Bastionhost: Common O&M error messages

Last Updated: Oct 31, 2025

This topic describes common issues and their solutions for O&M operations that use Bastionhost.

Errors related to SSH O&M

Error: Invalid host fingerprint

Bastionhost V3.2 records the unique fingerprint of a host. If the host fingerprint changes, authentication fails. To resolve this issue, you can clear the host fingerprint in the host information of Bastionhost and try to log on again. For more information, see Clear host fingerprints.

The host fingerprint may change in the following scenarios:

  • Operating system reinstallation: If you reinstall the operating system, the SSH service may be reset. This causes the host fingerprint to change.

  • SSH key pair replacement: If you replace the server's SSH key pair, the host fingerprint also changes.

  • Use of different encryption algorithms: If you change the SSH server configuration to use a different encryption algorithm or key exchange method, the host fingerprint may also change.

  • Changes to the SSH service configuration: If you change the configuration on the SSH server, especially settings related to keys and authentication, the host fingerprint may be affected.

  • Server cloning or migration: In some cases, if you clone or migrate a machine, the new instance may generate a new SSH key.

  • Virtual machine snapshot restoration: If you restore a virtual machine from a snapshot, the SSH key may revert to its state at the time of the snapshot.

  • SSH server software update: In some cases, an update to the SSH server software can cause changes in the key configuration. This affects the host fingerprint.

  • Certificate invalidation or expiration: If you use certificate-based SSH keys, the host fingerprint may also change when the certificate becomes invalid or is updated.
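Before you clear a recorded fingerprint, confirm that the key now offered over the network is the key installed on the host, because a fingerprint change with none of the causes above can also mean that the connection is being intercepted. The following added example (not part of the original documentation or of Bastionhost) computes the `SHA256:` fingerprint that OpenSSH prints for a public key and compares the two; `sample_key_line`, `fingerprint` and `change_is_genuine` are hypothetical names, the sample keys are constructed, and input lines are assumed to be in `.pub` file format.

```python
import base64
import hashlib
import hmac
import struct


def sample_key_line(seed: int) -> str:
    """Build a constructed ssh-ed25519 public key line (not a real host key)."""
    key_type = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of '<type> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def change_is_genuine(console_key_line: str, network_key_line: str) -> bool:
    """True only if the key offered over the network is the key on the host."""
    return hmac.compare_digest(fingerprint(console_key_line),
                               fingerprint(network_key_line))


if __name__ == "__main__":
    on_host = sample_key_line(1)   # stands in for a key read on the server console
    offered = sample_key_line(1)   # stands in for a key collected over the network
    print(fingerprint(on_host), change_is_genuine(on_host, offered))
```

Read the first key over a trusted path, such as the server console, and the second over the same network path that the failing session uses. Clear the fingerprint only when the function returns `True`.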

Error: connect to [Default Network] xx.xx.xx.xx:xx failed, Connection refused(111)

This error usually occurs because the network is unreachable for one of the following reasons:

  • The host protocol port configured for Bastionhost is incorrect. You can check whether the relevant port is configured correctly for Bastionhost. For more information, see Configure Bastionhost.

  • Rules in security groups or firewalls prohibit Bastionhost from accessing the specified port. You can check whether Cloud Firewall protection is enabled for the Bastionhost instance and whether the corresponding security policy has restrictions that block access. For more information, see Best practices for access policies when Cloud Firewall is deployed with Bastionhost.

Error: SSH protocol handshake error, Socket error: Connection reset by peer

This error usually occurs because a firewall or a configuration policy blocks the connection. You can troubleshoot the issue as follows:

  • You can check if the Bastionhost IP address is in the server's /etc/hosts.allow file. If not, add it. You can also check if the Bastionhost IP address is in the /etc/hosts.deny file. If it is, remove it.

  • You can check if any device between Bastionhost and the server is blocking the connection and if access from Bastionhost is fully allowed. For more information about connection issues between Bastionhost and servers, see Issues related to connecting Bastionhost to servers.
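The "Connection refused(111)" and "Connection reset by peer" errors above correspond to different TCP outcomes, and telling them apart narrows the list of things to check. The following added example (not part of the original documentation or of Bastionhost) makes a single connection to the server's SSH port and classifies the result; `probe_ssh`, `ADVICE` and the outcome labels are hypothetical names, and the "timeout" case is an assumption based on general TCP behavior rather than on this topic.

```python
import socket
import sys


def probe_ssh(host: str, port: int, timeout: float = 5.0):
    """Make one TCP connection and return (outcome, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # errno 111: nothing listens on the port, or a rule actively rejects it.
        return ("refused", "")
    except socket.timeout:
        # No answer at all: packets are being dropped somewhere on the path.
        return ("timeout", "")
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        try:
            data = sock.recv(255)  # an SSH server sends its version string first
        except ConnectionResetError:
            return ("reset", "")
        except socket.timeout:
            return ("no-banner", "")
    if not data:
        # The connection was accepted and then closed before any banner was sent.
        return ("closed", "")
    text = data.decode("ascii", "replace").strip()
    return ("ssh-banner" if text.startswith("SSH-") else "not-ssh", text)


# Where to look next, following the checks listed in this topic.
ADVICE = {
    "refused": "check the host protocol port in Bastionhost, then firewall rules",
    "timeout": "check security group and Cloud Firewall rules for the port",
    "reset": "check /etc/hosts.allow, /etc/hosts.deny and devices on the path",
    "closed": "check /etc/hosts.allow, /etc/hosts.deny and devices on the path",
    "ssh-banner": "network path and sshd respond; check authentication instead",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 2 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    outcome, detail = probe_ssh(target, target_port)
    print(outcome, detail, "->", ADVICE.get(outcome, "check the server logs"))
```

Security group rules and the hosts.allow and hosts.deny files are evaluated per source address, so the result only describes the path from the machine that runs the probe.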

Error: Permission denied, please try again

Permission is denied. The possible reasons are as follows:

  • The account or password for the server is incorrect.

  • The logon account, such as root, does not have logon permissions. Confirm that `PermitRootLogin=yes` is configured in the server's sshd_config file.

  • You can check the server logs in /var/log/secure and /var/log/messages to see if other logon permissions are set, such as requiring two-factor authentication.

Error: ssh connect target xx failed (ssh: rejected: administratively prohibited (open failed))

This error may be caused by a proxy server connection issue, such as an expired proxy server password.

Errors related to RDP O&M

Error: remote desktop service CALs request failed

You can troubleshoot the issue as follows:

  • You can check if the remote desktop license for the server has expired. You can connect to the server from another Windows computer to test the license.

  • You can check if remote desktop permissions are enabled on the server.

Error: NLA or TLS security negotiation failure, Please check the username and password

First, you can use Microsoft Terminal Services Client (MSTSC) to bypass Bastionhost and connect directly to the server to verify if you can log on successfully. If you still cannot log on, you can troubleshoot the issue as follows:

  • Scenario 1: Check if "Allow connections only from computers running Remote Desktop with Network Level Authentication" is selected in the remote settings of your Windows system. If this option is selected and one of the following three conditions is met, an error occurs when you automatically log on to Windows using Bastionhost.

    • The Windows account and password are not hosted in Bastionhost.

    • The host account is not granted to the O&M personnel.

    • The account or password is incorrect.

  • Scenario 2: You can check if the Remote Desktop Session Host role service is installed on the ECS server. After this service is installed, more than two host accounts can log on at the same time. If the service has expired, the RDP protocol is unavailable by default. However, the server certificate may be cached locally. You can perform tests in multiple environments to verify this. For more information, see Configure multi-user logon for a Windows ECS instance.

  • Scenario 3: You can check if only the Administrator account can connect successfully, while standard accounts cannot.

    If only standard accounts cannot connect, it may be because the accounts have not been granted remote access permissions. By default, administrators have this permission, but standard users must be granted it separately. You can add the users that you want to authorize in Remote Desktop in your Windows system.

Common database O&M errors

Error: [SQL Server Native Client 11.0] Protocol error in TDS stream (0)

You can close the database server connection or exit Navicat. Then, reopen it and try again. If the error persists, you can use a different connection tool.

Error: bad handshake

You can troubleshoot the issue as follows:

  • This error can occur if the database address stored in the Bastionhost interface is a domain name, but the user entered an IP address for the database connection.

  • This error can occur if the database account contains a space.

  • A DBeaver error may occur because the network between Bastionhost and the database is disconnected. You need to check the whitelist. For more information about issues related to connecting Bastionhost to databases, see Issues related to connecting Bastionhost to databases.

Navicat 11 error: Lost connection to MySQL server at 'reading initial communication packet', system error: 0

This error occurs because of an incompatibility with the Navicat version. You can use Navicat for MySQL 12 or 15. For more information about client remote connection tools, see Client remote connection tools and supported versions.

DBeaver error when connecting to MySQL 5.6: Unknown system variable 'transaction_isolation'

DBeaver is incompatible with MySQL 5.6. You can resolve this issue in one of the following ways:

  • You can change the database protocol driver to MariaDB for the connection.

  • You can use the Navicat database connection tool.

DBeaver error: Exhausted available authentication methods

This error may occur because the database O&M token has expired. You can request a new token to connect.

DBeaver error: arraycopy: last source index 262244 out of bounds for byte

This error occurs because of an incompatibility with the DBeaver connection tool. You can use a tool recommended on the official website. For more information, see Client remote connection tools and supported versions.