Troubleshooting for ping failure between ECS instances

Last Updated: Nov 26, 2020

Overview

This article describes how to troubleshoot a ping failure between ECS instances deployed in VPCs.

Detail

Troubleshoot a ping failure between ECS instances in a VPC in the following order:

  1. Confirm the source and destination addresses and instance IDs
  2. Check the routing configuration at the VPC layer
  3. Check the security policy configurations
  4. Check the ECS instance configuration

Step 1: Confirm the source and destination addresses and the source and destination instance IDs

You can call the corresponding API operation to obtain the instance IDs and IP addresses of the source and destination ECS instances.

Step 2: Check the routing configurations at the VPC layer

Check the route-related configurations at the VPC layer. The checks differ between the same-VPC scenario and the cross-VPC scenario:

  • Same-VPC scenario: routing problems are rare in this scenario, so this check can generally be skipped.
  • Cross-VPC scenario: this is divided into two cases, Cloud Enterprise Network and peering connection.
    • In the Cloud Enterprise Network case, check whether the route tables of the VPCs conflict with each other and whether the vSwitch routes have been published to the Cloud Enterprise Network.
    • In the peering connection case, check whether the route entry in each VPC is correctly configured and points to the correct router interface for the peer VPC.

Step 3: Check the security policy configurations

The security policy checks are also divided into the same-VPC scenario and the cross-VPC scenario:

  • Same-VPC scenario: check the following two factors:
    • The ECS instances must either belong to the same security group or authorize each other's IP addresses in their security group rules. Mutual authorization must be implemented through security groups. By default, the outbound traffic of an advanced security group is set to deny.
    • If a network ACL is used, make sure that its inbound and outbound rules allow the CIDR block or IP address of each party.
  • Cross-VPC scenario: check the following three points:
    • The security group of each ECS instance must allow the IP address or CIDR block of the peer ECS instance. By default, the outbound traffic of an advanced security group is set to deny.
    • If a network ACL is used, it must allow the CIDR block or IP address of the peer.
    • If a Cloud Firewall VPC firewall is used, check its access control policies.

Step 4: Check the configuration of the ECS instance

  1. Perform the following checks, depending on the operating system:
    • Linux: check whether iptables DROP policies or rules are in effect on the ECS instance.
    • Windows: check whether ICMP echo is allowed.
  2. Check whether third-party VPN software or security software is installed on the system that discards traffic or restricts ICMP.
  3. Check whether a self-built Docker installation on the system has added routes that divert traffic for the remote address into a container network.
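The Linux checks in step 4 (iptables DROP policies and routes diverted by a self-built Docker bridge), as an added example that is not part of the original article: two POSIX shell helpers that parse the text of `iptables-save` and `ip route`. The sample outputs, interface names and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not from a real instance).
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -s 172.16.0.0/24 -j ACCEPT
COMMIT'

# Constructed sample of `ip route` output: the self-built Docker bridge network
# 172.17.0.0/16 overlaps the CIDR block used by the remote peer.
ROUTE_SAMPLE='default via 172.16.0.253 dev eth0
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1'

# Print the filter-table lines that can discard ICMP: a DROP default policy on
# INPUT or OUTPUT, or an INPUT/OUTPUT rule matching icmp that jumps to DROP/REJECT.
icmp_drop_rules() {
    printf '%s\n' "$1" | awk '
        /^:(INPUT|OUTPUT) DROP/ { print }
        /^-A (INPUT|OUTPUT) / && /-p icmp/ && /-j (DROP|REJECT)/ { print }'
}

# Longest-prefix match over `ip route` text: print the device the kernel would use
# for the destination IPv4 address $2. If a Docker bridge wins, pings never reach eth0.
route_dev() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        function ip2n(s, o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        function masked(n, p) { return p == 0 ? 0 : int(n / 2^(32 - p)) * 2^(32 - p) }
        BEGIN { best = -1 }
        {
            cidr = ($1 == "default") ? "0.0.0.0/0" : $1
            split(cidr, parts, "/"); plen = parts[2] + 0
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (masked(ip2n(dst), plen) == masked(ip2n(parts[1]), plen) && plen > best) {
                best = plen; bestdev = dev
            }
        }
        END { print bestdev }'
}

# Stand-alone run against the constructed samples; on a real instance use
# icmp_drop_rules "$(iptables-save)" and route_dev "$(ip route)" <peer-ip>.
echo "ICMP-dropping iptables lines:"; icmp_drop_rules "$IPTABLES_SAMPLE"
echo "route for 172.17.5.9 (peer inside the overlapping CIDR): $(route_dev "$ROUTE_SAMPLE" 172.17.5.9)"
echo "route for 172.16.0.20 (same-subnet peer): $(route_dev "$ROUTE_SAMPLE" 172.16.0.20)"
```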

Application scope

  • Virtual Private Cloud