This page covers common errors that occur during SSH, RDP, and database O&M operations in Bastionhost, along with steps to resolve them.
SSH O&M errors
Invalid host fingerprint
`Invalid host fingerprint`
Bastionhost V3.2 records a unique fingerprint for each host. If the fingerprint changes, authentication fails.
Solution: Clear the host fingerprint in the host information settings, then try to log on again. For details, see Clear host fingerprints.
The fingerprint changes in the following scenarios:
| Scenario | Cause |
|---|---|
| Operating system reinstallation | The SSH service resets, generating a new fingerprint. |
| SSH key pair replacement | Replacing the server's SSH key pair changes the fingerprint. |
| Encryption algorithm or key exchange method change | Modifying the SSH server configuration to use a different algorithm or method affects the fingerprint. |
| SSH service configuration change | Changes to key and authentication settings in the SSH server configuration can affect the fingerprint. |
| Server cloning or migration | The new instance may generate a new SSH key. |
| Virtual machine snapshot restoration | The SSH key reverts to its state at the time of the snapshot. |
| SSH server software update | Some updates change the key configuration, which affects the fingerprint. |
| Certificate invalidation or expiration | For certificate-based SSH keys, an expired or updated certificate changes the fingerprint. |
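
To confirm that a changed fingerprint belongs to the key the server now holds, fingerprint the server's current public host key and compare it with a value noted earlier. This is an added example, not Bastionhost code. It computes the OpenSSH `SHA256:` fingerprint format; that Bastionhost records fingerprints in this format is an assumption, and the key lines are constructed samples.

```python
import base64
import hashlib
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def sha256_fingerprint(key_line: str) -> str:
    """Fingerprint one public-key line in the SHA256:... form `ssh-keygen -l` prints.

    Accepts "<type> <base64> [comment]" (a .pub file) or
    "<host> <type> <base64>" (ssh-keyscan / known_hosts)."""
    fields = key_line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type and key data found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The blob starts with a length-prefixed copy of the key type; it must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[idx]:
        raise ValueError("key type does not match key data")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_changed(recorded_fp: str, current_key_line: str) -> bool:
    """True when the key now presented no longer matches the recorded fingerprint."""
    return sha256_fingerprint(current_key_line) != recorded_fp

def constructed_key_line(seed: bytes) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 line, not a real host key."""
    ktype, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    before = constructed_key_line(b"before OS reinstallation")
    after = constructed_key_line(b"after OS reinstallation")
    recorded = sha256_fingerprint(before)
    print("recorded:", recorded)
    print("current :", sha256_fingerprint("host.example " + after))
    print("changed :", fingerprint_changed(recorded, after))
```
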
Connection refused (111)
`connect to [Default Network] xx.xx.xx.xx:xx failed, Connection refused(111)`
Bastionhost cannot reach the target host. Check the following:
| Possible cause | Action |
|---|---|
| Incorrect port configuration | Verify that the host protocol port configured in Bastionhost is correct. See Configure Bastionhost. |
| Security group or firewall blocking access | Check whether Cloud Firewall is enabled for the Bastionhost instance and whether any security policy blocks access to the specified port. See Best practices for access policies when Cloud Firewall is deployed with Bastionhost. |
SSH handshake error
`SSH protocol handshake error, Socket error: Connection reset by peer`
A firewall or configuration policy is blocking the connection.
Solution:
- Check whether the Bastionhost IP address is in /etc/hosts.allow on the target server. If it is not, add it.
- Check whether the Bastionhost IP address is in /etc/hosts.deny. If it is, remove it.
- Check whether any network device between Bastionhost and the server is blocking the connection.
For more information, see Issues related to connecting Bastionhost to servers.
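
A search for the literal Bastionhost IP misses rules that cover it through `ALL`, a prefix, or a net/mask, so the two files are better evaluated together in the order described in hosts_access(5). This is an added example, not Bastionhost code. It handles a subset of the syntax (IPv4 only, no `EXCEPT`, no hostname patterns), and the file contents and IP address are constructed samples.

```python
import ipaddress

def client_matches(pattern: str, ip: str) -> bool:
    """Match one client pattern: ALL, exact IPv4, 'n.n.' prefix, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # e.g. a file-name pattern, outside this subset
            return False
    return pattern == ip

def matching_rules(text: str, ip: str, daemon: str = "sshd") -> list:
    """Return the rule lines whose daemon list and client list both match."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (p.replace(",", " ").split() for p in line.split(":")[:2])
        if any(d in ("ALL", daemon) for d in daemons) and any(
                client_matches(c, ip) for c in clients):
            hits.append(line)
    return hits

def verdict(allow_text: str, deny_text: str, ip: str, daemon: str = "sshd"):
    """hosts.allow is consulted first, then hosts.deny; no match means allowed."""
    hits = matching_rules(allow_text, ip, daemon)
    if hits:
        return "allowed", hits
    hits = matching_rules(deny_text, ip, daemon)
    return ("denied", hits) if hits else ("allowed", [])

# Constructed sample files and a constructed Bastionhost IP address.
HOSTS_ALLOW = "# constructed\nsshd: 192.0.2.10, 10.20.\n"
HOSTS_DENY = "# constructed\nALL: ALL\n"
BASTION_IP = "198.51.100.7"

if __name__ == "__main__":
    print(verdict(HOSTS_ALLOW, HOSTS_DENY, BASTION_IP))
    print(verdict(HOSTS_ALLOW + "sshd: " + BASTION_IP + "\n", HOSTS_DENY, BASTION_IP))
```

The returned rule lines show which entry decided the outcome, which is the line to edit on the target server.
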
Permission denied
`Permission denied, please try again`
Check the following causes:
| Possible cause | Action |
|---|---|
| Incorrect account or password | Verify the logon credentials configured for the host in Bastionhost. |
| Root logon disabled | If logging on as root, confirm that PermitRootLogin=yes is set in the ssh_config file. |
| Additional logon restrictions | Check /var/log/secure and /var/log/messages for logon restrictions such as two-factor authentication requirements. |
SSH connect target failed
`ssh connect target xx failed (ssh: rejected: administratively prohibited (open failed))`
This error is typically caused by a proxy server connection issue, such as an expired proxy server password. Verify the proxy server credentials and renew them if necessary.
RDP O&M errors
Remote desktop service CALs request failed
`remote desktop service CALs request failed`
Check the following:
| Possible cause | Action |
|---|---|
| Expired remote desktop license | Verify whether the remote desktop license has expired by connecting to the server from another Windows computer directly. |
| Remote desktop permissions disabled | Confirm that remote desktop permissions are enabled on the server. |
NLA or TLS security negotiation failure
`NLA or TLS security negotiation failure, Please check the username and password`
First, use Microsoft Terminal Services Client (MSTSC) to connect directly to the server, bypassing Bastionhost, to verify whether you can log on successfully. If you still cannot log on, troubleshoot using the following scenarios.
Scenario 1: Network Level Authentication (NLA) is enforced
Check whether Allow connections only from computers running Remote Desktop with Network Level Authentication is selected in the remote settings of the Windows system. If it is selected, automatic logon through Bastionhost fails when any of the following conditions apply:
- The Windows account and password are not hosted in Bastionhost.
- The host account has not been granted to the O&M personnel.
- The account or password is incorrect.
Scenario 2: Remote Desktop Session Host service expired
Check whether the Remote Desktop Session Host role service is installed on the ECS instance. When installed, this service allows more than two simultaneous logons. If the service license expires, RDP becomes unavailable by default, though the server certificate may remain cached locally.
To test for this, connect from multiple environments. To configure multi-user logon, see Configure multi-user logon for a Windows ECS instance.
Scenario 3: Standard accounts cannot connect
If only the Administrator account connects successfully while standard accounts cannot, the standard accounts are missing remote access permissions. By default, only administrators have this permission. To grant it, add the accounts in Remote Desktop in your Windows system settings.
Database O&M errors
SQL Server: Protocol error in TDS stream
`[SQL Server Native Client 11.0] Protocol error in TDS stream (0)`
Close the database server connection or exit Navicat, then reopen and retry. If the error persists, switch to a different database connection tool.
Bad handshake
`bad handshake`
Check the following causes:
| Possible cause | Action |
|---|---|
| Domain name vs. IP address mismatch | The database address stored in Bastionhost is a domain name. Use the domain name rather than an IP address when connecting. |
| Space in the database account name | Remove the space from the database account name. |
| Network disconnection between Bastionhost and the database | Check the whitelist configuration. |
For more information, see Issues related to connecting Bastionhost to databases.
Navicat 11: Lost connection to MySQL server
`Lost connection to MySQL server at 'reading initial communication packet', system error: 0`
Navicat 11 is incompatible with the Bastionhost database O&M feature. Switch to Navicat for MySQL 12 or Navicat for MySQL 15. For a full list of supported tools and versions, see Client remote connection tools and supported versions.
DBeaver: Unknown system variable 'transaction_isolation'
`Unknown system variable 'transaction_isolation'`
DBeaver is incompatible with MySQL 5.6. Resolve the issue using one of the following options:
- Change the database protocol driver to MariaDB for the connection.
- Switch to the Navicat database connection tool.
DBeaver: Exhausted available authentication methods
`Exhausted available authentication methods`
The database O&M token has expired. Request a new token and reconnect.
DBeaver: Arraycopy out of bounds
`arraycopy: last source index 262244 out of bounds for byte`
This error is caused by a DBeaver version incompatibility. Switch to a supported connection tool. For recommended tools and versions, see Client remote connection tools and supported versions.