All Products
Search

This Product

    Data Transmission Service:What do I do if an error is reported when I connect a database instance to DTS over VPN?

    Document Center

    Data Transmission Service:What do I do if an error is reported when I connect a database instance to DTS over VPN?

    Last Updated:Apr 18, 2024

    This topic describes how to fix the issue that an error is reported when you connect the source or destination database instance to Data Transmission Service (DTS) over VPN.

    Usage notes

    If your database instance is connected to DTS by using VPN Gateway and you have questions about or requirements for VPN when you troubleshoot the issue, contact technical support for VPN Gateway. For more information about VPN Gateway, see What is VPN Gateway?

    Procedure

    1. Collect the information about the source or destination database instance in which the error is reported.

      The following table describes the information to be collected about the database instance.

      Parameter

      Description

      Instance Region

      The region in which the self-managed database instance resides.

      Connected VPC

      The ID of the virtual private cloud (VPC) that is connected to the self-managed database instance.

      IP Address

      The private IP address of the self-managed database instance.

      Port Number

      The service port number of the self-managed database instance.

    2. Obtain the CIDR blocks of DTS servers in the region in which the database instance resides.

      Obtain the CIDR blocks of DTS servers based on the region and access method of the database instance. For more information, see Whitelist DTS IP ranges for your user-created database.

    3. Check the security settings of the self-managed database instance.

      Make sure that all CIDR blocks of DTS servers are added to the security settings of the self-managed database instance. This way, accesses from DTS servers are allowed. The security settings include but are not limited to the following items:

      • Security groups of the self-managed database instance

      • Firewalls of the self-managed database instance

      • Whitelists of the self-managed database instance

    4. Check the routing of the VPC that is connected to the self-managed database instance.

      1. Log on to the VPC console. In the left-side navigation pane, click Route Tables.

      2. Select VPC ID from the drop-down list next to Create Route Table. Enter the value of the Connected VPC parameter to filter route tables.路由表

      3. Click the ID of the route table that you want to manage. On the Custom Route subtab of the Route Entry List tab, check the CIDR block of your data center in the Destination CIDR Block column.路由条目列表

        • If a self-managed VPN is used, the CIDR block of your data center must point the next hop of the traffic to the Elastic Compute Service (ECS) instance on which your self-managed VPN gateway is hosted. The ID of the ECS instance is displayed in the Next Hop column.

        • If a VPN gateway is used, the CIDR block of your data center must point the next hop of the traffic to the VPN gateway.

    5. Check whether the IPsec tunnel of the VPN is correctly configured.

      • If a self-managed VPN is used, check the configurations of the IPsec tunnel and test the connection. If the connection still fails, you must capture packets at both ends of your VPN to check whether DTS traffic passes through your VPN. The source IP address of the DTS traffic is part of the DTS CIDR block.

      • If a VPN gateway is used, perform the following steps to check the configurations of the IPsec tunnel:

        1. Log on to the VPC console.

        2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

        3. Find the IPsec-VPN connection that you want to view. Make sure that the Routing Mode parameter is set to Protected Data Flows.

        4. Make sure that the obtained CIDR blocks of DTS servers are configured for the Local Network parameter.

        5. Make sure that the CIDR block of your data center is configured for the Remote Network parameter.

        6. Make sure that the updated VPN and routing configurations are configured for your on-premises gateway device.

          Note

          For more information, see Connect a data center to DTS by using VPN Gateway.

        7. Test the connection. If the connection still fails, you can contact technical support for VPN Gateway to capture packets at both ends of your VPN gateway and check whether DTS traffic passes through your VPN gateway. The source IP address of the DTS traffic is part of the DTS CIDR block.

    6. Check the routing of the data center in which the self-managed database instance is deployed.

      Check whether the responses of the database instances in the data center are sent over this IPsec-VPN connection. If the database instance resides in the cloud of another service provider, contact technical support for the cloud service for troubleshooting.

    7. Check VPC route conflicts.

      If the error persists after you perform the preceding troubleshooting operations, contact technical support for VPC to check whether the routes that point to DTS have conflicts.