
Bastionhost: FAQ about connections between bastion hosts and servers

Last Updated: Apr 07, 2024

This topic provides answers to some frequently asked questions about the connections between Bastionhost and servers.

What do I do if I fail to access a server by using its public IP address from my bastion host?

You can use the following methods to troubleshoot this issue:

  • Test whether your bastion host can access the server over the configured port. For more information, see Diagnose network issues. If the port of the server is changed to a non-standard port, you must change the service port of the server in the Assets module of the console of the bastion host. For more information, see Change the service port of a host.

  • Check whether the security group allows access from the egress public IP address of your bastion host. For more information about how to configure a whitelist, see Add a security group rule.

    You can log on to the Bastionhost console and obtain the egress public IP address of your bastion host in the bastion host list.

  • Check whether the server is configured with a firewall or other protection software, such as iptables and Windows firewall, which blocks access from your bastion host.

  • Check whether an intermediate device such as Cloud Firewall blocks traffic from your bastion host to the server. If Cloud Firewall protects your bastion host, review its access control policies for rules that block the egress IP address of the bastion host. For more information, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.

What do I do if I fail to access a server by using its private IP address from my bastion host?

You can use the following methods to troubleshoot this issue:

  • Test whether your bastion host can access the server over the configured port. For more information, see Diagnose network issues. If the port of the server is changed to a non-standard port, you must change the service port of the server in the Assets module of the console of the bastion host. For more information, see Change the service port of a host.

  • Check whether the security group allows access from the egress private IP address of your bastion host. For more information about how to configure a whitelist, see Add a security group rule.

    You can log on to the Bastionhost console and obtain the egress private IP address of your bastion host in the bastion host list.

  • Check whether your bastion host can reach the server over the private network, which requires that the bastion host and the server reside in the same virtual private cloud (VPC). If they are in different VPCs, you have two options: use Cloud Enterprise Network (CEN) to connect the VPC of your bastion host to the VPC of the server, or upgrade your bastion host to the Enterprise edition, which can reach Elastic Compute Service (ECS) assets in another VPC through a public proxy server. For more information, see What is CEN? or Best practices of hybrid O&M.

    Note

    If the VPC of your bastion host is not in the same region as the VPC of the server, you need to purchase a CEN bandwidth plan. If you do not purchase a bandwidth plan, the data transmission rate for cross-region access is only 1 Kbit/s by default, which is insufficient to ensure normal O&M. For more information, see Work with a bandwidth plan.

  • Check whether the server is in a classic network. If the server resides in a classic network, you need to connect the VPC in which your bastion host resides to this classic network by using ClassicLink. For more information about the ClassicLink feature, see Overview.

    Note

    If the issue persists after you connect the VPC in which your bastion host resides to the classic network, check whether the egress IP addresses of your bastion host are allowed in the Elastic Compute Service security group. You can log on to the Bastionhost console and obtain the egress IP addresses of your bastion host in the bastion host list.

    For more information about how to enable ports, see Add a security group rule.

  • Check whether the server is configured with a firewall or other protection software, such as iptables and Windows firewall, which blocks access from your bastion host.

  • Check whether an intermediate device such as Cloud Firewall blocks traffic from your bastion host to the server. If Cloud Firewall protects your bastion host, review its access control policies for rules that block the egress IP address of the bastion host. For more information, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.

  • Check whether the IP address of the server conflicts with the egress private IP address of your bastion host or with the IP address to which the internal domain name of the bastion host resolves. Such a conflict prevents the server from sending return traffic to your bastion host, so the connection fails even though the security group and firewall rules are correct.

  • Check whether the server uses a privately used public IP address. If the server uses a privately used public IP address, you can configure the IP address in the Bastionhost console. For more information, see Configure privately used public IP addresses.

What do I do if an error is returned during password verification for a new host account in Bastionhost?

You can use the following methods to troubleshoot the issue:

Why are no hosts displayed on the Host O&M page of the console of my bastion host?

  • If the RAM user that you use does not have the permissions to access hosts, you must grant the permissions to the RAM user before you can view the hosts. For more information, see Authorize a user to manage hosts.

  • If the RAM user already has the permissions to access hosts, make sure that you log on to the console of your bastion host as that RAM user. Hosts are displayed only to the user that is authorized to manage them.

Why is EMPTY displayed after an O&M engineer logs on to a bastion host?

If Unauthorized Asset Accounts Are Allowed is selected in the System Settings module of the bastion host and an O&M engineer is granted permissions on assets but not on any host accounts, EMPTY is displayed after the O&M engineer logs on to the bastion host. Grant the engineer permissions on at least one account of the host to fix the issue. For more information, see Authorize the accounts of a single host for a user.

What do I do if I fail to access a server by using a key pair from my bastion host?

Note

This issue occurs only on bastion hosts whose version is earlier than V3.2.38. Upgrading the bastion host is the preferred fix; the steps below are a workaround for servers that you must manage before the upgrade.

Servers that run recent operating systems such as Rocky Linux 9.0 or later or Ubuntu 22.04 or later ship OpenSSH builds that reject RSA signatures made with SHA-1, the ssh-rsa signature algorithm, by default: upstream OpenSSH disabled ssh-rsa in version 8.8 because of practical SHA-1 collision attacks, and RHEL 9 derivatives such as Rocky Linux 9 disable it through the system-wide crypto policy even on their OpenSSH 8.7 builds. A bastion host earlier than V3.2.38 signs key-pair logons with ssh-rsa, so the server rejects the signature and the logon fails. As a workaround, you can re-enable ssh-rsa on the server by editing the sshd_config file as described below. The + prefix appends ssh-rsa to the default algorithm list instead of replacing it, so the modern rsa-sha2-256, rsa-sha2-512 and ed25519 algorithms stay enabled. Because this re-enables a SHA-1-based signature algorithm, apply the workaround only to the servers that the bastion host manages and remove it after you upgrade the bastion host.

  1. Open the sshd_config configuration file.

    vim /etc/ssh/sshd_config
  2. Add the following configuration items to the sshd_config configuration file and save the file:

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
  3. Restart sshd.

    systemctl restart sshd
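The following script carries the three steps above through in one idempotent form with a syntax check before the restart. It is an added example, not Bastionhost documentation code or a Bastionhost tool, and it assumes a POSIX shell, an sshd from OpenSSH 8.5 or later (which understands the PubkeyAcceptedAlgorithms keyword), and a systemd unit named sshd. The configuration path is a parameter so that you can try the function on a copy of sshd_config before touching the live file; the real file is modified only when the script is run with --apply.

```shell
#!/bin/sh
# Added example (not Bastionhost's own code): re-enable ssh-rsa on a server
# for a pre-V3.2.38 bastion host, idempotently, and verify before restarting.
# Assumptions: POSIX sh, OpenSSH sshd 8.5+ (PubkeyAcceptedAlgorithms keyword),
# systemd unit "sshd". Run as root with --apply to change /etc/ssh/sshd_config.
set -eu

# Append "Keyword +value" unless that exact line is already present, so running
# the script twice does not duplicate lines. The "+" keeps OpenSSH's default
# algorithm list (rsa-sha2-*, ed25519, ...) and only adds ssh-rsa to it.
ensure_option() {  # $1 = config file, $2 = keyword, $3 = value
    if grep -Fxq -- "$2 +$3" "$1"; then
        return 0
    fi
    printf '%s +%s\n' "$2" "$3" >> "$1"
}

# The two settings from the FAQ: let the server offer an ssh-rsa host-key
# signature and accept ssh-rsa user-key signatures.
enable_ssh_rsa() {  # $1 = path to sshd_config
    ensure_option "$1" HostKeyAlgorithms ssh-rsa
    ensure_option "$1" PubkeyAcceptedAlgorithms ssh-rsa
}

# Number of workaround lines in the file; used to confirm idempotency and to
# find the lines again when the workaround is removed after the upgrade.
count_workaround_lines() {  # $1 = path to sshd_config
    grep -Fc -- ' +ssh-rsa' "$1" || true
}

# Check the syntax, then print the effective algorithm lists so you can see
# ssh-rsa actually made it into the running configuration (an earlier
# HostKeyAlgorithms/PubkeyAcceptedAlgorithms line or an Include would win).
verify_sshd() {  # $1 = path to sshd_config
    sshd -t -f "$1"
    sshd -T -f "$1" | grep -Ei '^(hostkeyalgorithms|pubkeyacceptedalgorithms) ' | grep -i ssh-rsa
}

if [ "${1:-}" = "--apply" ]; then
    enable_ssh_rsa /etc/ssh/sshd_config
    verify_sshd /etc/ssh/sshd_config    # aborts before the restart on a bad config
    systemctl restart sshd
fi
```

Keep the output of verify_sshd with your change record: when the bastion host is upgraded to V3.2.38 or later, delete the two "+ssh-rsa" lines, run `sshd -t` again and restart sshd so that SHA-1 signatures are disabled once more.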