This topic describes possible reasons and resolutions for failing to access a Server Load Balancer (SLB) instance from a client.

Note: In this example, the frontend port of the SLB instance is 80, the port of the backend ECS instance is 80, and the internal IP address of the ECS instance is 10.11.192.1. You must configure the port and internal IP address according to your actual situation.
No. Cause Resolution
1 SLB cannot be accessed by backend servers. For a layer-4 SLB service, a backend ECS instance cannot directly provide services for clients and function as the backend server of the SLB service at the same time. None
2 Health check exceptions. For more information, see How do I troubleshoot health check exceptions of a layer-4 (TCP/UDP) listener? and How do I troubleshoot a health check exception of a layer-7 (HTTP/HTTPS) listener?.
3 Using FTP, TFTP, H.323, and SIP protocols through SLB is not supported.
  • For a Linux system, you can configure the forwarding of port 22 and use SFTP to connect and transmit data.
  • You can associate an Elastic IP Address (EIP) with an FTP server in the cut-through mode to provide external FTP service. For more information, see Deploy an FTP server by using an EIP.
4 The internal firewall of the server does not allow port 80. You can temporarily disable the firewall to run a test.
  • For a Windows server, run the following command to open the Windows Firewall control panel, and then turn off the firewall there:

    firewall.cpl

  • For a Linux server, run:

    /etc/init.d/iptables stop

5 Backend port exceptions.
  • For a layer-4 SLB service, you can perform a Telnet test. If you receive a response, the backend port is normal.

    Example: Use telnet 10.11.192.1 80 to perform a Telnet test.

  • For a layer-7 SLB service, you can check the HTTP status code returned. The status code must indicate a normal condition, such as 200. The test methods are as follows:
    • Windows: Access the internal IP address of the ECS instance directly from the ECS instance to check if access is normal.

      Example: http://10.11.192.1

    • Linux: Run the curl -I command and check if the status is HTTP/1.1 200 OK.

      Example: curl -I 10.11.192.1

6 The rp_filter feature conflicts with the policy-based route of the LVS of SLB.
  1. Log on to the ECS instance that is added to the SLB instance. The ECS instance runs a Linux system.
  2. Edit the /etc/sysctl.conf file and set the following three parameters in the system configuration file to 0.
     net.ipv4.conf.default.rp_filter = 0
     net.ipv4.conf.all.rp_filter = 0
     net.ipv4.conf.eth0.rp_filter = 0
  3. Run the sysctl -p command to make the configurations take effect.
7 Listener exceptions.
Run the following command on the server. If the output shows a listener on 10.11.192.1:80 or on 0.0.0.0:80, the port is listening normally.
  • For a Windows server, run:

    netstat -ano | findstr :80

  • For a Linux server, run:

    netstat -anp | grep :80

8 No listener is added to the SLB instance. Configure a listener. For more information, see Listener overview.
9 SLB cannot be accessed through the domain name. This may be caused by an error in domain name resolution. None
10 Exceptions of the local network of the client or exceptions of the intermediate link of the service provider. Perform access tests on the service port of SLB in different regions and network environments.

If the exception occurs only when the SLB instance is accessed from the local network, the problem is caused by a network exception. You can then troubleshoot further with Ping tests or MTR route tracing.

11 The client IP address is blocked by Alibaba Cloud Security.
  1. Visit http://ip.taobao.com in the network environment of the client and obtain the public IP address of the client network.
  2. Add the IP address to the SLB whitelist to allow access from the IP address.
    Note: This operation may pose security risks. Make sure that the IP address is not a source of malicious attacks on SLB.
12 After you switch to Anti-DDoS Basic from Anti-DDoS Pro, the whitelist is not disabled. Disable the whitelist.
If the problem persists, open a ticket and submit the following details:
  • The ID of the SLB instance or the IP address of the SLB service.
  • The public IP address of the client obtained when you visit ip.taobao.com.
  • Screenshots of ping and MTR route tracing tests performed by the client by using the IP address of the SLB service.
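
The listener check from item 7, as an added example that is not part of the original documentation: `grep :80` also matches ports such as 8080 and does not show whether the service is bound only to loopback, so this shell function matches the port exactly and accepts only 10.11.192.1 or 0.0.0.0 as the local address. The function name `check_listener` and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the SLB documentation).
# Usage: netstat -an | check_listener <backend-ip> <port>
# Prints "ok <addr>", "wrong-address <addr>" or "not-listening";
# the exit status is 0 only for "ok".
check_listener() {
    awk -v ip="$1" -v port="$2" '
        # Linux prints the state LISTEN, Windows prints LISTENING.
        $1 ~ /^(tcp|TCP)/ && /LISTEN/ {
            # Local address is column 4 on Linux and column 2 on Windows.
            addr = ($1 ~ /^tcp/) ? $4 : $2
            n = split(addr, part, ":")
            # Compare the port as a whole string, so 8080 never counts as 80.
            if ((part[n] "") != (port "")) next
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            if (host == ip || host == "0.0.0.0") {
                if (good == "") good = addr      # reachable from SLB
            } else if (other == "") {
                other = addr                     # e.g. bound to 127.0.0.1 only
            }
        }
        END {
            if (good != "")  { print "ok " good; exit 0 }
            if (other != "") { print "wrong-address " other; exit 1 }
            print "not-listening"; exit 1
        }'
}

# Constructed Linux sample: "grep :80" would print two lines here and look
# healthy, but port 80 is bound to loopback and the other match is port 8080.
SAMPLE_LINUX='tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      911/nginx
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1020/java
tcp        0      0 10.11.192.1:22          0.0.0.0:*               LISTEN      800/sshd'

# Constructed Windows sample (netstat -ano layout).
SAMPLE_WINDOWS='  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2210'

printf '%s\n' "$SAMPLE_LINUX"   | check_listener 10.11.192.1 80 || true
printf '%s\n' "$SAMPLE_WINDOWS" | check_listener 10.11.192.1 80 || true
```

A `wrong-address` result means the service is up but bound to an address that SLB health checks and forwarded traffic cannot reach; rebind it to the internal IP address or to 0.0.0.0.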