How to install the Security Center agent - Security Center

The Security Center agent is a lightweight security proxy that you deploy on your servers. After installation, it provides unified security management for all your servers, whether they are in the cloud or on-premises. This enables core protection features such as asset information collection, risk discovery, intrusion detection, and compliance checks. The agent is the foundation for securing your business assets and achieving centralized risk management and threat response.

How the agent works

The Security Center agent is a lightweight proxy that runs on your target server. Its workflow is as follows:

Installation and registration: When you run the installation command, the agent automatically downloads and registers its identity with the service using a unique installation key.
Data collection: The agent runs in the background to collect key security data in real time, such as processes, network connections, and logon behaviors.
Data reporting: The agent securely reports the collected data to the service over a Transport Layer Security (TLS) encrypted channel and adapts to different network environments, such as those that use a proxy.
Command execution: The agent receives and executes security commands from the service, such as vulnerability scans and baseline checks, and then reports the results.
Status synchronization: The agent sends periodic heartbeat signals to report its online and health status. This ensures that the console can display the real-time protection status of your servers.

Scope of application

System version: The agent must be installed on a supported operating system version. For more information, see Operating systems supported by the Security Center agent.
Server ownership: You can install the agent only on servers that belong to your current Alibaba Cloud account. Cross-account installation is not supported.
Note
To use Security Center to protect resources that belong to other Alibaba Cloud accounts, you can use the multi-account management feature.

Preparations

Installation notes

Installation time: The installation process takes about 5 minutes for a single server.
Resource usage: The agent is a lightweight proxy. During high-payload tasks such as scans, the resource consumption (CPU and memory) of the agent may temporarily increase.
Business impact: The installation process does not require a server restart and does not interrupt normal business operations.

Clean up previous installations

If the agent was previously installed on the server, you must first uninstall the agent and then manually check for and delete any remaining files in the installation directory. The default paths are as follows:

Linux: /usr/local/aegis.
Windows: C:\Program Files\Alibaba\aegis (32-bit) or C:\Program Files (x86)\Alibaba\aegis (64-bit).

Confirm assets to be installed

Log on to the Security Center console.
In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Agent > Agent Not Installed tab, view the number and list of servers where the agent is not installed.

Choose an installation method

Installation method	Scenarios	Key advantages
One-click installation	For running Alibaba Cloud ECS instances that are in a supported region, use a VPC, and have Cloud Assistant installed.	Simple. You can install the agent from the console without logging on to the server.
General installation	For any server with Internet access, including Alibaba Cloud ECS instances and servers that are not hosted on Alibaba Cloud.	Highly versatile. Supports all major operating systems.
Batch installation using an image	For creating multiple new servers with the agent pre-installed in a scalable and standardized way.	Scalable deployment. Create once, reuse for multiple deployments.
Installation in restricted or complex network environments	For servers without direct Internet access, with unstable network connectivity, or that require a specific endpoint.	Adapts to complex network scenarios using a proxy or leased line.

Detailed installation steps

One-click installation

Scenarios

You can use one-click installation if your Alibaba Cloud ECS instance meets all the following conditions:

The ECS instance is in the Running state and has the Cloud Assistant client installed.
Note
If the Cloud Assistant client is not installed on the server, you must install it first. For more information, see Cloud Assistant.
The network type is VPC.

The ECS instance must be in one of the following regions.

Region category	Region name
Asia-Pacific	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong) Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Japan (Tokyo)
Europe and Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East and India	UAE (Dubai)

Third-party security software is disabled or uninstalled to prevent installation conflicts.
Note
After the Security Center agent is installed, you can restart or reinstall the original third-party security software as needed.

Procedure

Log on to the Security Center console.
In the navigation pane on the left, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: China or Outside China.
On the Agent > Agent Not Installed tab, find the target server and click Install Agent in the Actions column.
Note
You can also select multiple servers and click Install to install the agent in batches.

General installation

Scenarios

Use this method for any server with Internet access.

Procedure

Log on to the Security Center console.
In the navigation pane on the left, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

On the Agent > Installation Command tab, copy the installation command that corresponds to your server's operating system.

Note

The command includes a dedicated installation key, which is the value after -k.

Default installation command: A quick and convenient option that requires no extra configuration. Use this when you do not need to immediately assign the asset to a specific group.
Custom installation command: A flexible option that lets you configure the server group and command expiration time. Use this to automate asset categorization during installation for fine-grained management.

Default installation command

Servers on which the agent is installed using the default installation command are assigned to the Ungrouped group. For more information about how to view and create server groups, see Manage server groups.

