Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
This article describes how to troubleshoot problems when the ping command is used but the port is disconnected.
Alibaba Cloud reminds you that:
- Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
- If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
If your website is inaccessible, see unable to access websites running on ECS instances for detailed troubleshooting methods. When you access the target server on a client, if you can ping but the service port cannot be accessed, you can refer to the following methods for troubleshooting.
- Step 1: Add an instance security group
- Step 2: Port Related services
- Step 3: Check the firewall configuration of the target server
- Step 4: Use a detection tool to perform inspection
Step 1: Add an instance security group
- Log on to the ECS console.
- In the left-side navigation pane, click .
- In the top navigation bar, select a region.
- In instance list page in the ECS instance, and then click the instance ID to enter the instance details page.
- In the left-side navigation pane, click security groups, and click the security group ID to go to the security group rules page.
- On the security group rules page, click inbound and view access rules to check whether port-related authorization exists.
- If the corresponding port is not authorized, add the authorization for the port. For more information, see add security group rules.
- If you want to authorize the corresponding port, check whether the authorized object allows access from the local IP address.
Step 2: Port Related services
Run the following command to check whether the port is monitored:
- Linux how VNC remotely connect to the Linux instance, see via the VNC connect to log on to the Linux instance by using the.
- For more information about how to connect to a Windows instance through a VNC, see connect to a Windows instance through VNC.
netstat -ntpl|grep [$Port]
Note:[$Port] is the corresponding Port number.
The following command output is returned.
0.0.0.0represents an arbitrary address available on the local machine. For example,
0.0.0.0:135indicates port 135 of all addresses on the local machine.
tcp 0.0.0.0:80indicates that all available interfaces listen on TCP port 80.
- If the response is empty, the service corresponding to the port is not started. Start the service accordingly.
- If any command output is returned, the service is in the started state. If you confirm that the services can be restarted, restart the corresponding services. After the services are restarted, perform a connectivity test.
Step 3: Check the firewall configuration of the target server
Log on to the target server through VNC Remote connection and run the following command to check the firewall configuration.
If the response contains a rule for the corresponding port, delete the rule or disable the firewall and then test the port connectivity. You can disable the firewall as follows:
- Run the following command to view the firewall status:
systemctl status firewalld.service
- Run the following command to disable the firewall.
systemctl stop firewalld.service
- Run the following command to disable the firewall service upon startup:
systemctl disable firewalld.service
Disable the firewall and then test the port connectivity. The procedure is as follows:
- Connect to the target server through VNC Remote connection, and open control panel from the Windows Firewall.
- In the Windows Firewall window, click enable or disable firewall. The custom settings page appears.
- Set private network settings and public network settings to Windows Firewall off, and click OK.
Step 4: Use a detection tool to perform inspection
The port access failure may be caused by the Port interception on the node in the link. Use the tools for port availability detection to test whether the port is intercepted by any node. For more information about the port availability detection tool, see more information.
Port availability test steps
Typically, you can perform the following steps:
- Use the corresponding tools to test the availability of the target server and port according to the above.
- Check and analyze the probe results to confirm the root cause of the problem. If the port is blocked at a hop, data is not returned for subsequent hops. Based on this, abnormal nodes can be identified.
- If an exception exists, you can solve the problem in the following two ways.
- You can call this operation to query a website based on the corresponding IP address and network type, such as Taobao IP Address Library.
- You can also submit tickets to seek technical support from Alibaba Cloud.
Note: When you open a ticket, you must add the port availability detection result to the ticket.
Case Analysis of detection results
This section describes two detection result cases, including the detection results and analysis.
The detection results are as follows, the target Port has no data returned after the 3rd hop.
Tracing route to 115.X.X.27 on port 135
Over a maximum of 30 hops.
1 3 ms 3 ms 3 ms 1X.X.X.X
2 4 ms 3 ms 3 ms 2X.X.X.X
3 3 ms 3 ms 3 ms 3X.X.X.X
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
Because the node is an intranet IP address, this may be caused by related security policies of the local network. Contact the local network administrator for further troubleshooting and analysis.
The detection results are as follows, the target Port has no data returned after the 11th hop.
