
Troubleshoot inaccessible ports on a pingable instance

Last Updated: Jun 25, 2026

Problem description

When you connect to an ECS instance on a specific port, the connection fails with a Connection timed out or Connection refused error.

Causes

  • Blocked by network access control policies: A security group or the instance's internal firewall silently drops requests before they reach the application. The client receives no response, causing a Connection timed out error.

  • Target port not listening: The request reaches the instance's operating system, but no application listens on the target port. The OS rejects the request, causing a Connection refused error.

Use the Diagnostics tool

The self-service tool checks security group configurations, the instance's internal firewall, and port listening status, then generates a diagnostic report.

Open the Diagnostics page and select the target region.

If the tool cannot identify the issue, proceed with the following steps.

Troubleshoot manually

Connection timed out

  1. Check security group rules. Verify that an inbound rule allows access to the destination port and no higher-priority deny rule overrides it.

    1. Go to the ECS console - Instances page. Click the instance ID to open its details page.

    2. On the instance details page, click the Security Groups tab, then click the security group ID to open its details page.

    3. On the Inbound Rules tab, review the rules:

      • Check deny rules: Verify no high-priority deny rules block access.

      • Check allow rules: Confirm an allow rule exists for the source IP address and destination port.

  2. Check the instance's internal firewall:

    Alibaba Cloud Linux

    1. Log on to an ECS instance.

      1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.

      2. Navigate to the details page of the target instance. Click Connect and select Workbench. Follow the on-screen prompts to access the terminal.

    2. View the open ports in the firewall:

      firewall-cmd --list-all

    3. If the destination port is not listed, add a firewall rule. Replace <PORT> with the actual port number:

      firewall-cmd --zone=public --add-port=<PORT>/tcp --permanent

    4. Reload the firewall to apply the new rule:

      firewall-cmd --reload

    Ubuntu

    1. Log on to an ECS instance.

      1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.

      2. Navigate to the details page of the target instance. Click Connect and select Workbench. Follow the on-screen prompts to access the terminal.

    2. Check the UFW status and configured rules:

      sudo ufw status

    3. If the destination port is not listed, add a firewall rule. Replace <PORT> with the destination port number:

      sudo ufw allow <PORT>/tcp

    4. Reload the firewall to apply the new rule:

      sudo ufw reload

    Windows

    1. Log on to an ECS instance.

      1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.

      2. Navigate to the details page of the target instance. Click Connect and select Workbench. Set the connection method to Terminal Connection, enter your username and password, and log on to the graphical terminal.

    2. Open Windows Defender Firewall with Advanced Security:

      1. Search for Server Manager in the taskbar and open it.

      2. In Server Manager, choose Tools > Windows Defender Firewall with Advanced Security.

    3. Check and enable the required inbound rule:

      1. Check the firewall status. If the firewall is disabled, no further action is needed.

      2. If the firewall is enabled, click Inbound Rules in the left-side pane.

      3. Find Windows Remote Management - Compatibility Mode (HTTP-In).

      4. If the rule is not enabled, right-click it and select Enable Rule.

  3. Verify port accessibility from a local client (not the ECS instance):

    telnet <Public IP address> <Port number>

    If the output includes Connected to ..., the port is accessible.

Connection refused

Linux

  1. Log on to an ECS instance.

    1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.

    2. Navigate to the details page of the target instance. Click Connect and select Workbench. Follow the on-screen prompts to access the terminal.

  2. Check the port listening status. Replace <PORT> with the actual port number:

    netstat -an | grep <PORT>

  3. Analyze the results:

    • Listening: If the State column shows LISTEN, the port is listening normally.

      Important

      If the listening address is 127.0.0.1, the service accepts only local connections. Update the service configuration file (e.g., `nginx.conf` for Nginx or `sshd_config` for SSH) and change the listening address to `0.0.0.0` or the instance's public IP address.

    • Not listening: If no output is returned or the output lacks the LISTEN state, the service is not running. Start the service.

Windows

  1. Log on to an ECS instance.

    1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.

    2. Navigate to the details page of the target instance. Click Connect and select Workbench. Set the connection method to Terminal Connection, enter your username and password, and log on to the graphical terminal.

  2. Check the port with PowerShell:

    1. Search for PowerShell in the taskbar and open it.

    2. Check the port listening status. Replace <PORT> with the actual port number:

      netstat -ano | findstr "<PORT>"

    3. Analyze the results:

      • Listening: If the State column shows LISTENING, the port is listening normally. If the listening address is 127.0.0.1, the service accepts only local connections. Change the listening address from 127.0.0.1 to 0.0.0.0 or the instance's public IP address in the service configuration file.

      • Not listening: If no output is returned or the output lacks the LISTENING state, the service is not running. Start the service.
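
The listening-status analysis from the Linux and Windows steps above, as an added example that is not part of the original page: it reads netstat output and reports whether a port is not listening, bound to loopback only, bound to a specific address, or bound to all interfaces. The function name classify_listen and both sample outputs are constructed for illustration; matching is on the exact local port, so a plain text search for 80 that also hits 8080 or a PID column does not mislead.

```shell
# Added example: classify how a TCP port is bound, reading `netstat -an` (Linux)
# or `netstat -ano` (Windows) output on stdin. classify_listen is a hypothetical helper.
classify_listen() {
    awk -v port="$1" '
    {
        for (i = 3; i <= NF; i++) {
            if ($i !~ /^LISTEN/) continue      # LISTEN (Linux) or LISTENING (Windows)
            laddr = $(i - 2)                   # local address sits two columns before State
            n = split(laddr, part, ":")
            if (part[n] != port) continue      # exact port match, not a substring match
            addr = substr(laddr, 1, length(laddr) - length(part[n]) - 1)
            gsub(/^\[|\]$/, "", addr)          # strip brackets from [::]:3389
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") r = 3
            else if (addr ~ /^127\./ || addr == "::1")            r = 1
            else                                                  r = 2
            if (r > best) best = r             # report the widest binding found
        }
    }
    END {
        if      (best == 3) print "all-interfaces"
        else if (best == 2) print "specific-address"
        else if (best == 1) print "loopback-only"
        else                print "not-listening"
    }'
}

# Constructed sample output (not captured from a real host).
LINUX_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 172.16.0.10:22          203.0.113.5:51234       ESTABLISHED'

WINDOWS_SAMPLE='  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4321
  TCP    [::]:3389              [::]:0                 LISTENING       1234
  TCP    172.16.0.10:5985       0.0.0.0:0              LISTENING       4'

for p in 3306 22 8080 80; do
    printf 'linux   %-5s %s\n' "$p" "$(printf '%s\n' "$LINUX_SAMPLE" | classify_listen "$p")"
done
for p in 8080 3389 5985 4321; do
    printf 'windows %-5s %s\n' "$p" "$(printf '%s\n' "$WINDOWS_SAMPLE" | classify_listen "$p")"
done
```

On a live Linux instance, pipe the real output in, for example `netstat -an | classify_listen 443`. A result of all-interfaces means reachability is then decided only by the security group and firewall rules checked earlier.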