All Products
Search

This Product

    Bastionhost:FAQ about connections between clients and bastion hosts

    Document Center

    Bastionhost:FAQ about connections between clients and bastion hosts

    Last Updated:Apr 07, 2024

    This topic provides answers to some frequently asked questions about connections between client tools and bastion hosts.

    I cannot use my client to access my bastion host by using the public endpoint of the bastion host. How do I troubleshoot the issue?

    You can perform the following operations to troubleshoot this issue:

    • Check whether the configurations of your bastion host are correct.

      • Run the ping command on your client to test whether the client can access your bastion host. If the client cannot access your bastion host, log on to the Bastionhost console and check whether the switch of the public endpoint is turned on.公网

      • Run the telnet command on your client to test whether the client can access your bastion host over ports 60022, 63389, and 443. If the client cannot access your bastion host, check whether the preceding ports are correctly configured for the bastion host. For more information, see Configure a port number.

      • Check whether the public IP address of your computer is added to the whitelist of your bastion host. If you configure the whitelist but you do not add the public IP address of your computer to the whitelist, the client on your computer cannot access your bastion host. For more information, see Configure a whitelist.

      For more information about how to configure a bastion host, see Configure a bastion host.

    • Check whether Cloud Firewall is used. Check whether Cloud Firewall is used to protect your bastion host and whether access control policies are configured to block the access of your bastion host. For more information, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.

    • Check whether a firewall is enabled for your client. You can use another client to access your bastion host. If the client can access the bastion host, a firewall is enabled for your client.

    • Check whether your bastion host resides outside China. If your bastion host resides outside China, the access traffic that is destined for your bastion host may be blocked. We recommend that you connect your client and the bastion host by using a VPN or a leased line.

      To test whether your bastion host can be accessed, purchase an Elastic Compute Service (ECS) instance in the same region as the bastion host and use the ECS instance to access the bastion host. For more information about ECS, see What is ECS?

    I cannot use my client to access my bastion host by using the private endpoint of the bastion host. How do I troubleshoot the issue?

    Check whether the virtual private cloud (VPC) in which your client resides and the VPC in which your bastion host resides are connected by using a VPN or a leased line.

    • If the VPCs are connected by using a VPN or a leased line, use your client to access another server that resides in the same VPC as the bastion host. If the server can be accessed, exceptions may occur on your bastion host.

    • If the VPCs are connected by using a VPN or a leased line, Internet access is normal, but access over VPCs is slow, the value of the maximum transmission unit (MTU) for the VPN may be excessively large. Specify a smaller value and try again. If the access is slow, the hosts on which you can use your bastion host to perform O&M operations may not be displayed.

    What do I do if I fail to access Bastionhost from a client by using a key pair?

    Note

    This issue occurs only on bastion hosts whose version is earlier than V3.2.38.

    Because a client that runs macOS Ventura 13.0.1 or later uses OpenSSH 8.7 or later, the ssh-rsa public key signature algorithm is disabled by default. As a result, you fail to access Bastionhost from the client by using a key pair. You can perform the following steps to configure the ssh_config configuration file to manually enable the ssh-rsa public key signature algorithm on your on-premises client:

    1. Open the ssh_config configuration file. 

      vim /etc/ssh/ssh_config

    2. Add the following configuration items to the ssh_config configuration file and save the file: 

      HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

    What is the maximum validity period of an O&M token?

    • The maximum validity period that you can configure for an O&M token is 8 hours. You can also allow O&M engineers to renew O&M tokens and the number of times to renew an O&M token. The maximum number of times to renew an O&M token is 20. Each renewal increases 1 hour of validity period. For more information about how to configure the validity period of O&M tokens and renew O&M tokens, see Configure O&M settings.

    • If you enable O&M review for databases, the validity period of an O&M token that is approved by a Bastionhost administrator takes effect. For more information about O&M approvals, see Review an O&M application.