This topic describes how to troubleshoot the error that is reported when a source or destination database instance is connected to Data Transmission Service (DTS) over VPN.

Usage notes

If your database instance is connected to DTS by using VPN Gateway and you have questions about or requirements for VPN when you troubleshoot the issue, contact technical support for VPN Gateway. For more information about VPN Gateway, see What is VPN Gateway?

Procedure

  1. Collect the information about the source or destination database instance in which the error is reported.

    The following table describes the information to be collected about the database instance.

    Parameter         Description
    Instance Region   The region in which the self-managed database instance resides.
    Connected VPC     The ID of the virtual private cloud (VPC) that is connected to the self-managed database instance.
    IP Address        The private IP address of the self-managed database instance.
    Port Number       The service port number of the self-managed database instance.
  2. Obtain the CIDR blocks of DTS servers in the region in which the database instance resides.
    In the Whitelist DTS IP ranges for your user-created database topic, find the row for the region in which the database instance resides and read the CIDR blocks to add when an on-premises database is connected to Alibaba Cloud over CEN, Express Connect, VPN Gateway, Smart Access Gateway, or Database Gateway column. These are the DTS server CIDR blocks for that region. Take the blocks from this column, not from the column for other connection methods, because the blocks differ.
  3. Check the security settings of the self-managed database instance.
    Make sure that all CIDR blocks of DTS servers for the region are added to the security settings of the self-managed database instance so that access from DTS servers is allowed. If any block is missing, connections from the DTS servers in that block are rejected and the error is reported. The security settings include but are not limited to the following items:
    • Security groups of self-managed database instances
    • Firewalls of self-managed database instances
    • Whitelists of self-managed database instances
  4. Check whether the cloud routing is complete.
    1. Log on to the VPC console. In the left-side navigation pane, click Route Tables.
    2. Select VPC ID from the drop-down list next to Create Route Table. Enter the value of the Connected VPC parameter to filter route tables.
    3. Click the ID of the route table that you want to manage. On the Custom Route subtab of the Route Entry List tab, find the route entry whose Destination CIDR Block is the CIDR block of your data center and check its Next Hop column.
      • If a self-managed VPN is used, the next hop of the route entry for the CIDR block of your data center must be the ECS instance on which your self-managed VPN gateway is hosted. The ID of the ECS instance is displayed in the Next Hop column.
      • If a VPN gateway is used, the next hop of the route entry for the CIDR block of your data center must be the VPN gateway.
  5. Check whether the IPsec tunnel of the VPN is correctly configured.
    • If a self-managed VPN is used, check the configurations of the IPsec tunnel and test the connection. If the connection still fails, capture packets at both ends of your VPN to check whether DTS traffic passes through your VPN. The source IP addresses of the DTS traffic are within the DTS CIDR blocks that you obtained in Step 2, so filter the capture on those blocks and on the service port of the database instance.
    • If VPN Gateway is used, perform the following steps to check the configurations of the IPsec tunnel:
      1. Log on to the VPC console.
      2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
      3. Make sure that Routing Mode is set to Protected Data Flows.
      4. Find the IPsec-VPN connection that you want to view. Make sure that the obtained CIDR blocks of DTS servers are configured for the Local Network parameter.
      5. Make sure that the CIDR block of your data center is configured for the Remote Network parameter.
      6. Make sure that ikev2 is selected from the Version drop-down list in the IKE Configurations section.
      7. Test the connection. If the connection still fails, contact technical support for VPN Gateway to capture packets at both ends of your VPN gateway and check whether DTS traffic passes through your VPN gateway. The source IP addresses of the DTS traffic are within the DTS CIDR blocks that you obtained in Step 2.
  6. Check whether the routing is correctly configured.

    Check that the routing in your data center sends the responses of the database instance back over this IPsec-VPN connection. The route for the DTS CIDR blocks on the data center side must point to the VPN tunnel rather than to the default Internet route. Otherwise, DTS requests arrive but the responses take a different path, and the connection fails. If the database instance resides in the cloud of another service provider, contact technical support for that cloud service for troubleshooting.

  7. Check VPC route conflicts.

    If the error persists after you perform the preceding troubleshooting operations, contact technical support for VPC to check whether the routes that point to DTS have conflicts.
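The checks in Steps 3 to 5 are all containment checks on CIDR blocks, and the check in Step 4 is a longest-prefix lookup in a route table. The following script, added here as an example and not part of the DTS documentation or any Alibaba Cloud tool, performs these checks offline on values you copy from the consoles: it reports DTS blocks that are not fully allowed by the database host's firewall or whitelist, DTS blocks missing from the IPsec Local Network, and route entries for the data center block whose next hop is not the VPN gateway. All CIDR blocks and IDs in the sample data are constructed placeholders (RFC 5737 test ranges), not real DTS ranges; replace them with the values you collected in Steps 1 and 2.

```python
"""Offline pre-flight check for DTS-over-VPN connectivity (added example).

Models Steps 3 to 5 of the procedure above: every DTS server CIDR block
must be fully allowed by the database host's security settings and listed
in the IPsec connection's Local Network, and the data center CIDR block
must be routed to the VPN next hop in the connected VPC's route table.
"""
import ipaddress


def _nets(cidrs):
    """Parse CIDR strings into ip_network objects (host bits are tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def uncovered_blocks(required, allowed):
    """Return the blocks in `required` that are not fully contained in any
    single block in `allowed`, as strings in the order given.

    Used for Step 3 (firewall / security group / whitelist) and Step 5
    (Local Network of the IPsec connection). A block that is only partially
    covered is reported too, because connections from the DTS servers in
    the uncovered part would be rejected and the error would appear
    intermittently.
    """
    allow = _nets(allowed)
    return [
        str(r)
        for r in _nets(required)
        if not any(r.version == a.version and r.subnet_of(a) for a in allow)
    ]


def route_problems(route_entries, dc_cidr, vpn_next_hop):
    """Check the custom route table of the connected VPC (Step 4).

    route_entries: iterable of (destination_cidr, next_hop_id) tuples as
    shown in the Route Entry List. Returns a list of problem strings; an
    empty list means the data center block is routed to the VPN next hop
    and no more specific entry overrides part of it.
    """
    dc = ipaddress.ip_network(dc_cidr, strict=False)
    entries = [(ipaddress.ip_network(dst, strict=False), hop)
               for dst, hop in route_entries]
    problems = []

    # Traffic to the data center follows the longest prefix that contains
    # the whole data center block.
    covering = [(n, hop) for n, hop in entries
                if n.version == dc.version and dc.subnet_of(n)]
    if not covering:
        problems.append(f"no route entry covers data center block {dc}")
    else:
        best, hop = max(covering, key=lambda e: e[0].prefixlen)
        if hop != vpn_next_hop:
            problems.append(
                f"route {best} points to {hop}, expected VPN next hop {vpn_next_hop}")

    # A more specific entry inside the data center block hijacks part of
    # the traffic unless it also points at the VPN.
    for n, hop in entries:
        if (n.version == dc.version and n != dc and n.subnet_of(dc)
                and hop != vpn_next_hop):
            problems.append(f"more specific route {n} inside {dc} points to {hop}")
    return problems


# Constructed sample data: placeholder ranges and IDs, not real DTS blocks.
DTS_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]          # stands in for Step 2 output
DB_FIREWALL_ALLOW = ["198.51.100.0/24", "203.0.113.0/25", "10.0.0.0/8"]
IPSEC_LOCAL_NETWORK = ["198.51.100.0/23", "203.0.113.0/24"]
DC_CIDR = "10.10.0.0/16"
VPN_GW = "vpn-xxxxxxxx"                                     # hypothetical VPN gateway ID
VPC_ROUTES = [
    ("10.10.0.0/16", VPN_GW),
    ("10.10.5.0/24", "i-xxxxxxxx"),   # stale entry to an ECS instance, hypothetical ID
]

if __name__ == "__main__":
    print("firewall gaps:", uncovered_blocks(DTS_BLOCKS, DB_FIREWALL_ALLOW))
    print("ipsec gaps:", uncovered_blocks(DTS_BLOCKS, IPSEC_LOCAL_NETWORK))
    for p in route_problems(VPC_ROUTES, DC_CIDR, VPN_GW):
        print("route:", p)
```

With the sample data the firewall check reports 203.0.113.0/24, because only the lower /25 is allowed, and the route check reports the /24 entry that sends part of the data center traffic to an ECS instance instead of the VPN gateway. For a self-managed VPN, pass the ID of the ECS instance that hosts the VPN as `vpn_next_hop`.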