Troubleshooting PCF on GCP


This topic describes how to troubleshoot known issues when deploying Pivotal Cloud Foundry (PCF) on Google Cloud Platform (GCP).

Problems Connecting with Single Sign-On (SSO)

Users may be unable to connect to applications running on PCF using SSO.


SSO does not support multiple subnets.


Ensure that you have configured only one subnet. See the Preparing the GCP Environment for Deployment topic for information.

Uploading Elastic Runtime Tile Causes Ops Manager Rails Application Crash

Uploading the Elastic Runtime (ERT) tile causes the Ops Manager Rails application to crash.


In compressed format, the ERT tile is 5 GB in size. However, when uncompressed during installation, the ERT tile requires additional disk space that can exhaust the space allocated to the boot disk.


Ensure that the boot disk is allocated at least 50 GB of space. See Step 3: Create the Ops Manager VM Instance for more information.

Problems Deploying Diego for Windows

Deploying Diego for Windows as described in fails with a PSSecurity Unauthorized Access error.

For example:

.\setup.ps1 : File C:\Users\username\Downloads\DiegoWindows\setup.ps1 
cannot be loaded. The file C:\Users\username\Downloads\DiegoWindows\setup.ps1 
is not digitally signed. You cannot run this script on the current system. 
For more information about running scripts and setting execution policy, see 
about_Execution_Policies at
At line:1 char:1
+ .\setup.ps1
+ ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess


On GCP, deploying Diego for Windows requires elevated PowerShell privileges.


As a workaround, execute the following cmdlet before running the setup.ps1 script:

Set-ExecutionPolicy Unrestricted

For more information about this cmdlet, see Using the Set-ExecutionPolicy Cmdlet.
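
A narrower variant of the workaround, as an added example that is not part of the original page or of the PCF documentation: it applies Unrestricted to the current PowerShell process only, first checks that no Group Policy scope would override it, and confirms afterwards that the persistent scopes are unchanged. It assumes setup.ps1 is in the current directory and that the script runs correctly from a process-scoped session, which the page does not confirm.

```powershell
# Added example: scope the execution-policy change to this session only.
# Assumption: setup.ps1 (from the DiegoWindows download) is in the current directory.
$script = Join-Path (Get-Location) 'setup.ps1'
if (-not (Test-Path -LiteralPath $script)) {
    throw "setup.ps1 not found at $script"
}

# Record the policy at every scope before changing anything.
$before = Get-ExecutionPolicy -List
$before | Format-Table -AutoSize

# A Group Policy scope (MachinePolicy/UserPolicy) overrides every other scope,
# so a Process-scope change would have no effect; stop and report instead.
$gpo = $before | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
}
if ($gpo) {
    throw "Execution policy is enforced by Group Policy: $($gpo.Scope -join ', ')"
}

# Show the signature state that triggered the PSSecurityException.
$sig = Get-AuthenticodeSignature -FilePath $script
Write-Host "Signature status of setup.ps1: $($sig.Status)"

# Process scope is held in $env:PSExecutionPolicyPreference and is discarded
# when this PowerShell process exits; LocalMachine and CurrentUser are untouched.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

try {
    & $script
}
finally {
    # Confirm the persistent scopes still hold their original values.
    $after = Get-ExecutionPolicy -List
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        $old = ($before | Where-Object Scope -eq $scope).ExecutionPolicy
        $new = ($after  | Where-Object Scope -eq $scope).ExecutionPolicy
        if ($old -ne $new) {
            Write-Warning "$scope policy changed from $old to $new"
        }
    }
}
```

If the cmdlet is run without -Scope, as in the workaround above, the change is written to the LocalMachine scope and persists until it is set back.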

ERT Deployment Fails - MySQL Monitor replication-canary Job

During installation of the Elastic Runtime tile, the replication-canary job fails to start. The error reported in the installation log resembles the following:

Started updating job mysql_monitor > mysql_monitor/0
(48e7ec82-3cdf-41af-9d0f-90d1f12683c8) (canary). Failed: 'mysql_monitor/0
(48e7ec82-3cdf-41af-9d0f-90d1f12683c8)' is not running after update. 
Review logs for failed jobs: replication-canary (00:05:13)

Error 400007: 'mysql_monitor/0 (48e7ec82-3cdf-41af-9d0f-90d1f12683c8)' 
is not running after update. 
Review logs for failed jobs: replication-canary


This error can appear when network traffic is configured incorrectly and communication between the Gorouter and a load balancer fails.


  1. Make sure you have selected the Forward SSL to Elastic Runtime Router option in your Elastic Runtime Network Configuration.

  2. Verify that you have configured the firewall rules properly and that TCP ports 80, 443, 2222, and 8080 are accessible on your GCP load balancers. See Create Firewall Rules for the Network.

  3. Verify that you have configured the proper SSL certificates on your HTTP(S) load balancer in GCP.

  4. If necessary, re-upload a new certificate and update any required SSL Certificate and SSH Key fields in your Elastic Runtime network configuration.

Insufficient External Database Permissions

Upgrade issues can occur when the external database user for the network policy database has insufficient permissions. To avoid this upgrade issue, ensure that the networkpolicyserver database user has the ALL PRIVILEGES permission.
