This topic describes how to troubleshoot errors that are reported when you connect a source or destination database instance to Data Transmission Service (DTS) over VPN.
Usage notes
If your database instance is connected to DTS by using VPN Gateway and you have questions about or requirements for VPN when you troubleshoot the issue, contact technical support for VPN Gateway. For more information about VPN Gateway, see What is VPN Gateway?
Procedure
Collect the information about the source or destination database instance in which the error is reported.
The following table describes the information to be collected about the database instance.
Parameter | Description
Instance Region | The region in which the self-managed database instance resides.
Connected VPC | The ID of the virtual private cloud (VPC) that is connected to the self-managed database instance.
IP Address | The private IP address of the self-managed database instance.
Port Number | The service port number of the self-managed database instance.
Obtain the CIDR blocks of DTS servers in the region in which the database instance resides.
Obtain the CIDR blocks of DTS servers based on the region and access method of the database instance. For more information, see Whitelist DTS IP ranges for your user-created database.
Check the security settings of the self-managed database instance.
Make sure that all CIDR blocks of DTS servers are added to the security settings of the self-managed database instance so that access from DTS servers is allowed. The security settings include but are not limited to the following items:
Security groups of the self-managed database instance
Firewalls of the self-managed database instance
Whitelists of the self-managed database instance
Check the routing of the VPC that is connected to the self-managed database instance.
Log on to the VPC console. In the left-side navigation pane, click Route Tables.
Select VPC ID from the drop-down list next to Create Route Table. Enter the value of the Connected VPC parameter to filter route tables.
Click the ID of the route table that you want to manage. On the Custom Route subtab of the Route Entry List tab, check the CIDR block of your data center in the Destination CIDR Block column.
If a self-managed VPN is used, the route entry for the CIDR block of your data center must have the Elastic Compute Service (ECS) instance that hosts your self-managed VPN gateway as its next hop. The ID of the ECS instance is displayed in the Next Hop column.
If a VPN gateway is used, the route entry for the CIDR block of your data center must have the VPN gateway as its next hop.
Check whether the IPsec tunnel of the VPN is correctly configured.
If a self-managed VPN is used, check the configurations of the IPsec tunnel and test the connection. If the connection still fails, you must capture packets at both ends of your VPN to check whether DTS traffic passes through your VPN. The source IP address of the DTS traffic is part of the DTS CIDR block.
If a VPN gateway is used, perform the following steps to check the configurations of the IPsec tunnel:
Log on to the VPC console.
In the left-side navigation pane, choose
Find the IPsec-VPN connection that you want to view. Make sure that the Routing Mode parameter is set to Protected Data Flows.
Make sure that the obtained CIDR blocks of DTS servers are configured for the Local Network parameter.
Make sure that the CIDR block of your data center is configured for the Remote Network parameter.
Make sure that the updated VPN and routing configurations are applied to your on-premises gateway device.
Note: For more information, see Connect a data center to DTS by using VPN Gateway.
Test the connection. If the connection still fails, you can contact technical support for VPN Gateway to capture packets at both ends of your VPN gateway and check whether DTS traffic passes through your VPN gateway. The source IP address of the DTS traffic is part of the DTS CIDR block.
Check the routing of the data center in which the self-managed database instance is deployed.
Check whether the responses of the database instances in the data center are sent over this IPsec-VPN connection. If the database instance resides in the cloud of another service provider, contact technical support for the cloud service for troubleshooting.
Check VPC route conflicts.
If the error persists after you perform the preceding troubleshooting operations, contact technical support for VPC to check whether the routes that point to DTS have conflicts.
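The allowlist check in the security-settings step and the source-address check on captured packets in the IPsec step can be scripted as shown below. This is an added example, not part of the original DTS documentation: the function names are hypothetical, and every CIDR block and address is a constructed placeholder to be replaced with the DTS CIDR blocks you obtained and the entries exported from your security group, firewall, or whitelist.

```python
import ipaddress

# Constructed placeholders (documentation ranges), not real DTS CIDR blocks.
DTS_CIDRS = ["192.0.2.0/26", "198.51.100.64/26", "203.0.113.0/28"]
# Constructed allowlist as exported from a security group, firewall, or whitelist.
ALLOWLIST = ["192.0.2.0/24", "198.51.100.64/27", "10.0.0.5"]


def uncovered_ranges(dts_cidrs, allowlist):
    """Map each DTS CIDR block to the sub-ranges that no allowlist entry covers."""
    # strict=False lets single addresses and entries with host bits set parse.
    allowed = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    gaps = {}
    for cidr in dts_cidrs:
        remaining = [ipaddress.ip_network(cidr)]
        for allow in allowed:
            next_remaining = []
            for net in remaining:
                if net.version != allow.version:
                    next_remaining.append(net)      # IPv4 vs IPv6: no overlap
                elif net.subnet_of(allow):
                    continue                        # fully covered, drop it
                elif allow.subnet_of(net):
                    # Partially covered: keep only what the entry leaves out.
                    next_remaining.extend(net.address_exclude(allow))
                else:
                    next_remaining.append(net)      # disjoint, still uncovered
            remaining = next_remaining
        gaps[cidr] = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return gaps


def is_dts_source(src_ip, dts_cidrs):
    """True if a source address seen in a packet capture is in a DTS CIDR block."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in dts_cidrs)


if __name__ == "__main__":
    for cidr, missing in uncovered_ranges(DTS_CIDRS, ALLOWLIST).items():
        print(cidr, "OK" if not missing else "NOT allowed: " + ", ".join(missing))
    # Constructed source addresses as they might appear in a capture.
    for src in ["198.51.100.70", "10.0.0.5"]:
        print(src, "DTS traffic" if is_dts_source(src, DTS_CIDRS) else "not DTS")
```

An empty list for a DTS CIDR block means the allowlist admits the whole block; any listed sub-range is a set of DTS addresses that the database side would still reject.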