All Products
Search
Document Center

:What do I do if I cannot ping the public IP address of an ECS instance?

Last Updated:Feb 06, 2024

You may fail to ping Elastic Compute Service (ECS) instances for a variety of reasons. This topic describes how to troubleshoot the issue.

Problem description

You cannot ping the public IP address of an ECS instance from an on-premises client. Examples:

  • You use an on-premises Linux client to ping the public IP address of an ECS instance, and no response is returned, as shown in the following figure.

    2023-05-28_16-53-11..png

  • You use an on-premises Windows client to ping the public IP address of an ECS instance, and the Request timed out error is returned, as shown in the following figure.

    2023-05-28_16-52-16..png

Causes

Provided that your network connectivity is good and you can access or ping other websites, you may fail to ping the public IP address of the ECS instance for the causes that are described in the following table.

Cause

Solution

The ECS instance is not in the Running state.

Check the status of the ECS instance.

The security groups of the ECS instance do not contain rules that allow access from the client.

Check the security group rules of the ECS instance.

The firewall settings of the ECS instance do not allow access from the client.

Check the firewall settings of the ECS instance.

The CPU utilization or bandwidth utilization of the ECS instance is high.

Check the CPU utilization or bandwidth utilization of the ECS instance.

Blackhole filtering is triggered for the ECS instance.

Check whether blackhole filtering is triggered for the ECS instance.

The ECS instance is intruded.

Check whether security alerts are generated in Security Center for the instance.

The ECS instance is deployed in the China (Hong Kong) region or a region outside China.

Check whether the ECS instance is deployed in the China (Hong Kong) region or a region outside China.

The ECS instance is unreachable from the client.

Check whether the ECS instance is unreachable from only the client.

The domain name is not Internet Content Provider (ICP) filed or cannot be resolved.

Check whether the domain name is ICP filed and the resolution settings of the domain name.

Check the status of the ECS instance

An instance can provide external services only if the instance is in the Running state. Perform the following operations to check the status of the ECS instance:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select the region in which the instance resides.

  4. On the Instances page, find the instance and check the status of the instance.

Check the security group rules of the ECS instance

By default, the security groups of an ECS instance contain a rule that allows Internet Control Message Protocol (ICMP) traffic to the instance. If the rule is deleted, the instance cannot be pinged. Perform the following operations to check the security group rules of the ECS instance:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs. 地域

  4. On the Instances page, find the instance and click the instance ID.

  5. On the Instance Details page, click the Security Group tab.

  6. On the Security Groups tab, find a security group and click the security group ID.

  7. On the Security Group Rules page, check whether an inbound rule that allows ICMP traffic exists.

    ICMP协议..png

    • If no inbound rules that allow ICMP traffic exist, add such a rule. For more information, see Add a security group rule.

      Set Authorization policy to Allow, Protocol Type to All ICMP (IPv4), and Port Range to -1/1. Use the default Priority value and specify specific IP addresses in the Authorization Object field.

    • If a rule that allows ICMP traffic exists, proceed to the operations that are described in the Check the firewall settings of the ECS instance section of this topic.

Check the firewall settings of the ECS instance

Check the firewall settings of the ECS instance based on the operating system of the instance.

Check the kernel parameter and firewall settings of the Linux ECS instance

To ping a Linux ECS instance, the instance must have the icmp_echo_ignore_all kernel parameter set to 0 and firewall settings that allow ICMP traffic.

Check the kernel parameter of the Linux ECS instance

  1. Connect to the ECS instance by using Virtual Network Computing (VNC).

    For more information, see Connect to an instance by using VNC.

  2. Run the following command to check the value of the icmp_echo_ignore_all kernel parameter:

    cat /proc/sys/net/ipv4/icmp_echo_ignore_all
    • If a value of 0 is returned, all ICMP traffic is allowed on the instance. Proceed to the operations that are described in the Check the firewall settings of the Linux ECS instance section of this topic.

    • If a value of 1 is returned, all ICMP traffic is denied on the instance. Proceed to Step 3.

  3. Run one of the following commands to set icmp_echo_ignore_all to 0 to allow all ICMP traffic on the instance:

    1. Run the following command to temporarily allow all ICMP traffic on the instance:

      echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    2. Run the following command to permanently allow all ICMP traffic on the instance:

      echo net.ipv4.icmp_echo_ignore_all=0 >> /etc/sysctl.conf
      sysctl -p

Check the firewall settings of the Linux ECS instance

  1. Connect to the ECS instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Run the following command to check the firewall settings of the instance:

    iptables -L
    • If the following command output is returned, ICMP traffic is allowed on the instance. Proceed to the operations that are described in the Check the CPU utilization or bandwidth utilization of the ECS instance section of this topic.

      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-request        
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination  
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-reque
    • If ICMP traffic is denied on the instance, run the following command to allow ICMP traffic:

      #Chain INPUT
      iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
      #Chain OUTPUT
      iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Check the firewall settings of the Windows ECS instance

In this example, the ECS instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.

  1. Connect to the ECS instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Click the 服务器管理..png icon to open Server Manager.

  3. In the upper-right corner, choose Tools > Windows Defender Firewall with Advanced Security.

    2023-05-28_20-21-16..png

  4. On the Windows Defender Firewall with Advanced Security page, check whether ICMP traffic is denied in the Inbound Rules and Outbound Rules sections.

Check the CPU utilization or bandwidth utilization of the ECS instance

Check the external resource usage of the instance. For example, check whether the public bandwidth utilization of the instance reaches 100%.

  • If the instance is a burstable instance that runs in standard mode, the instance cannot be pinged or packets may be lost during the pinging process when the CPU utilization of the instance reaches 100%. For more information, see Overview.

  • If the EIP or public IP address resources of the instance are occupied, the ping request to the instance may be dropped due to throttling. As a result, the instance cannot be pinged.

Check whether blackhole filtering is triggered for the ECS instance

Check whether you received a blackhole filtering notification for the instance. During blackhole filtering, the instance cannot be connected or pinged.

For more information, see Blackhole filtering policy of Alibaba Cloud.

Check whether security alerts are generated in Security Center for the instance

Check whether security alerts are generated in Security Center for the instance. Intrusions can also cause ping failures. For more information, see What is Security Center?

Check whether the ECS instance is deployed in the China (Hong Kong) region or a region outside China

If you use an ECS instance that is deployed in the Chinese mainland to access an ECS instance that is deployed in the China (Hong Kong) region or a region outside China, the quality of the link may be affected by Internet service provider (ISP) lines. We recommend that you try again later.

Check whether the ECS instance is unreachable from only the client

If you cannot ping the ECS instance from the client but can ping the instance from other clients, we recommend that you test the connectivity between the instance and the client. For more information, see Test network paths when packet loss or connection failures occur after the ping command is run.

Check whether the domain name is ICP filed and the resolution settings of the domain name

If the public IP address of the ECS instance can be pinged but the domain name cannot, the domain name may not have an ICP filing or cannot be resolved.

Domain names that are resolved to the IP addresses of servers deployed in the Chinese mainland must be ICP filed with the Ministry of Industry and Information Technology (MIIT) before the domain names can be accessed. If the domain name of a website does not have an ICP filing, the website cannot provide external services. If Alibaba Cloud detects that a website provides external services without an ICP filing, Alibaba Cloud blocks the website.

References