Cause(value)

Drop cause types:

Enums

Name | Description |
---|---|
CAUSE_UNSPECIFIED | Cause is unspecified. |
UNKNOWN_EXTERNAL_ADDRESS | Destination external address cannot be resolved to a known target. If the address is used in a Google Cloud project, provide the project ID as test input. |
FOREIGN_IP_DISALLOWED | A Compute Engine instance can only send or receive a packet with a foreign IP address if ip_forward is enabled. |
FIREWALL_RULE | Dropped due to a firewall rule, unless allowed due to connection tracking. |
NO_ROUTE | Dropped due to no matching routes. |
ROUTE_BLACKHOLE | Dropped due to invalid route. Route's next hop is a blackhole. |
ROUTE_WRONG_NETWORK | Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2's IP address to Network3. |
ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED | Route's next hop IP address cannot be resolved to a GCP resource. |
ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND | Route's next hop resource is not found. |
ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK | Route's next hop instance doesn't have a NIC in the route's network. |
ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP | Route's next hop IP address is not a primary IP address of the next hop instance. |
ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH | Route's next hop forwarding rule doesn't match next hop IP address. |
ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED | Route's next hop VPN tunnel is down (does not have valid IKE SAs). |
ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID | Route's next hop forwarding rule type is invalid (it's not a forwarding rule of the internal passthrough load balancer). |
NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS | Packet is sent from the Internet to the private IPv6 address. |
VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH | The packet does not match a policy-based VPN tunnel local selector. |
VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH | The packet does not match a policy-based VPN tunnel remote selector. |
PRIVATE_TRAFFIC_TO_INTERNET | Packet with internal destination address sent to the internet gateway. |
PRIVATE_GOOGLE_ACCESS_DISALLOWED | Instance with only an internal IP address tries to access Google API and services, but Private Google Access is not enabled in the subnet. |
PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED | Source endpoint tries to access Google API and services through the VPN tunnel to another network, but Private Google Access needs to be enabled in the source endpoint network. |
NO_EXTERNAL_ADDRESS | Instance with only an internal IP address tries to access external hosts, but Cloud NAT is not enabled in the subnet, unless special configurations on a VM allow this connection. |
UNKNOWN_INTERNAL_ADDRESS | Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project. |
FORWARDING_RULE_MISMATCH | Forwarding rule's protocol and ports do not match the packet header. |
FORWARDING_RULE_NO_INSTANCES | Forwarding rule does not have backends configured. |
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK | Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. For more details, see Health check firewall rules. |
INGRESS_FIREWALL_TAGS_UNSUPPORTED_BY_DIRECT_VPC_EGRESS | Matching ingress firewall rules by network tags for packets sent via serverless VPC direct egress is unsupported. Behavior is undefined. See https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#limitations |
INSTANCE_NOT_RUNNING | Packet is sent from or to a Compute Engine instance that is not in a running state. |
GKE_CLUSTER_NOT_RUNNING | Packet sent from or to a GKE cluster that is not in a running state. |
CLOUD_SQL_INSTANCE_NOT_RUNNING | Packet sent from or to a Cloud SQL instance that is not in a running state. |
REDIS_INSTANCE_NOT_RUNNING | Packet sent from or to a Redis Instance that is not in a running state. |
REDIS_CLUSTER_NOT_RUNNING | Packet sent from or to a Redis Cluster that is not in a running state. |
TRAFFIC_TYPE_BLOCKED | The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic. |
GKE_MASTER_UNAUTHORIZED_ACCESS | Access to Google Kubernetes Engine cluster master's endpoint is not authorized. See Access to the cluster endpoints. |
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS | Access to the Cloud SQL instance endpoint is not authorized. See Authorizing with authorized networks. |
DROPPED_INSIDE_GKE_SERVICE | Packet was dropped inside Google Kubernetes Engine Service. |
DROPPED_INSIDE_CLOUD_SQL_SERVICE | Packet was dropped inside Cloud SQL Service. |
GOOGLE_MANAGED_SERVICE_NO_PEERING | Packet was dropped because there is no peering between the originating network and the Google Managed Services Network. |
GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT | Packet was dropped because the Google-managed service uses Private Service Connect (PSC), but the PSC endpoint is not found in the project. |
GKE_PSC_ENDPOINT_MISSING | Packet was dropped because the GKE cluster uses Private Service Connect (PSC), but the PSC endpoint is not found in the project. |
CLOUD_SQL_INSTANCE_NO_IP_ADDRESS | Packet was dropped because the Cloud SQL instance has neither a private nor a public IP address. |
GKE_CONTROL_PLANE_REGION_MISMATCH | Packet was dropped because a GKE cluster private endpoint is unreachable from a region different from the cluster's region. |
PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION | Packet sent from a public GKE cluster control plane to a private IP address. |
GKE_CONTROL_PLANE_NO_ROUTE | Packet was dropped because there is no route from a GKE cluster control plane to a destination network. |
CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC | Packet sent from a Cloud SQL instance to an external IP address is not allowed. The Cloud SQL instance is not configured to send packets to external IP addresses. |
PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION | Packet sent from a Cloud SQL instance with only a public IP address to a private IP address. |
CLOUD_SQL_INSTANCE_NO_ROUTE | Packet was dropped because there is no route from a Cloud SQL instance to a destination network. |
