Windows failing to activate when using NAT


Turan Asikoglu

Jun 14, 2017, 9:15:35 AM
to gce-discussion
Hi there,

I've created a subnet which contains a Linux powered NAT instance which acts as our internet gateway for other instances inside our VPC.

All of our Windows instances are failing to activate and error messages mention failing to establish connectivity with "kms.windows.googlecloud.com". I have however verified connectivity by using telnet and connecting to kms.windows.googlecloud.com:1688.
I have also verified the Windows instances have both Internet connectivity and connectivity to other instances.

I'm a bit lost as to what to do now. Is anyone else running a similar setup?

It's worth mentioning we are also using Shared VPCs in this project.

Turan Asikoglu

Jun 14, 2017, 10:55:00 AM
to gce-discussion
Running slmgr.vbs /ato:

Activating Windows(R), ServerDatacenter edition (00091344-1ea4-4f37-b789-01750ba6988c) ...
Error: 0xC004F074 The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.

Carlos (Cloud Platform Support)

Jun 14, 2017, 3:44:30 PM
to gce-dis...@googlegroups.com

I am not familiar with how KMS works, but running it behind a proxy might need additional settings.

Moreover, since KMS seems to use RPC, opening other ports might be needed, not only in the Google firewall but also on your Windows VM.

I find it awkward that the authentication is failing even after adding an external IP. To isolate the issue, there are a couple of tests you could try:

  1. Create a new network and a new server. See if that works.

  2. Take a snapshot of the original servers that are failing to authenticate. From that snapshot create a new server in the new network and see if that works.

There could be a routing problem either in the original network or on the server configurations.

Amruta Gulanikar

Jun 15, 2017, 1:49:01 AM
to gce-discussion

Google Compute Engine handles licensing for Windows Server when you create and start Windows instances. To activate a Windows VM, it must have an external IP address assigned to it. The external IP address is required to activate a Windows instance with Google's KMS servers. You cannot turn off the external IP for a Windows VM on Google Compute Engine, as it requires re-activation every 30 days.

 

The NAT will not work, as we need an external IP as the identifier to validate the Windows VM that is requesting the activation. We are actively working on a fix to address this issue and to make it so you can activate VMs with an internal IP only. In the meantime, if you wish to restrict outbound communication, you can set up egress firewall rules as follows:

  • Create a deny egress firewall rule for the IP range 0.0.0.0/0 on all ports.

  • Create an allow egress rule to the IP 173.255.119.204 and the port tcp:1688. This will allow the VM to talk to the KMS servers.

  • The allow rule should have a higher priority (i.e. a lower number) than the deny rule.

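The egress rule pair from the previous reply, written out as gcloud commands. This is an added example, not something posted in the thread or shipped by Google: the network name, rule names and priority numbers are assumptions; the KMS address 173.255.119.204 and port tcp:1688 are the values stated above. GCLOUD defaults to echo so the script only prints the commands; set GCLOUD=gcloud to apply them.

```shell
#!/bin/sh
# Added example: egress rules that block all outbound traffic except the
# Google KMS endpoint named in the thread. Rule names, priorities and the
# network name are assumptions; IP and port come from the thread.
GCLOUD="${GCLOUD:-echo}"        # dry run by default; GCLOUD=gcloud to apply
KMS_IP="173.255.119.204"
KMS_PORT="tcp:1688"
ALLOW_PRIORITY=1000             # lower number = evaluated first (wins)
DENY_PRIORITY=65000

# Allow rule: only the KMS address on its single port.
kms_allow_rule() {
  $GCLOUD compute firewall-rules create allow-egress-kms \
    --network="$1" --direction=EGRESS --action=ALLOW \
    --rules="$KMS_PORT" --destination-ranges="$KMS_IP/32" \
    --priority="$ALLOW_PRIORITY"
}

# Deny rule: everything else, all ports, to 0.0.0.0/0.
kms_deny_rule() {
  $GCLOUD compute firewall-rules create deny-egress-all \
    --network="$1" --direction=EGRESS --action=DENY \
    --rules=all --destination-ranges=0.0.0.0/0 \
    --priority="$DENY_PRIORITY"
}

# The check the thread insists on: the allow rule must outrank the deny rule.
priorities_ok() {
  [ "$ALLOW_PRIORITY" -lt "$DENY_PRIORITY" ]
}

# Create the allow rule before the deny rule so activation traffic is never
# blocked in between; refuse to proceed if the priorities are inverted.
kms_egress_rules() {
  priorities_ok || {
    echo "allow priority ($ALLOW_PRIORITY) must be a lower number than deny ($DENY_PRIORITY)" >&2
    return 1
  }
  kms_allow_rule "$1" && kms_deny_rule "$1"
}

kms_egress_rules "${1:-default}"
```

The KMS address is the one given in the 2017 reply; check it against current Google documentation before relying on it, since a stale address leaves the VM unable to reach KMS at all once the deny rule is in place.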

Turan Asikoglu

Jun 15, 2017, 5:29:48 AM
to gce-discussion
@Carlos: Thanks for your reply. I think I didn't give enough time for the changes to the routing table to fully propagate when switching gateways. I retried attaching an external IP to the instance and it does work.

@Amruta: Thanks for your reply and your firewall suggestions, we'll use that within our project.

Ta!

Franco König

May 17, 2018, 10:34:55 AM
to gce-discussion
I have exactly the same issue.

I tried to add my VMs, which have only internal access, to the NAT route, so I set up:
gcloud compute instances add-tags myvmwithoutkms --tags internet-nat --zone europe-west1-c

Then I have internet, but activation still fails. Do I need a firewall rule for port 1688 as well? If yes, does someone have the exact command for that?
My thinking is that Google must move further forward here; it cannot be that a VM needs an external IP for that process, and then you must do that every 180 days?

No, I hope there is now a better solution.

regards
franco

Franco König

May 17, 2018, 10:34:55 AM
to gce-discussion
Hi all,

I have the same issue, so is it not enough to give the VM internet over NAT?
I did this here on my VM:
gcloud compute instances add-tags myserverwithoutkms --tags internet-nat --zone europe-west1-c

I then have internet, but slmgr /ato does not work. Must I add a firewall rule as well? If yes, does someone have the exact gcloud command?

I think that is something where Google must work further forward; it cannot be that a key feature like KMS needs an external IP only for that, so every 180 days you must add this external IP?

regards
franco

On Wednesday, 14 June 2017 15:15:35 UTC+2, Turan Asikoglu wrote:

Michał Choroszy

Jun 12, 2018, 8:56:16 AM
to gce-discussion
Hello Amruta!

Is there any ETA for a fix for this issue?

Adaikal Raj

Jun 25, 2018, 3:40:28 PM
to gce-discussion
Hello,

Is there any update on this issue? We want to restrict our network traffic at L7. We are unable to do it, as the Windows license is not activating behind a proxy.

OriScrapAttack

Jul 9, 2018, 8:55:49 AM
to gce-discussion
Any update on this?
Over a year ago it was said to be actively worked on, so I expect a working solution to this problem.


On Wednesday, 14 June 2017 15:15:35 UTC+2, Turan Asikoglu wrote:

Karthick (Cloud Platform Support)

Jul 9, 2018, 6:39:10 PM
to gce-discussion
Hello,

This feature is still in development and being tested internally, and I do not have an ETA at the moment. Be sure to follow the GCP official blog [1], as it will likely be posted there. As a workaround, you may have to follow the suggestions provided by @Amruta.