Custom installation command

Click Create Installation Command, configure the basic information of the command, and then click OK. Then, on the Installation Command page, view and copy the new command. The configuration information of the new installation command is described in the following table:

Configuration item	Description
Expiration Time	The expiration time of the command. After the command expires, it becomes invalid and the agent cannot be installed.
Service Provider	From the drop-down list, select the SP of the server.
Default Group	Select a server group. For more information about how to view and create server groups, see Manage server groups.
OS	Select the operating system of the server on which you want to install the agent.
Create Image System	Select No.
Access Method	Set the connection type of the server to Public Endpoint. The server communicates with the Security Center service directly through a public IP address, without requiring extra proxy or PrivateLink configurations.

Log on to the server and run the installation command with administrator or root permissions.
- Windows: In Command Prompt (CMD) or PowerShell, run the copied installation command to download and install the agent.
- Linux: In the command-line interface of the server, run the copied installation command to download and install the agent plugin.

Batch installation using an image

Scenarios

This method is suitable for scenarios where you need to create servers on a large scale. The core principle is to install the agent files on a template server without activating them, and then create an image from that server.

Procedure

Prepare a template server and generate an image installation command
1. Prepare a clean server to be used as an image template. Make sure that no third-party security software is installed on the server.
2. Log on to the Security Center console.
3. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
4. On the Agent > Installation Command tab, click Create Installation Command and configure the following parameters in the dialog box that appears:
  - Create Image System: Select Yes. This is the most critical step.
  - OS: Select the operating system that matches the template server.
  - Other options (such as Default Group): Configure the options as needed. For more information, see Configuration items.
Run the installation on the template server
1. Log on to the template server with administrator permissions.
2. Run the image installation command that you copied in the previous step. The script downloads the required agent files to the specified directory but does not start any service processes.
3. After the installation is complete, immediately shut down the template server. Do not restart the template server.
Create and use the image
Warning
- Do not restart the template server when you create the image.
- Before you use the same template server to create multiple images, make sure to uninstall and clean up the old agent and obtain a new installation command. This prevents registration failures that are caused by conflicting unique agent identifiers (agent IDs).
1. Use the powered-off template server to create a custom OS image. For more information, see Create a custom image.
2. Use the image to create a new server instance. For more information, see Create an ECS instance from a custom image.
3. The agent automatically completes initialization when the new instance starts for the first time. It generates a unique identifier (agent ID) and connects to Security Center.

Installation in restricted or complex network environments

Scenarios

Security Center provides the following installation methods for complex network environments:

Access via proxy: For servers that cannot directly access the Internet.
Access via a leased line that is not provided by Alibaba Cloud (outside China): When you connect to an Alibaba Cloud region over a leased line, you need to specify the region-specific domain name of Security Center.

Procedure

Important

The host on which you run this installation command must be able to access the Security Center service endpoints through the specified method, such as the Internet, a proxy, a leased line, or a VPN.
This installation command does not support 32-bit Linux operating systems.

Access via proxy

First, deploy and configure a proxy cluster. For more information, see Access via proxy.
Log on to the Security Center console.
In the navigation pane on the left, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese MainlandOutside China.
On the Agent > Installation Command tab, click Create Installation Command and configure the following parameters in the dialog box that appears:
- Access Method: Select Self-managed Proxy Cluster and select the created proxy cluster from the drop-down list. This is the most critical step.
- Create Image System: Select No.
  Note
  If you select Yes, see Batch installation using an image to complete the subsequent steps.
- OS: Select the operating system that matches the target server.
- Other options (such as Default Group): Configure the options as needed. For more information, see Configuration items.
Use the generated command to install the agent. The agent communicates with Security Center through the specified proxy.

Access via a leased line that is not provided by Alibaba Cloud (outside China)

The following table lists the region-specific domain names of Security Center for servers that are not hosted on Alibaba Cloud and are located outside China.

Important

Make sure that the corresponding region-specific domain name of Security Center is accessible.

