UI: Invalid Snapshot via Performance Standby Nodes – HashiCorp Help Center

With the use of Vault Enterprise it's possible to encounter issues when a snapshot is download from a performance standby node (ie not Leader).

In this scenario, the downloaded snapshot.gz file may be invalid and only a few bytes in size (for example, 9 bytes). Attempting to run a snapshot inspection against this file will fail, indicating that the snapshot is corrupted or not valid.

vault operator raft snapshot inspect snapshot.gz

Error reading snapshot: failed to decompress snapshot: unexpected EOF

This is a known limitation in the product is common to all versions including Vault 1.21.0 and prior.

Resolution and Workaround

Always download snapshots directly from the current leader node, either through its UI or API.
Ensure your routing or load balancer configuration directs snapshot-related requests exclusively to the leader node.
Consider creating a separate DNS entry dedicated to administrative tasks (such as snapshot operations) that routes only to the leader node.

Related Resources:

Vault Support KB: CLI / API snapshot save fails with message: "Error taking snapshot: incomplete snapshot, unable to read SHA256SUMS.sealed file"
GitHub Issue: vault operator raft snapshot save and restore fail to handle redirection to the active node

Resolution and Workaround

Related Resources:

Articles in this section