Connection via Cloud Identity-Aware Proxy Failed Code: 4010


Neelam Jain

Feb 22, 2021, 9:32:28 AM
to gce-discussion

Hello,

I was able to connect to my compute engine via browser until yesterday. However, from today I have suddenly started receiving the following:

Connection via Cloud Identity-Aware Proxy Failed Code: 4010

I have checked the firewall settings and they look OK.
It has "ALLOW" permission for IP ranges 0.0.0.0/0 with the following
Protocols and ports:
tcp:22
tcp:3389

I am also not able to connect using WinSCP with SFTP on port 22. This was also working until yesterday.

Please help by providing any details.

Fady (Google Cloud Platform)

Feb 22, 2021, 8:38:46 PM
to gce-discussion
If the firewall rule allows IAP to connect, it might be an issue with the instance itself. One theory could be the internal firewall rule. Another could be that the instance is not responsive due to utilization.

As a first step you can verify serial port console logs for existing errors on the instance. Rebooting the instance as per this third party article (we do not endorse but rather as an example) seems to have fixed the issue. You may also try using gcloud commands in Cloud Shell with the "verbosity=debug" flag to get a better idea of the step at which it is failing. Another approach is to spin up a VM in the same VPC, SSH to it and SSH from it to the troublesome instance through internal IPs (if using the gcloud compute SSH command, use the --internal-ip flag from the new instance).

This would test two things. The first is connectivity, meaning if you are not able to connect to the fresh instance, then it is connectivity related and reviewing firewall rules again would be beneficial. The second is that if you are able to connect to the new instance, and you are not able to connect from it to the troublesome instance, it is most probably an issue with the troublesome VM itself.

As this is more of a technical question, I suggest posting at serverfault.com as you have a larger community that might help. When posting there, provide all the tests and log output mentioned above. Make sure you redact any personally identifiable information including project IDs and instance IDs. I hope the above helps.


Neelam Jain

Feb 23, 2021, 7:28:05 AM
to gce-discussion
Thanks for the detailed answer. You are right. It looks like an issue with the VM.
I have taken an image of the VM and used the same to build a fresh VM. I was able to log in to the new VM. However, I could not do sudo su --. I get the error "sudo: /etc/sudoers.d is world writable". It is possible that I may have changed the permissions under the /etc folder. Is there any way I can recover? I need to get root access.

Fady (Google Cloud Platform)

Feb 23, 2021, 8:09:47 PM
to gce-discussion
This is an interesting technical error. I encourage you to comment on the stackexchange link you provided. The platform has more experts on Linux who can help. However, another way to go about it is to attach and mount the boot disk as an additional disk to a new instance (same zone), SSH into it, and try to repair the permissions on the old disk. Here is a guide about detaching/attaching a boot disk on the existing instance and another on attaching it when creating a new instance. I hope this helps.
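
The permission repair suggested in the last reply, as an added example that is not part of the thread or of any Google guide: once the old boot disk is mounted on the rescue instance, the script below lists what is still world-writable under its `/etc` and restores the modes sudo accepts. The mount point argument (for example `/mnt/rescue`), the function names, and the choice of 0755 for the directory and 0440 for the files are assumptions.

```shell
#!/bin/sh
# Added example: repair sudo-related permissions on an old boot disk that
# is mounted on a rescue VM. The mount point is an argument (assumption,
# e.g. /mnt/rescue); the rescue VM's own /etc is never touched.

# Print every world-writable entry under ROOT/etc. Symlinks are skipped
# because their mode bits are not meaningful.
list_world_writable() {
    find "$1/etc" -xdev ! -type l -perm -0002 -print
}

# sudo refuses to run when sudoers files or /etc/sudoers.d are
# world-writable or not owned by uid 0. Restore 0440 on the files and
# 0755 on the directory (assumed modes), owned by uid 0.
fix_sudoers_perms() {
    root=$1
    [ -d "$root/etc" ] || { echo "no etc directory under $root" >&2; return 1; }
    if [ -f "$root/etc/sudoers" ]; then
        chmod 0440 "$root/etc/sudoers"
    fi
    if [ -d "$root/etc/sudoers.d" ]; then
        chmod 0755 "$root/etc/sudoers.d"
        find "$root/etc/sudoers.d" -xdev -type f -exec chmod 0440 {} +
    fi
    # Ownership can only be changed as root. Numeric ids are used because
    # user names on the rescue VM may not match the old disk.
    if [ "$(id -u)" -eq 0 ]; then
        if [ -f "$root/etc/sudoers" ]; then chown 0:0 "$root/etc/sudoers"; fi
        if [ -d "$root/etc/sudoers.d" ]; then chown -R 0:0 "$root/etc/sudoers.d"; fi
    fi
    return 0
}

# Run only when a mount point is given: sh fix-sudoers.sh /mnt/rescue
if [ "$#" -ge 1 ]; then
    fix_sudoers_perms "$1" || exit 1
    echo "Still world-writable under $1/etc (review each by hand):"
    list_world_writable "$1"
fi
```

Anything the second step still lists was changed by the same mistake and needs its own decision; the script deliberately does not bulk-reset modes across the rest of `/etc`.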