Region	Domain name
Malaysia (Kuala Lumpur)	jsrv-ap-southeast-3.aegis.aliyuncs.com update-ap-southeast-3.aegis.aliyuncs.com
Philippines (Manila)	jsrv-ap-southeast-6.aegis.aliyuncs.com update-ap-southeast-6.aegis.aliyuncs.com
South Korea (Seoul)	jsrv-ap-northeast-2.aegis.aliyuncs.com update-ap-northeast-2.aegis.aliyuncs.com
Thailand (Bangkok)	jsrv-ap-southeast-7.aegis.aliyuncs.com update-ap-southeast-7.aegis.aliyuncs.com
SAU (Riyadh - Partner Region)	jsrv-me-central-1.aegis.aliyuncs.com update-me-central-1.aegis.aliyuncs.com
Indonesia (Jakarta)	jsrv-ap-southeast-5.aegis.aliyuncs.com update-ap-southeast-5.aegis.aliyuncs.com
UK (London)	jsrv-eu-west-1.aegis.aliyuncs.com update-eu-west-1.aegis.aliyuncs.com
Germany (Frankfurt)	jsrv-eu-central-1.aegis.aliyuncs.com update-eu-central-1.aegis.aliyuncs.com
Japan (Tokyo)	jsrv-ap-northeast-1.aegis.aliyuncs.com update-ap-northeast-1.aegis.aliyuncs.com
US (Silicon Valley)	jsrv-us-west-1.aegis.aliyuncs.com update-us-west-1.aegis.aliyuncs.com
US (Virginia)	jsrv-us-east-1.aegis.aliyuncs.com update-us-east-1.aegis.aliyuncs.com

Obtain the installation key: In the default installation command generated in the console, the value after -k is the installation key for Security Center.

Select an installation command, log on to the server, and then run the command.

Important

In the following commands, replace <YOUR_INSTALL_KEY> with your actual installation key.

Malaysia (Kuala Lumpur)

Linux

wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh  "-j=jsrv-ap-southeast-3.aegis.aliyuncs.com|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com" "-u=update-ap-southeast-3.aegis.aliyuncs.com|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com" -k=<YOUR_INSTALL_KEY>

Windows

powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe '-j=jsrv-ap-southeast-3.aegis.aliyuncs.com|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com' '-u=update-ap-southeast-3.aegis.aliyuncs.com|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com' -k=<YOUR_INSTALL_KEY>"

Other regions

Replace $jsrv_domain with the Region domain name that starts with jsrv, and $update_domain with the Region domain name that starts with update.

Linux

wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh  "-j=$jsrv_domain|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com" "-u=$update_domain|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com" -k=<YOUR_INSTALL_KEY>

Windows

powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe '-j=$jsrv_domain|jsrv-ap-southeast-1-internet.aegis.aliyuncs.com' '-u=$update_domain|aegis.alicdn.com|update-ap-southeast-1-internet.aegis.aliyuncs.com' -k=<YOUR_INSTALL_KEY>"

Verify the installation status

After you install the agent, the system automatically downloads the relevant Security Center agent files to the server and starts the necessary processes. You can use the following methods to verify whether the installation was successful:

Verify in the console: This is the most convenient check method. You can check the agent status from a unified interface without the need to log on to the server. This method relies on platform data synchronization, which usually has a latency of several minutes. It is suitable for a quick overview of the global status.
Verify on the server: This provides immediate and accurate local status feedback on the server. You need to log on to the server to run commands. This is the preferred way to immediately confirm the installation or troubleshoot issues.

Verify in the console (approximately 5-minute latency)

You can check the online status of the agent on the Host page of the Security Center console:

For an Alibaba Cloud server, the icon in the Agent column changes from to .
A server that is not hosted on Alibaba Cloud is added to the server list, and the icon in the Agent column changes from to .
Important
The Security Center console automatically synchronizes asset information for installed agents every minute. Due to network conditions, the synchronization for servers that are not hosted on Alibaba Cloud may be delayed after the agent is installed. If the server information does not appear on the Host page, click Synchronize Assets to manually synchronize the asset information. For more information, see Synchronize asset information.

Verify on the server (real-time)

Verify the installation by checking the running status of agent-related processes and network connectivity on the server.

Check the service processes: Check whether the core processes of the Security Center agent (AliYunDun and AliYunDunUpdate) are running on the server. For more information about the agent processes, see Security Center agent processes.

Linux

Command to view processes:

# Check the core processes. AliYunDun, AliYunDunMonitor, and AliYunDunUpdate must all exist.
ps -ef | grep -E 'AliYunDun|YunDunMonitor|YunDunUpdate'

# Check the service status. The status should be active (running).
systemctl status aegis

Example of normal status output:

root        5472       1  0 Sep10 ?        00:00:18 /usr/local/aegis/aegis_update/AliYunDunUpdate
root        5524       1  0 Sep10 ?        00:01:34 /usr/local/aegis/aegis_client/aegis_12_61/AliYunDun
root        5546       1  0 Sep10 ?        00:03:13 /usr/local/aegis/aegis_client/aegis_12_61/AliYunDunMonitor

● aegis.service - LSB: Aegis service
   Loaded: loaded (/etc/rc.d/init.d/aegis; generated)
   Active: active (running) since Mon 2023-10-30 10:00:00 CST; 1 day 2h ago

