
Troubleshooting SSH Tunnel Connectivity

Sergio
CTO

When using an SSH tunnel to connect to your database, Portable first needs to reach your bastion host (jump server) over the network. If this step fails, you'll see an "SSH Tunnel Reach" or "SSH Tunnel Connectivity" error in the diagnostic checks.

What This Means

Portable cannot establish a TCP connection to your bastion host on the SSH port (usually 22). This is a network-level issue that occurs before any authentication is attempted.

Common Causes

1. Firewall Blocking SSH Port

This is the most common cause: your bastion host's firewall (or a network firewall) is blocking incoming connections on port 22 from Portable's IP addresses.

Solution: Whitelist Portable's IP addresses in your firewall rules for port 22. You can find our current IP addresses in your Portable dashboard under Settings → IP Addresses.

2. Wrong Bastion Hostname

The hostname you provided for the bastion host may be incorrect or may not resolve.

Common mistakes:

  • Typos in the hostname
  • Using an internal/private hostname that doesn't resolve from the internet
  • Using the database hostname instead of the bastion hostname

3. Wrong SSH Port

SSH typically runs on port 22, but your bastion may use a non-standard port for security.

Check with your administrator:

  • Common alternative ports: 2222, 22022, 443
  • Specify the correct port in Portable's SSH settings

4. Bastion Host Is Down

The bastion server may be stopped, crashed, or undergoing maintenance.

5. SSH Service Not Running

The SSH daemon (sshd) may not be running on the bastion host.

6. Cloud Security Groups

If your bastion is on AWS, GCP, or Azure, security groups or network ACLs may be blocking access.

How to Diagnose

Test connectivity from your local machine

# Test TCP connectivity to SSH port
nc -zv bastion.example.com 22

# Or using telnet
telnet bastion.example.com 22

# Or test SSH connection directly
ssh -v <user>@bastion.example.com

If this works from your machine but Portable fails, the bastion allows your IP but not Portable's.
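The checks above, as an added Python example (not Portable's code): it makes the same TCP connection as nc, maps the result to the causes listed earlier, and reads the server's first line to confirm the port really speaks SSH. The function name reach_check, the outcome labels and the hint wording are assumptions made for this example.

```python
import socket
import sys

# Outcome -> most likely cause, using the causes listed in this article.
HINTS = {
    "dns": "hostname does not resolve (typo, or an internal-only name)",
    "refused": "host answers but nothing listens there (wrong port, sshd stopped)",
    "timeout": "packets dropped (firewall, security group/ACL) or host is down",
    "unreachable": "other network error such as no route to host (see detail)",
    "not_ssh": "port is open but the service is not SSH (wrong port)",
    "ok": "reach works from here; if Portable still fails, allow its IPs",
}

def reach_check(host, port=22, timeout=5.0):
    """Classify one TCP reach attempt; returns (outcome, detail)."""
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns", str(exc)
    sock = socket.socket(info[0], info[1], info[2])
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(info[4])
        except ConnectionRefusedError as exc:
            return "refused", str(exc)
        except (socket.timeout, TimeoutError) as exc:
            return "timeout", str(exc)
        except OSError as exc:
            return "unreachable", str(exc)
        try:
            # An SSH server sends its "SSH-2.0-..." identification line first.
            data = sock.recv(255)
        except OSError:  # silent or reset peer: connected, but no banner
            data = b""
    finally:
        sock.close()
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return "ok", line.decode("ascii", "replace")
    return "not_ssh", repr(data[:40])

if __name__ == "__main__":
    # bastion.example.com is the placeholder hostname used in this article.
    target = sys.argv[1] if len(sys.argv) > 1 else "bastion.example.com"
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    outcome, detail = reach_check(target, tcp_port)
    print(f"{outcome}: {HINTS[outcome]} [{detail}]")
```

Run it from your own machine and again from an external server: "ok" in one place and "timeout" in the other points at an IP-based allow rule.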

Check if the bastion is reachable from the internet

Use an online port checker and enter your bastion hostname and port 22.

Verify SSH is running on the bastion

SSH into the bastion from a machine that can access it, then:

# Check if sshd is running
sudo systemctl status sshd
# or
sudo service ssh status

# Check what port SSH is listening on
sudo netstat -tlnp | grep sshd
# or
sudo ss -tlnp | grep sshd

Check firewall rules on the bastion

# UFW (Ubuntu)
sudo ufw status

# iptables
sudo iptables -L -n | grep 22

# firewalld (CentOS/RHEL)
sudo firewall-cmd --list-all

Cloud-Specific Instructions

AWS EC2 Bastion

  1. Go to EC2 Console → Security Groups
  2. Find the security group attached to your bastion instance
  3. Edit Inbound Rules
  4. Add a rule:
    • Type: SSH
    • Port: 22
    • Source: Portable's IP addresses (or a custom CIDR range)

Also check Network ACLs if your bastion is in a VPC with custom ACL rules.

Google Compute Engine

  1. Go to VPC Network → Firewall
  2. Create or edit a firewall rule:
    • Direction: Ingress
    • Targets: Your bastion instance (by tag or service account)
    • Source IP ranges: Portable's IP addresses
    • Protocols and ports: tcp:22

Azure VM

  1. Go to Azure Portal → Your VM → Networking
  2. Under Inbound port rules, add a rule:
    • Destination port: 22
    • Source: Portable's IP addresses
    • Action: Allow

DigitalOcean Droplet

  1. If using DigitalOcean Cloud Firewalls:
    • Go to Networking → Firewalls
    • Edit your firewall
    • Add inbound rule for SSH (port 22) from Portable's IPs
  2. If using only the droplet's built-in firewall (ufw), configure it directly on the server

Setting Up a Bastion Host

If you don't have a bastion host yet, here's a quick setup:

Minimal Ubuntu Bastion

# Update and install essentials
sudo apt update && sudo apt upgrade -y

# SSH should be installed by default, verify it's running
sudo systemctl status ssh

# Configure firewall (allow SSH)
sudo ufw allow 22/tcp
sudo ufw enable

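# Optionally, restrict to specific IPs only.
# Add the allow rules first (include your own admin IP), then remove the
# open rule, so new SSH sessions to the bastion are not locked out.
sudo ufw allow from <PORTABLE_IP_1> to any port 22 proto tcp
sudo ufw allow from <PORTABLE_IP_2> to any port 22 proto tcp
sudo ufw delete allow 22/tcp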

Hardening Tips

  • Use key-based authentication only (disable password auth)
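  • Consider using a non-standard port (this cuts automated scan noise but does not replace the other controls; set the same port in Portable's SSH settings)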
  • Install fail2ban to prevent brute-force attacks
  • Keep the system updated

Difference: SSH Tunnel Reach vs SSH Tunnel Auth

Portable performs two separate SSH checks:

| Check | What It Tests | Common Failures |
| --- | --- | --- |
| SSH Tunnel Reach | Can we connect to bastion on port 22? | Firewall, wrong hostname, server down |
| SSH Tunnel Auth | Can we authenticate with credentials? | Wrong username, bad key format, key not authorized |

If "SSH Tunnel Reach" fails, the authentication check is skipped (can't authenticate if we can't connect).

Checklist

Before contacting support, verify:

  • Bastion hostname is correct and resolves from the internet
  • SSH port is correct (default 22, or custom port if configured)
  • Bastion server is running
  • SSH daemon (sshd) is running on the bastion
  • Firewall allows inbound connections on the SSH port
  • Portable's IP addresses are whitelisted in security groups (for cloud providers)
  • You can connect to the bastion from your local machine via SSH

Still Stuck?

If you can reach the bastion from other locations but Portable can't, contact support with:

  • Your bastion hostname and SSH port
  • Your cloud provider (if applicable)
  • The output of nc -zv <bastion> <port> from an external server
  • Relevant security group IDs or firewall rules
  • Your source/destination ID from Portable