Session Failures
This guide covers common issues you may encounter when starting, managing, or extending sessions in EntryGuard.
Session Stays in Pending
What you see: After clicking Start Session, the session appears in the table with a Pending (blue) status badge and doesn't change to Active.
Common Causes:
Task Queue Backlog
Sessions are processed asynchronously. During peak usage, there may be a short delay.
Resolution:
- Wait 1-2 minutes for the system to process your session
- Refresh the page to check for status updates
- If the session is still Pending after 5 minutes, contact your administrator
Invalid Credentials
The cloud credentials associated with your session's resources may be invalid or expired.
Resolution (Admin):
- Navigate to Credentials under the Admin section in the sidebar
- Check the credential's status column — look for Invalid (red)
- If invalid, delete the credential and create a new one with valid keys
- See Credential Issues for detailed troubleshooting
Session Status is Partial
What you see: The session shows a Partial (yellow) status badge instead of Active (green). When you expand the session row, some resource IPs show Applied while others show Failed.
What this means: IP rules were successfully applied to some resources but failed on others. You can still access the resources that succeeded.
Common Causes:
Security Group Rule Limit Reached
AWS Security Groups have a maximum of 60 rules per group (ingress + egress combined).
Resolution:
- Review the Security Group in AWS Console and remove unused rules
- Consider splitting resources across multiple Security Groups
- Contact your administrator to clean up stale rules
Insufficient Credential Permissions
The IAM user may lack write permissions for some resources.
Resolution (Admin):
- Expand the session row to see which resources failed and their error messages
- Check that the IAM policy includes
ec2:AuthorizeSecurityGroupIngressfor the affected resources - Navigate to IAM Policy under the Admin section to generate the correct policy
- Update the IAM policy in AWS Console
Resource Deleted in Cloud Provider
The resource may have been deleted in AWS but still exists in EntryGuard.
Resolution (Admin):
- Verify the resource still exists in AWS Console
- If deleted, navigate to Resources under the Admin section and remove it
- Start a new session with only active resources
Session Status is Failed
What you see: The session shows a Failed (red) status badge. When you expand the session row, all resource IPs show Failed.
What this means: None of the resources could be updated. This is almost always a credential or permission issue.
Common Causes:
Invalid or Expired Credentials
The credentials have been rotated, deleted, or the IAM user is disabled in AWS.
Resolution (Admin):
- Navigate to Credentials under the Admin section
- Check the status column for the credential used by the failed resources
- If Invalid (red), delete the credential and create a new one with valid AWS access keys
- Update the affected resources to use the new credential
Missing Required Permissions
The IAM policy attached to the credential's IAM user is too restrictive.
Resolution (Admin):
- Navigate to IAM Policy under the Admin section to generate the correct policy
- The IAM user needs at minimum:
ec2:AuthorizeSecurityGroupIngressec2:RevokeSecurityGroupIngressec2:DescribeSecurityGroupssts:GetCallerIdentity
- Apply the policy in AWS IAM Console
- See the IAM Policy guide for step-by-step instructions
Wrong AWS Region
The credential is configured for a different region than the resources.
Resolution (Admin):
- Navigate to Credentials and check the credential's region
- Ensure all resources are in the same region as the credential
- Create separate credentials for each AWS region if managing multi-region resources
Cannot Extend Session
What you see: Clicking the +2h button shows an error or the button is disabled.
Common Causes:
Maximum Duration Reached
EntryGuard enforces maximum session durations based on your subscription tier:
| Plan | Max Duration |
|---|---|
| Free | 2 hours |
| Starter / Team / Business | 24 hours |
Your role may also have a custom maximum duration that is lower than the tier limit.
Resolution:
- Stop the current session and start a new one
- Contact your administrator to increase the maximum duration on your role (configured on the Roles page)
- Upgrade to a paid plan if you need sessions longer than 2 hours
"No Resources Available"
What you see: The Start Session dialog shows no resources to select, or you see an error.
Common Causes:
No Roles Assigned
Your user account has no roles assigned, so you have no resources to start sessions on.
Resolution: Contact your organization administrator to assign you to one or more roles on the Roles page.
Roles Have No Resources
Your roles exist but have no resources attached.
Resolution: Contact your organization administrator to assign resources to your role(s) on the Roles page.
Getting Help
If you've tried the solutions above and are still experiencing issues:
- Check audit logs — Ask your administrator to check the Audit Logs page for session-related events
- Gather information — Note the session status, which resources failed, and any error messages shown when expanding the session row
- Contact support at [email protected] with the above information for faster resolution