Windows

Method 1: View the processes in Task Manager

Method 2: Run commands in PowerShell

Command to view processes:

# Check the core processes.
Get-Process | Where-Object {$_.Name -match '^(AliYunDun|AliYunDunMonitor|AliYunDunUpdate)$'}

# Check the service status. The status should be Running.
Get-Service | Where-Object {$_.Name -match 'Aegis|AliYunDun'}

Example of normal status output:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    380      26    15948      19656     615.75   6072   0 AliYunDun
    599      31    47576      37356     968.73   2488   0 AliYunDunMonitor
    257      14     8072      11336     232.03   2904   0 AliYunDunUpdate

Status   Name               DisplayName
------   ----               -----------
Running  Alibaba Securit... Alibaba Security Aegis Detect Service
Running  Alibaba Securit... Alibaba Security Aegis Update Service

Check network connectivity: Run the following commands on the server to confirm whether it can connect to the Security Center service endpoints over port 443 or 80. If the connection is successful, the terminal displays Connected to .... If the connection fails, the terminal displays Connection refused or Connection timed out.
Note
Make sure that the server can connect to both a jsrv and an update service domain name. The jsrv domain name is used to issue instructions, such as vulnerability scans and virus detection. The update domain name is used to download and update agent plugins.
- telnet jsrv.aegis.aliyun.com 443
- telnet jsrv2.aegis.aliyun.com 443
- telnet jsrv3.aegis.aliyun.com 443
- telnet update.aegis.aliyun.com 443
- telnet update2.aegis.aliyun.com 443
- telnet update3.aegis.aliyun.com 443

Troubleshooting and solutions

Installation command fails to execute

If the agent installation command fails to run on the server, common causes and their solutions are as follows:

Insufficient script execution permissions

Description: The system prompts Permission denied when you run the installation script.

Solution: Switch to an account with administrator or root permissions and run the installation command.

Self-protection is running

Issue: An attempt to reinstall the Security Center client on a server fails after a virus has been removed. An error message indicates that the self-protection feature is running and must first be uninstalled or disabled in the Security Center console.

Solution: Restart the server. This disables the self-protection process. You can then install the client.

Important

Restarting a server carries risks. Evaluate these risks and proceed with caution.

Agent is offline

If the agent status is "Offline" in the console, the communication between the agent and the service is interrupted. Common check methods and solutions are as follows:

Check the agent processes

Check method: Confirm that the two core processes, AliYunDun and AliYunDunUpdate, are running.

Linux: Use the ps -ef | grep AliYunDun command to check.
Windows: Open Task Manager, go to the Details or Services tab, and look for the related processes and services.

Solution: Manually restart the agent processes.

Linux

Run the following commands to restart the processes.

Stop the related processes:

killall AliYunDun
killall AliYunDunUpdate

Start the latest version of the agent.
In the /usr/local/aegis/aegis_client directory, find the aegis_10_xx folders and select the one with the highest version number as the latest version.
For example, among aegis_10_70, aegis_10_73, and aegis_10_75, select aegis_10_75.
```
/usr/local/aegis/aegis_client/aegis_10_xx/AliYunDun
```

Windows

In the Services panel, restart the two Security Center services: Alibaba Security Aegis Detect Service and Alibaba Security Aegis Update Service. In the services list, right-click the target service and select Restart.

Check the network connection

Check method: Confirm that your firewall or security group allows outbound traffic to jsrv.aegis.aliyun.com or update.aegis.aliyun.com. The installation also fails if the server cannot connect to the Security Center service endpoints.

Solution:

Confirm that the DNS service on the server is running as expected.
If the DNS service is not running, restart the server or check whether the DNS service is faulty.
Check whether network access policies are configured on the server.
1. Firewall access control list (ACL) rules
  Make sure that you have added the service IP addresses or domain names of Security Center to the whitelist of your firewall to allow network access. You need to add the IP addresses or domain names only to the outbound whitelist. You do not need to configure the inbound whitelist.
  Note
  If you use Alibaba Cloud Firewall, see Create an outbound access control policy for traffic from an internal network to the Internet for the procedure.
  Example firewall configuration (iptables):
```
# Allow access to the control service
iptables -A OUTPUT -p tcp -d jsrv.aegis.aliyun.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d jsrv.aegis.aliyun.com --dport 80 -j ACCEPT

# Allow access to the update service
iptables -A OUTPUT -p tcp -d update.aegis.aliyun.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d update.aegis.aliyun.com --dport 80 -j ACCEPT
```
2. Alibaba Cloud security group rules
  If you use an Alibaba Cloud ECS instance, see Manage security groups for the specific steps.
  Note
  Allow outbound traffic for the 100.100.0.0/16, 106.11.0.0/16, and 100.103.0.0/16 CIDR blocks. Do not restrict the port number, or allow traffic on ports 80 and 443.
  The following is an example configuration for the 100.100.0.0/16 CIDR block:
  - Direction: Outbound
  - Authorization Policy: Allow
  - Protocol Type: TCP
  - Port Range: 80/443
  - Authorization Object: 100.100.0.0/16

Check system resources

Check method:

Confirm that the server has sufficient resources. The agent cannot start if resources are exhausted.

