johnnyringo
Advisor

Deployment failure in GCP - 504 Resource Error, Timeout expired.

We're having zero luck deploying the CheckPoint CloudGuard IaaS R80.30 High Availability in our enterprise GCP account.  In the GCP Deployment Manager, the deployment hangs for 30 minutes, eventually getting this error:

{"ResourceType":"runtimeconfig.v1beta1.waiter","ResourceErrorCode":"504","ResourceErrorMessage":"Timeout expired."}

I also get the same error if I launch the standalone gateway with External IP requested.  As a work-around, I can set the External IP to "None", watch the deployment succeed, then add it later.

I do not have any problems deploying in my personal GCP account, so fairly certain this is a permissions or connectivity issue relating to API calls.

[Screenshot: DeployFailure.png]

5 Replies
AyGit
Contributor

Hi @johnnyringo 

Did you solve the issue?

 

Regards

johnnyringo
Advisor

Yes, it was due to our Compute Engine default service account being disabled, which had been recommended by our Google onboarding team.  The account also needs permission to create external IP addresses.  Here we are 1 year later and I don't think CheckPoint ever mentions this requirement in their documentation, so I wrote a blog post:

Deploying CheckPoint CloudGuard IaaS High Availability in GCP

 

 

AyGit
Contributor

The default service account is already enabled

[Screenshot: 2021-04-22_18h09_36.png]

and we also have the permission to create external addresses (I can view both IP addresses in GCP > VPC Network > External IP addresses).

We deployed the template again in GCP and are facing the same error message.

johnnyringo
Advisor

There are many things that can cause this.  Another requirement is that "Private Google access" must be enabled for all relevant subnets, although I think there's a more descriptive error message if it fails for that reason.

You can of course open a support case with CheckPoint, but honestly our support experiences with the GCP projects have been horrible.  Our Google SE ultimately proved to be much more helpful than CheckPoint in diagnosing the problem by looking at logs on their end, although I didn't catch exactly where he was looking.

I do know the template itself is OK, because I successfully deployed a fresh R80.30 and R80.40 BYOL clusters this morning.
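
A preflight check for two of the prerequisites named in this thread (service account enabled, Private Google Access on the cluster subnets), added here as an example and not taken from the posts or from Check Point's template. The account email, subnet names and JSON inputs are constructed samples shaped like `gcloud ... --format=json` output; the external IP permission is not covered.

```python
import json

# Constructed sample data, shaped like the JSON printed by:
#   gcloud iam service-accounts describe <EMAIL> --format=json
#   gcloud compute networks subnets list --format=json
SAMPLE_SA = json.loads("""{
  "email": "123456789012-compute@developer.gserviceaccount.com",
  "disabled": true
}""")
SAMPLE_SUBNETS = json.loads("""[
  {"name": "cp-external", "privateIpGoogleAccess": true},
  {"name": "cp-mgmt", "privateIpGoogleAccess": false},
  {"name": "cp-internal"}
]""")
# Error string quoted in the first post of this thread.
WAITER_ERROR = ('{"ResourceType":"runtimeconfig.v1beta1.waiter",'
                '"ResourceErrorCode":"504","ResourceErrorMessage":"Timeout expired."}')


def is_waiter_timeout(error_json):
    """True when a Deployment Manager error is a runtimeconfig waiter timing out."""
    err = json.loads(error_json)
    rtype = err.get("ResourceType", "")
    return (rtype.startswith("runtimeconfig.") and rtype.endswith(".waiter")
            and err.get("ResourceErrorCode") == "504")


def preflight(service_account, subnets, cluster_subnets):
    """Return a list of findings for the prerequisites named in the thread."""
    findings = []
    # The "disabled" field may be absent when the account is enabled.
    if service_account.get("disabled", False):
        findings.append("service account %s is disabled" % service_account["email"])
    by_name = {s["name"]: s for s in subnets}
    for name in cluster_subnets:
        subnet = by_name.get(name)
        if subnet is None:
            findings.append("subnet %s not found" % name)
        # Assumption: an absent field is treated as Private Google Access off.
        elif not subnet.get("privateIpGoogleAccess", False):
            findings.append("subnet %s has Private Google Access off" % name)
    return findings


if __name__ == "__main__":
    if is_waiter_timeout(WAITER_ERROR):
        for finding in preflight(SAMPLE_SA, SAMPLE_SUBNETS,
                                 ["cp-external", "cp-mgmt", "cp-internal"]):
            print("FAIL:", finding)
```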

 

AyGit
Contributor

'Private Google access' is well configured ...

I've deployed the template in my personal environment too and it works well.

We'll go deep into the GCP logs.
