All Products
Search

This Product

    :Troubleshoot inaccessible ports on a pingable instance

    Document Center

    :Troubleshoot inaccessible ports on a pingable instance

    Last Updated:Nov 27, 2025

    Problem description

    When you try to connect to an Elastic Compute Service (ECS) instance on a specific port, the connection fails. The client reports a Connection timed out or Connection refused error.

    Causes

    • Blocked by network access control policies: Requests are silently dropped by a security group or the instance's internal firewall policy before reaching the application. The client receives no response, causing the Connection timed out error.

    • Target port not listening: The request reaches the instance's operating system, but no application is listening on the target port. The operating system rejects the request, causing the Connection refused error.

    Method 1: Use the self-service troubleshooting tool

    The Alibaba Cloud self-service troubleshooting tool helps you quickly check security group configurations, the instance's internal firewall, and the listening status of common application ports. The tool provides a clear diagnostic report.

    Click to go to self-service troubleshooting page, and switch to the target region.

    If the self-service troubleshooting tool cannot identify the issue, proceed with the following steps.

    Method 2: Manual troubleshooting

    Scenario 1: Connection timed out

    1. Check the security group rules. Ensure that an inbound rule allows access to the destination port and is not overridden by a higher-priority deny rule.

      1. Navigate to the ECS console - Instances page and click the ID of the destination instance to open its details page.

      2. On the instance details page, switch to the Security Groups tab and click the ID of the target security group to open its details page.

      3. On the Inbound Rules tab, review the list of rules.

        • Check deny rules: Ensure that no high-priority deny rules are blocking access.

        • Check allow rules: Confirm that an allow rule exists for the source IP address and destination port.

    2. Check the instance's internal firewall.

      Alibaba Cloud Linux

      1. Log on to the ECS instance.

        1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

        2. Go to the details page of the target instance. Click Connect and select Workbench. Follow the prompts on the page to log on to the terminal.

      2. Run the following command to view the open ports in the firewall.

        firewall-cmd --list-all

      3. If the destination port is not in the list, add a firewall rule. To permanently open a specific TCP port and allow external access, replace <PORT> with the actual port number.

        firewall-cmd --zone=public --add-port=<PORT>/tcp --permanent

      4. Run the following command to restart the firewall for the new rule to take effect.

        firewall-cmd --reload

      Ubuntu

      1. Log on to the ECS instance.

        1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

        2. Go to the details page of the target instance. Click Connect and select Workbench. Follow the prompts on the page to log on to the terminal.

      2. Run the following command to check the UFW status and configured rules.

        sudo ufw status

      3. If the destination port is not in the list, run the following command to add a firewall rule. Replace <PORT> with the destination port number.

        sudo ufw allow <PORT>/tcp

      4. Run the following command to restart the firewall for the new rule to take effect.

        sudo ufw reload

      Windows

      1. Log on to the ECS instance.

        1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

        2. Go to the details page of the target instance, click Connect, and select Workbench. Set the connection method to Terminal, enter the username and password, and then log on to the graphical terminal page.

      2. Open Windows Defender Firewall with Advanced Security.

        1. Enter Server Manager in the taskbar search box and open it.

        2. In the upper-right corner of Server Manager, choose Tools > Windows Defender Firewall with Advanced Security.

      3. Check and enable the required inbound rule.

        1. Check the firewall status. If the firewall is disabled, no further action is needed.

        2. If the firewall is enabled, click Inbound Rules in the left-side pane.

        3. Find Windows Remote Management - Compatibility Mode (HTTP-In) in the rule list.

        4. If this rule is not enabled, right-click it and select Enable Rule.

    3. Verify that the port is accessible. Run the command from a local client, not from the ECS instance itself.

      telnet <Public IP address> <Port number>

      If the output includes Connected to ..., the network and port are accessible.

    Scenario 2: Connection refused

    Linux

    1. Log on to the ECS instance.

      1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

      2. Go to the details page of the target instance. Click Connect and select Workbench. Follow the prompts on the page to log on to the terminal.

    2. Run the following command to check the port listening status. Replace <PORT> with the actual port number.

      netstat -an | grep <PORT>

    3. Analyze the results.

      • Listening: If the value in the State column is LISTEN, the port is listening normally.

        Important

        If the listening address is 127.0.0.1, the service accepts only local connections. Check the service configuration file, such as `nginx.conf` for Nginx or `sshd_config` for the Secure Shell Protocol (SSH) service, and change the listening address to `0.0.0.0` or the instance's public IP address to allow external connections.

      • Not listening: If no output is returned, or if the output does not contain the LISTEN state, the service has not started. You must start the service.

    Windows

    1. Log on to the ECS instance.

      1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

      2. Go to the details page of the target instance, click Connect, and select Workbench. Set the connection method to Terminal, enter the username and password, and then log on to the graphical terminal page.

    2. Use PowerShell to check the port.

      1. In the taskbar search box, type PowerShell and open it.

      2. Run the following command to check the port listening status. Replace <PORT> with the actual port number.

        netstat -ano | findstr "<PORT>"

      3. Analyze the results.

        • Listening: If the output contains the LISTEN state, the port is listening normally. If the listening address is 127.0.0.1, the service accepts only local connections. You must modify the service's configuration file to change the listening address from 127.0.0.1 to 0.0.0.0 or the instance's public IP address to allow external connections.

        • Not listening: If no output is returned, or if the output does not contain the LISTEN state, the service has not started. You must start the service.