CPU/Memory: Use top (Linux) or Task Manager (Windows) to check the usage.
Disk space: Use df -h (Linux) or This PC (Windows) to check the remaining disk space.

Solution:

High resource usage
- If the AliYunDun process is the cause, contact technical support and provide the relevant logs.
- If other business processes are the cause, optimize your business applications or consider upgrading the server configuration.
Insufficient disk space: Delete unnecessary files to free up disk space.

Check for duplicate agent IDs

Check method: This issue often occurs when you use the same system image to create multiple server instances. Check whether the value of the uuid field in the following configuration file is duplicated across multiple servers.

Linux: /usr/local/aegis/aegis_client.conf
Windows:
- 32-bit: C:\Program Files\Alibaba\aegis\aegis_client.conf.
- 64-bit: C:\Program Files (x86)\Alibaba\aegis\aegis_client.conf.

Solution:

Before you use the same template server to create multiple images, uninstall and clean up the old agent, and then obtain a new installation command.

Check for software conflicts

Check method: Confirm whether other Host-based Intrusion Detection System (HIDS), Endpoint Detection and Response (EDR), or antivirus software is installed on the server. This software may conflict with the Security Center agent.

Solution:

Disable or uninstall the third-party security software. After the Security Center agent is installed, you can restart or reinstall the original third-party security software as needed.

Analyze agent logs

Check method: Check the agent logs for specific error messages. The log file paths are as follows:

Linux: \usr\local\aegis\log\aegis.log.
Windows:
- 32-bit: C:\Program Files\Alibaba\aegis\log\aegis.log.
- 64-bit: C:\Program Files (x86)\Alibaba\aegis\log\aegis.log.

Solution:

Troubleshoot based on the error messages in the logs. If you cannot resolve the errors, contact technical support and provide the complete log files.

Advanced troubleshooting: Agent Troubleshooting feature

Security Center provides the Agent Troubleshooting feature, which lets you perform a comprehensive check on the agent. This helps you quickly locate issues, such as system exceptions suspected to be caused by the agent, high CPU usage of agent processes, installation failures, and abnormal offline status, and provides causes and solutions. The procedure and an example configuration are as follows:

In the navigation pane on the left, choose Assets > Host.
On the Server tab of the Host page, select the server to troubleshoot from the server list. In the More Operations menu, click Agent Troubleshooting.
After you configure the troubleshooting requirements, click Start Check.
- Issue Type: Overall Check (Unknown Issues).
- Mode: Enhancement Mode.
  Note
  Enhancement mode collects and reports agent-related data such as network, process, and log information to Security Center for analysis. The troubleshooting process takes about 5 minutes.
After the diagnosis is complete, you can view the results in the Agent Task Management panel in the upper-right corner of the Host page.
On the task details page, follow the solution provided in the Result column.
Important
If no solution is provided in the Result column, click Download Diagnostic Logs and submit the exported diagnostic log and your Alibaba Cloud account ID to Security Center technical support for further analysis.

FAQ

Installation and uninstallation

How do I uninstall the agent?
Security Center provides two uninstallation methods: one-click uninstallation from the console and manual uninstallation. For more information, see Uninstall the Security Center agent.
Can I restart the template server when I create an image?
No. After you run the image installation command, you must immediately shut down the server to create the image. A restart activates the agent on the template server and generates a fixed instance ID. All servers that are created from this image fail to report data due to ID conflicts.

Assets and groups

After I manually install the agent, to which group is the server automatically added?
Servers on which the agent is installed using the default installation command are automatically assigned to the Ungrouped group. You can specify a Default Group when you Create Installation Command, or you can manually change the server's group on the Host Assets page after installation.
Why can't I see my server in the "Not Installed" list?
Possible reasons include the following:
1. The agent is already installed on the server.
2. The server was recently created, and its asset information has not yet been synchronized. Wait a few minutes or manually click Sync Now.
3. The server does not belong to the current Alibaba Cloud account or the selected region.