CLOUD_SQL_CONNECTOR_REQUIRED | Packet was dropped because the Cloud SQL instance requires all connections to use Cloud SQL connectors and to target the Cloud SQL proxy port (3307). |
CLOUD_FUNCTION_NOT_ACTIVE | Packet could be dropped because the Cloud Function is not in an active status. |
VPC_CONNECTOR_NOT_SET | Packet could be dropped because no VPC connector is set. |
VPC_CONNECTOR_NOT_RUNNING | Packet could be dropped because the VPC connector is not in a running state. |
VPC_CONNECTOR_SERVERLESS_TRAFFIC_BLOCKED | Packet could be dropped because the traffic from the serverless service to the VPC connector is not allowed. |
VPC_CONNECTOR_HEALTH_CHECK_TRAFFIC_BLOCKED | Packet could be dropped because the health check traffic to the VPC connector is not allowed. |
FORWARDING_RULE_REGION_MISMATCH | Packet could be dropped because it was sent from a different region to a regional forwarding without global access. |
PSC_CONNECTION_NOT_ACCEPTED | The Private Service Connect endpoint is in a project that is not approved to connect to the service. |
PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK | The packet is sent to the Private Service Connect endpoint over the peering, but it's not supported. |
PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS | The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule does not have global access enabled. |
PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS | The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule has multiple ports specified. |
CLOUD_SQL_PSC_NEG_UNSUPPORTED | The packet is sent to the Private Service Connect backend (network endpoint group) targeting a Cloud SQL service attachment, but this configuration is not supported. |
NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT | No NAT subnets are defined for the PSC service attachment. |
PSC_TRANSITIVITY_NOT_PROPAGATED | PSC endpoint is accessed via NCC, but PSC transitivity configuration is not yet propagated. |
HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED | The packet sent from the hybrid NEG proxy matches a non-dynamic route, but such a configuration is not supported. |
HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED | The packet sent from the hybrid NEG proxy matches a dynamic route with a next hop in a different region, but such a configuration is not supported. |
CLOUD_RUN_REVISION_NOT_READY | Packet sent from a Cloud Run revision that is not ready. |
DROPPED_INSIDE_PSC_SERVICE_PRODUCER | Packet was dropped inside Private Service Connect service producer. |
LOAD_BALANCER_HAS_NO_PROXY_SUBNET | Packet sent to a load balancer, which requires a proxy-only subnet and the subnet is not found. |
CLOUD_NAT_NO_ADDRESSES | Packet sent to Cloud NAT without active NAT IPs. |
ROUTING_LOOP | Packet is stuck in a routing loop. |
DROPPED_INSIDE_GOOGLE_MANAGED_SERVICE | Packet is dropped inside a Google-managed service due to being delivered in return trace to an endpoint that doesn't match the endpoint the packet was sent from in forward trace. Used only for return traces. |
LOAD_BALANCER_BACKEND_INVALID_NETWORK | Packet is dropped due to a load balancer backend instance not having a network interface in the network expected by the load balancer. |
BACKEND_SERVICE_NAMED_PORT_NOT_DEFINED | Packet is dropped due to a backend service named port not being defined on the instance group level. |
DESTINATION_IS_PRIVATE_NAT_IP_RANGE | Packet is dropped due to a destination IP range being part of a Private NAT IP range. |
DROPPED_INSIDE_REDIS_INSTANCE_SERVICE | Generic drop cause for a packet being dropped inside a Redis Instance service project. |
REDIS_INSTANCE_UNSUPPORTED_PORT | Packet is dropped due to an unsupported port being used to connect to a Redis Instance. Port 6379 should be used to connect to a Redis Instance. |
REDIS_INSTANCE_CONNECTING_FROM_PUPI_ADDRESS | Packet is dropped due to connecting from PUPI address to a PSA based Redis Instance. |
REDIS_INSTANCE_NO_ROUTE_TO_DESTINATION_NETWORK | Packet is dropped due to no route to the destination network. |
REDIS_INSTANCE_NO_EXTERNAL_IP | Redis Instance does not have an external IP address. |
REDIS_INSTANCE_UNSUPPORTED_PROTOCOL | Packet is dropped due to an unsupported protocol being used to connect to a Redis Instance. Only TCP connections are accepted by a Redis Instance. |
DROPPED_INSIDE_REDIS_CLUSTER_SERVICE | Generic drop cause for a packet being dropped inside a Redis Cluster service project. |
REDIS_CLUSTER_UNSUPPORTED_PORT | Packet is dropped due to an unsupported port being used to connect to a Redis Cluster. Ports 6379 and 11000 to 13047 should be used to connect to a Redis Cluster. |
REDIS_CLUSTER_NO_EXTERNAL_IP | Redis Cluster does not have an external IP address. |
REDIS_CLUSTER_UNSUPPORTED_PROTOCOL | Packet is dropped due to an unsupported protocol being used to connect to a Redis Cluster. Only TCP connections are accepted by a Redis Cluster. |
NO_ADVERTISED_ROUTE_TO_GCP_DESTINATION | Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix advertised via BGP by the Cloud Router. |
NO_TRAFFIC_SELECTOR_TO_GCP_DESTINATION | Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix included in the local traffic selector of the VPN tunnel. |
NO_KNOWN_ROUTE_FROM_PEERED_NETWORK_TO_DESTINATION | Packet from the unknown peered network is dropped due to no known route from the source network to the destination IP address. |
PRIVATE_NAT_TO_PSC_ENDPOINT_UNSUPPORTED | Sending packets processed by the Private NAT Gateways to the Private Service Connect endpoints is not supported. |
PSC_PORT_MAPPING_PORT_MISMATCH | Packet is sent to the PSC port mapping service, but its destination port does not match any port mapping rules. |
PSC_PORT_MAPPING_WITHOUT_PSC_CONNECTION_UNSUPPORTED | Sending packets directly to the PSC port mapping service without going through the PSC connection is not supported. |
UNSUPPORTED_ROUTE_MATCHED_FOR_NAT64_DESTINATION | Packet with destination IP address within the reserved NAT64 range is dropped due to matching a route of an unsupported type. |