This topic provides answers to some frequently asked questions about connections between client tools and bastion hosts.
I cannot use my client to access my bastion host using the public endpoint of the bastion host. How do I troubleshoot the issue?
You can perform the following operations to troubleshoot this issue:
Check whether the configurations of your bastion host are correct.
Run the ping command on your client to test whether the client can access your bastion host. If the client cannot access your bastion host, log on to the Bastionhost console and check whether the switch of the public endpoint is turned on.
On your client, run telnet commands to test connectivity on ports 60022, 63389, and 443. If a connection fails, check whether these ports are correctly configured for the bastion host. For more information, see Configure a bastion host.
Check whether the public IP address of your client is added to the whitelist. If you configure a whitelist, access is restricted to the IP addresses on the list. For more information, see Configure a bastion host.
Check whether Cloud Firewall is used. Check whether Cloud Firewall is used to protect your bastion host and whether access control policies are configured to block the access of your bastion host. For more information, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.
Check whether a firewall is enabled for your client. You can use another client to access your bastion host. If the client can access the bastion host, a firewall is enabled for your client.
Check whether your bastion host resides outside China. If your bastion host resides outside China, the access traffic that is destined for your bastion host may be blocked. We recommend that you connect your client and the bastion host using a VPN or a leased line.
To test the operational status of the bastion host, you can purchase an Elastic Compute Service (ECS) instance in the same region and then try to access the bastion host from the instance. For more information about ECS, see What is Elastic Compute Service (ECS)?.
I cannot use my client to access my bastion host using the private endpoint of the bastion host. How do I troubleshoot the issue?
Check whether the virtual private cloud (VPC) in which your client resides and the VPC in which your bastion host resides are connected using a VPN or a leased line.
If you have established a private network connection between the client and Bastionhost using a VPN or a leased line, you can access other servers in the same VPC as the Bastionhost to verify that the Bastionhost service is Normal.
If the VPCs are connected using a VPN or a leased line, Internet access is normal, but access over VPCs is slow, the value of the maximum transmission unit (MTU) for the VPN may be excessively large. Specify a smaller value and try again. If the access is slow, the hosts on which you can use your bastion host to perform O&M operations may not be displayed.
What is the maximum validity period of an O&M token?
The maximum validity period that you can configure for an O&M token is 8 hours. You can also allow O&M engineers to renew O&M tokens and the number of times to renew an O&M token. The maximum number of times to renew an O&M token is 20. Each renewal increases 1 hour of validity period. For more information about how to configure the validity period of O&M tokens and renew O&M tokens, see Configure O&M settings.
If you enable O&M review for databases, the validity period of an O&M token that is approved by a Bastionhost administrator takes effect. For more information about O&M approvals, see Review an O&M application.