[root@mycentos ~]# traceroute -T -p 135 www.baidu.com
traceroute to www.baidu.com (220.127.116.11), 30 hops max, 60 byte packets
1 * * *
2 1X.X.X.X (1X.X.X.X) 4.115 ms 4.397 ms 4.679 ms
3 2X.X.X.X (2X.X.X.X) 901.921 ms 902.762 ms 902.338 ms
4 3X.X.X.X (3X.X.X.X) 2.187 ms 1.392 ms 2.266 ms
5 * * *
6 5X.X.X.X (5X.X.X.X) 1.688 ms 1.465 ms 1.475 ms
7 6X.X.X.X (6X.X.X.X) 27.729 ms 27.708 ms 27.636 ms
8 * * *
9 * * *
10 18.104.22.168 (22.214.171.124) 28.922 ms 126.96.36.199 (188.8.131.52) 29.030 ms 28.916 ms
11 184.108.40.206 (220.127.116.11) 29.169 ms 28.893 ms 18.104.22.168 (22.214.171.124) 30.986 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
Because this node belongs to Beijing Mobile after query, you need to report the node to the operator or open a ticket for further investigation and analysis.
The tools used for port availability detection vary with the operating system. The port availability detection tools in the following systems are introduced here.
traceroute is a network testing tool pre-installed in almost all Linux releases. It is used to track the path that an Internet Protocol (IP) data packet passes to a target address. traceroute sends TCP data packets to the target Port to detect the connectivity of the corresponding port on the entire link from the data packet source to the target server. The tool is described as follows:
traceroute is a common command for port availability Detection. It is command format as follows:
traceroute [-n] -T -p [$Port] [$Host]
- -n: uses the IP address directly instead of the hostname (DNS lookup is disabled).
- -T: detects TCP.
- -p: sets the port number to be tested.
- [$Port]: the Port number to be tested, such as 80.
- [$Host]: indicates the IP address of the target ECS instance, such as
- For more information about how to use traceroute, see using the man command.
The example commands of traceroute and the returned results are as follows:
[root@centos~]# traceroute -n -T -p 22 126.96.36.199
traceroute to 188.8.131.52 (184.108.40.206), 30 hops max, 60 byte packets
1 5X.X.X.X 0.431 ms 0.538 ms 0.702 ms
2 1X.X.X.X 0.997 ms 1.030 ms 10.88.16.21 1.309 ms
3 5X.X.1X.2X 0.393 ms 0.390 ms 220.127.116.11 0.423 ms
4 6X.X.X.X 1.110 ms 18.104.22.168 0.440 ms 0.440 ms
5 6X.X.1X.X 1.744 ms 22.214.171.124 1.076 ms 1.232 ms
6 63.2X.1X.1X 1.832 ms 126.96.36.199 1.663 ms 188.8.131.52 1.616 ms
7 20X.97.1X.1X 2.776 ms 184.108.40.206 1.585 ms 1.606 ms
8 * * 220.127.116.11 2.537 ms
9 18.104.22.168 6.856 ms * *
10 * * *
11 * * *
12 * * 22.214.171.124 8.738 ms
13 126.96.36.199 8.248 ms 8.231 ms *
14 * 188.8.131.52 32.305 ms 184.108.40.206 29.877 ms
15 220.127.116.11 11.950 ms 18.104.22.168 23.853 ms 22.214.171.124 29.831 ms
16 126.96.36.199 11.007 ms 188.8.131.52 13.615 ms 184.108.40.206 11.956 ms
17 220.127.116.11 21.578 ms 18.104.22.168 13.236 ms *
18 * * 22.214.171.124 12.070 ms ! X
You can run the tracetcp command to test the port availability in Windows. tracetcp also sends TCP data packets for link detection to analyze whether there are intermediate nodes in the link that block the target port. The tool is described as follows:
Download and installation
- tracetcp depends on WinPcap library. Therefore, you must go to the official website to download the WinPcap library.
- Download the latest version of tracetcp from the official tracetcp website.
- Decompress the downloaded tracetcp file to the
Note: You can also decompress the package to a non-system directory, but you need to modify system environment variables to ensure that the extracted package can be called directly.
Double-click the tracetcp application to open it. Common uses of tracetcp are as follows:
- [$IP] indicates the IP address or domain name of the target server.
- [$Port] indicates the target Port to be tested.
- For more information, see
tracetcp -?Command to view help information.
The command and return result of tracetcp are as follows:
C:\ >tracetcp www.aliyun.com:80
Tracing route to 126.96.36.199 on port 80
Over a maximum of 30 hops.
1 3 ms 4 ms 3 ms 3X.X.X.X
2 13 ms 3 ms 4 ms 1X.X.X.X
3 3 ms 3 ms 2 ms 10.X.X.X
4 4 ms 3 ms 3 ms 4X.X.X.X
5 5 ms 4 ms 7 ms 5X.X.X.X
6 6 ms 5 ms 7 ms 6X.X.X.X
7 8 ms 8 ms 8 ms 188.8.131.52
8 10 ms 10 ms 8 ms 184.108.40.206
9 9 ms 9 ms 11 ms 220.127.116.11
10 * * * Request timed out.
11 Destination Reached in 8 ms. Connection established to 18.104.22.168
- Elastic Compute Service