19-4cd1-8393-93aac028d58a

Waiting for app to start...
Start app timeout

TIP: Application must be listening on the right port. Instead of hard coding the port, use the $PORT environment variable.

Use 'cf logs hello_php --recent' for more information
FAILED

This is caused by an invalid syntax of one or more of the IP, IP Range, Port, or Protocol fields for Application Security Group. 

There is no error message in the app logs or in the Diego Cell logs. Bulletin Board System (BBS) in the Diego Database VMs reports in /bbs/bbs.stdout.log an error message similar to the following:

"error":"Invalid field: egress_rules, Invalid field: destinations [ Invalid IP ]"

or 

"error":"Invalid field: egress_rules, Invalid field: destinations [ Invalid CIDR ]"

Product Version: 2.10

If you discover the behavior above, review your security groups for spaces or invalid characters. 

A few examples of working syntax include but not limited to:

IP and IP Ranges

0.0.0.0/0
1.1.1.1-2.2.2.2
1.1.1.1

Ports

80, 443
6000-6099

Protocol

all
udp
icmp
tcp 

For more details, please refer to the original document: The Structure and Attributes of ASGs
 

Troubleshooting

From the cf CLI, run the following command:

cf curl /v2/security_groups --output /tmp/security_groups

Using a text editor, open the file /tmp/security_groups and review it for invalid syntax, or provide it to Tanzu support via a support request with reference to this article for further analysis.