Troubleshooting your VPC

This document covers common difficulties you might encounter, and offers some helpful tips.

Using DEBUG mode or `verbose` mode when using the API

For example, you can add --verbose to your curl command and send us the X-Request-Id: value so we can troubleshoot the problem. The --verbose flag is particularly helpful if you are experiencing connectivity problems.

Another option is to add the -i flag to your curl command so that the support team can see the headers in the response of your request. This flag is helpful in most situations when you need to contact support.

API calls require a Bearer token

When you use the API with a cURL command, you might need to include "Bearer" in the Authorization header, depending on what is in the $iam_token. If it includes the word "Bearer", you don't include it again in the header. Most examples assume that "Bearer" is included in the header.

Turning on `TRACE` mode when using the CLI

To turn on TRACE (debug) mode when you use the CLI, set IBMCLOUD_TRACE=true before the CLI command.

For example:

IBMCLOUD_TRACE=true ibmcloud is pubgws

Using a different endpoint for CLI

To change the VPC API endpoint that the IBM Cloud® CLI uses by default, set the environment variable IBMCLOUD_IS_API_ENDPOINT before you use the CLI. For example,

export IBMCLOUD_IS_API_ENDPOINT=api.dev.domain.com

Common problems

Here are a few difficulties you might encounter.

Not authorized (401 or 403 error)

Your account might not be authorized for VPC. Make sure that you are using an account that has been onboarded.

IAM token expired

The service is no longer returning any JSON, instead of just giving an HTTP "401 Unauthorized" to all requests. This error occurs after about an hour if your IAM token expired. Refresh your IAM token by rerunning iam_token=$(ibmcloud iam oauth-tokens | awk '/IAM/{ print $4; }').

Cannot create VPC or other resources

If you cannot create a VPC or other resources, make sure that the owner of the account has granted you the correct permissions.

No response from API

If the API is no longer returning any JSON, it is likely your IAM token expired and needs to be refreshed. Log in to IBM Cloud again or refresh your token by running iam_token=$(ibmcloud iam oauth-tokens | awk '/IAM/{ print $4; }').

Cannot delete resources

Certain operations--creating and deleting virtual server instances, and creating and deleting subnets, for example--are completed asynchronously through the API. Because of this fact, it is recommended to poll the resources you're deleting, to check for deletion before proceeding.

It can take several minutes for resources to be deleted from the system, due to these asynchronous operations. To facilitate deletion, the best practice is to do things in this order:

Delete your instances
Delete your public gateways
Delete your subnets
Delete your VPCs

For more information, see Deleting a VPC.

Trace ID is blank

Usually, when the Trace ID is blank, it is because the JSON returned doesn't match what is expected from the API. Try running the command RIAAS_DEBUG=yes ibmcloud is server-rm 3fb7c1eb-45fd-4c85-962e-617f216e7393 (substitute your correct server ID token) and check the output.

VPC public gateway drops connection

The TCP connection between the IKS cluster and back-end database is dropped by the VPC public gateway during the TCP idle time (for example, 5 minutes).

The VPC public gateway has a fixed 4-minute timeout for TCP connections, and it is not configurable. This problem occurs because the Linux default timeout for idle time is 2 hours (only if connection is idle for 2 hours, TCP keep-alive packets are being sent).

Set the idle time to less than 4 minutes (for example, 180 seconds).