Updated on 2025-12-23 GMT+08:00

What Do I Do If Log Transfer to DMS Fails?

If a log transfer to DMS task fails after being configured on the Log Transfer page of the LTS console, follow these steps to locate and resolve the fault.

Troubleshooting

  1. Check whether the ports are enabled in the security group.

    Before registering a DMS Kafka instance, you must allow network segment 198.19.128.0/17 and port 9011 in the security group. If the DMS subnet is associated with a network ACL, you also need to configure an inbound rule that allows TCP access from source IP address 198.19.128.0/17 (source port range 1–65535) to all destination IP addresses on destination port 9011.

  2. Check whether the Kafka protocol is correctly configured.

    When creating a Kafka instance, configure the instance access mode as follows: enable ciphertext access for private network access, set the Kafka security protocol to SASL_SSL, set the username and password, and enable SASL/PLAIN.

  3. Check whether the VPC endpoint service quota is exceeded.

    1. On the console, choose Resources > My Quotas.
      Figure 1 My quotas
    2. On the Quotas page, search for VPC Endpoint Service and check whether its quota is exceeded. If it is exceeded, click Increase Quota in the upper right corner.
    3. On the Create Service Ticket page, set the parameters.

      In the Problem Description area, enter the required quota and the reason for the quota adjustment.

    4. Select I have read and agree to the Ticket Service Protocol and Privacy Statement and click Submit.

  4. Check whether the VPC endpoint service's port is occupied.

    Go to the Kafka instance and locate the advanced settings. If the listeners IP address is the same as the advertised.listeners IP address/domain name and both use port 9011, the VPC endpoint service port is occupied. To resolve this, release the port or purchase a new Kafka instance.

    To release the occupied port:

    1. Locate and record the port ID in the Kafka instance's advanced settings.
    2. Provide this port ID to VPCEP technical support.
    3. Obtain the ID of the corresponding VPC endpoint service from VPCEP technical support.
    4. In the VPC Endpoint Services list, locate the obtained VPC endpoint service ID and click the corresponding VPC endpoint service name. On the displayed page, click the Connection Management tab and reject the connection. Return to the VPC Endpoint Services list and delete the VPC endpoint service.

  5. Check whether you have the necessary VPCEP permissions. For more operations, see Using IAM Roles or Policies to Grant Access to VPC Endpoint.

    The required permissions are:

    • vpcep:endpoints:create
    • vpcep:endpoints:get
    • vpcep:endpointServices:create
    • vpcep:endpointServices:get
    • vpcep:endpointServices:createPermissions
    • vpcep:endpointServices:list
    • vpcep:endpoints:list
    • vpcep:endpointServices:updatePermissions

  6. Check whether your account is an organization member account.

    If so, check whether the Organizations Service Control Policy (SCP) denies any of the following VPCEP permissions. If it does, remove the denial.

    • vpcep:endpoints:create
    • vpcep:endpoints:get
    • vpcep:endpointServices:create
    • vpcep:endpointServices:get
    • vpcep:endpointServices:createPermissions
    • vpcep:endpointServices:list
    • vpcep:endpoints:list
    • vpcep:endpointServices:updatePermissions
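
The checks in steps 5 and 6 can be run offline against exported policy documents. The following is an added example, not code from the LTS or IAM documentation: it assumes policies are JSON objects with a `Statement` list of `Effect`/`Action` entries in which `*` is a wildcard, it ignores any `Resource` or `Condition` elements, and the names `audit`, `SAMPLE_POLICY` and `SAMPLE_SCP` are hypothetical.

```python
from fnmatch import fnmatchcase

# The eight VPCEP actions listed in steps 5 and 6 of this page.
REQUIRED = (
    "vpcep:endpoints:create",
    "vpcep:endpoints:get",
    "vpcep:endpointServices:create",
    "vpcep:endpointServices:get",
    "vpcep:endpointServices:createPermissions",
    "vpcep:endpointServices:list",
    "vpcep:endpoints:list",
    "vpcep:endpointServices:updatePermissions",
)

def patterns(policies, effect):
    """Collect the Action patterns of every statement with the given Effect."""
    found = []
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") == effect:
                actions = stmt.get("Action", [])
                found += [actions] if isinstance(actions, str) else list(actions)
    return found

def audit(identity_policies, scps=()):
    """Return (missing, denied) subsets of REQUIRED, in REQUIRED order.

    missing: no Allow in the identity policies (step 5).
    denied:  matched by a Deny in an identity policy or an SCP (step 6).
    Assumption: Resource and Condition are ignored, so a conditional Deny
    is still reported and should be reviewed by hand.
    """
    allow = patterns(identity_policies, "Allow")
    deny = patterns(list(identity_policies) + list(scps), "Deny")
    def hit(action, pats):
        return any(fnmatchcase(action, p) for p in pats)
    missing = [a for a in REQUIRED if not hit(a, allow)]
    denied = [a for a in REQUIRED if hit(a, deny)]
    return missing, denied

# Constructed sample documents (not taken from a real account).
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": [
    "vpcep:endpoints:*", "vpcep:endpointServices:get",
    "vpcep:endpointServices:list", "vpcep:endpointServices:create"]}]}
SAMPLE_SCP = {"Statement": [{"Effect": "Deny", "Action": ["vpcep:endpoints:create"]}]}

if __name__ == "__main__":
    missing, denied = audit([SAMPLE_POLICY], [SAMPLE_SCP])
    print("No Allow found for:", missing)
    print("Explicitly denied: ", denied)
```

An action that appears in neither list is allowed and not denied; the transfer task needs both lists to be empty.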