Bastionhost: FAQ about client connections

Last Updated: Mar 31, 2026

Common questions about connections between client tools and Bastionhost.

Client can't reach the bastion host over the public endpoint

Work through these checks in order. Stop when you find the cause.

1. Confirm the public endpoint is enabled

Run ping from your client to test basic reachability. If ping fails, log in to the Bastionhost console and verify that the public endpoint switch is turned on.

2. Test port connectivity

Run telnet to test ports 60022, 63389, and 443. If any port fails, verify that these ports are correctly configured for the bastion host. For details, see Configure a bastion host.

3. Check the whitelist

If a whitelist is configured on the bastion host, only IP addresses on the list can connect. Confirm that your client's public IP address is included. For details, see Configure a bastion host.

4. Check Cloud Firewall policies

If Cloud Firewall is protecting the bastion host, access control policies may be blocking traffic. Review and adjust the policies as needed. For details, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.

5. Check the client-side firewall

Try connecting from a different client. If the second client connects successfully, a firewall on the original client is blocking the traffic.

6. Check whether the bastion host is outside China

If the bastion host is deployed outside China, cross-border traffic may be blocked. Connect the client and bastion host through a VPN or leased line.

To isolate whether the issue is with the bastion host itself, launch an Elastic Compute Service (ECS) instance in the same region and test the connection from that instance. For more information, see What is Elastic Compute Service (ECS)?.
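The port test from step 2 can be scripted so that it also records how each connection failed. This is an added example, not part of the Bastionhost documentation: the function names and the mapping from failure type to checklist step are assumptions of the example, and the mapping is a general networking heuristic rather than documented Bastionhost behaviour.

```python
import errno
import socket
import sys

# Ports named in step 2 of the checklist.
BASTION_PORTS = (60022, 63389, 443)

# Heuristic hints (assumption of this example): a refusal means the host
# answered, a timeout means something on the path dropped the traffic.
HINTS = {
    "open": "port reachable",
    "refused": "host answered but the port is closed: see step 2",
    "timeout": "no answer, traffic is probably filtered: see steps 3 to 6",
    "dns-failure": "endpoint name did not resolve: check the endpoint address",
}

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout', 'dns-failure' or 'error:<errno>'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
        return "open"

def diagnose(host, ports=BASTION_PORTS, timeout=3.0):
    """Probe each port and return {port: (status, hint)}."""
    report = {}
    for port in ports:
        status = probe(host, port, timeout)
        report[port] = (status, HINTS.get(status, "unexpected socket error"))
    return report

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python bastion_probe.py <bastion-endpoint>")
    else:
        for port, (status, hint) in diagnose(sys.argv[1]).items():
            print(f"{sys.argv[1]}:{port} {status} - {hint}")
```

Run it from the original client and again from the second client or ECS instance mentioned above; differing results for the same port point to the network path or the client rather than the bastion host.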

Client can't reach the bastion host over the private endpoint

The most common cause is that the virtual private cloud (VPC) where the client resides and the VPC where the bastion host resides are not connected.

  • If the VPCs are connected via VPN or leased line but connectivity is slow, the maximum transmission unit (MTU) value for the VPN may be too large. Reduce the MTU value and retry. Excessive latency can also prevent the list of hosts available for O&M from loading.

  • To verify that the Bastionhost service itself is running normally, try to access other servers in the same VPC as the bastion host. If those servers are reachable but the bastion host is not, investigate the network path between the two VPCs.

Maximum validity period of an O&M token

The maximum validity period is 8 hours. O&M engineers can also renew tokens up to 20 times, with each renewal adding 1 hour.

To configure the validity period and renewal settings, see Configure O&M settings.

If O&M review is enabled for databases, the validity period set by the approving Bastionhost administrator takes effect instead. For details about the approval workflow, see Review an O&M application.