Bastionhost server connection issues - Bastionhost - Alibaba Cloud Documentation Center

This topic describes common issues and their solutions when you connect to a server using Bastionhost.

What do I do if I fail to access a server through Bastionhost?

Test the connection between the Bastionhost instance and the server's IP address and port. For more information, see Network diagnostics.

If the connectivity test fails, troubleshoot the issue as follows:
- Check whether the server port number was changed to a non-standard protocol port. If so, you can modify the service port of the host on the Assets page in the Bastionhost console. For more information, see Modify the service port of a host.
- Check whether the security group allows traffic from the egress IP address of the Bastionhost instance. You can find the egress IP address in the instance list on the Bastionhost console. For more information about how to add a security group rule, see Manage security group rules.
- Check whether security policies on the server block access from the Bastionhost instance. Check for blocking policies in network ACLs, security groups, Cloud Firewall, and the server's internal firewall, such as iptables or Windows Firewall.
- Check whether the `/etc/hosts.allow` and `/etc/hosts.deny` configuration files on the server restrict access from the Bastionhost instance.
- Check whether Cloud Firewall protection is enabled for the Bastionhost instance and whether any security policies are configured to block access. For more information, see Best practices for access policies in a joint deployment of Cloud Firewall and Bastionhost.
- If the Bastionhost instance fails to access the server over the internal network, check whether a network connection is established between them. For more information, see Best practices for hybrid O&M scenarios.
- Check whether the server's IP address conflicts with the egress IP address of the Bastionhost instance or the IP address resolved from the internal endpoint. A conflict can prevent server data from reaching the Bastionhost instance.
- Check whether the server uses a public IP address for a private network. If it does, you can configure this setting in Bastionhost. For more information, see Configure Bastionhost.
If the connectivity test is successful, troubleshoot the issue as follows:
- Try to connect directly to the server by bypassing the Bastionhost instance. If the connection fails, troubleshoot the protocol connection issue on the server. For more information, see Methods to troubleshoot failures to remotely connect to a Windows instance and Troubleshooting guide for failures to remotely log on to a Linux instance using SSH.
- If you can connect to the server directly but not through the Bastionhost instance, check for specific error messages. For more information, see Common Bastionhost O&M errors.

If the preceding troubleshooting steps do not resolve the issue, you can submit a ticket.

What do I do if a password verification error occurs for a new host account?

You can use the following methods to resolve the issue:

Symptom 1: The verification times out or fails.
A verification timeout is usually caused by network inaccessibility. First, test the connectivity between the Bastionhost instance and the asset. For more information, see Network diagnostics.
- If the connectivity is abnormal, the network connection between the Bastionhost instance and the host may be unavailable. For more information, see Server connection issues.
- If the connectivity is normal but the verification still times out or fails, the network synchronization may be delayed. You can save the account password to the Bastionhost instance and then try to perform operations and maintenance (O&M) on the asset. For more information about how to save an account password to Bastionhost, see Configure a host account.
Symptom 2: The verification fails due to an incorrect password.
- During password authentication, the account password that you enter must be the same as the one set on the asset. Check whether you entered the correct account password. For more information, see Configure a host account.
- If you are performing O&M on a Linux host, check whether the root account or password authentication is disabled in the ssh_config file.

Why are hosts not displayed on the O&M page?

The Resource Access Management (RAM) user is not granted permissions on the host. You can grant the RAM user permissions on the host and then check again. For more information, see Grant a user permissions on assets and asset accounts.
You are not logged on as the correct RAM user. Log on to the Bastionhost console as the RAM user who is granted permissions on the host.

Why is an EMPTY account displayed after I log on to Bastionhost?

If you select Unauthorized Asset Accounts Are Allowed in System Settings and grant an O&M engineer permissions only on an asset but not on its host accounts, an EMPTY account is displayed at logon. For more information about how to grant permissions on a host account, see Grant a user permissions on an asset account.

What do I do if I fail to access a server from Bastionhost using key-based authentication?

Note

This issue occurs only on Bastionhost instances that run a version earlier than V3.2.38.

On some operating systems, such as Rocky 9 and Ubuntu 22.04 or later, servers that use OpenSSH 8.7 or later have the ssh-rsa public key signature algorithm disabled by default. This causes a failure when Bastionhost tries to access the server using key-based authentication. You can follow these steps to configure the sshd_config file and manually enable the parameters for the ssh-rsa public key signature algorithm on the server.

Open the sshd_config configuration file.
```
vim /etc/ssh/sshd_config
```
Add the following content to the sshd_config configuration file and save the file.
```
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
```
Restart the sshd service.
```
systemctl restart sshd
```