:Troubleshooting for ping attempts to pass the server and Port disconnection

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Introduction

This article describes how to troubleshoot problems when the ping command is used but the port is disconnected.

Background

Alibaba Cloud reminds you that:

• Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
• If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
• If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

If your website is inaccessible, see unable to access websites running on ECS instances for detailed troubleshooting methods. When you access the target server on a client, if you can ping but the service port cannot be accessed, you can refer to the following methods for troubleshooting.

• Step 1: Add an instance security group
• Step 2: Port Related services
• Step 3: Check the firewall configuration of the target server
• Step 4: Use a detection tool to perform inspection

Step 1: Add an instance security group

1. Log on to the ECS console.
2. In the left-side navigation pane, click instance image > Instance.
3. In the top navigation bar, select a region.
4. In instance list page in the ECS instance, and then click the instance ID to enter the instance details page.
5. In the left-side navigation pane, click security groups, and click the security group ID to go to the security group rules page.
6. On the security group rules page, click inbound and view access rules to check whether port-related authorization exists.
   • If the corresponding port is not authorized, add the authorization for the port. For more information, see add security group rules.
   • If you want to authorize the corresponding port, check whether the authorized object allows access from the local IP address.

Step 2: Port Related services

Run the following command to check whether the port is monitored:

Note:

• Linux how VNC remotely connect to the Linux instance, see via the VNC connect to log on to the Linux instance by using the.
• For more information about how to connect to a Windows instance through a VNC, see connect to a Windows instance through VNC.

netstat -ntpl|grep [$Port]

Note:[$Port] is the corresponding Port number.

The following command output is returned.

Note:

• 0.0.0.0 represents an arbitrary address available on the local machine. For example, 0.0.0.0:135 indicates port 135 of all addresses on the local machine.
• tcp 0.0.0.0:80 indicates that all available interfaces listen on TCP port 80.

• If the response is empty, the service corresponding to the port is not started. Start the service accordingly.
• If any command output is returned, the service is in the started state. If you confirm that the services can be restarted, restart the corresponding services. After the services are restarted, perform a connectivity test.

Step 3: Check the firewall configuration of the target server

Linux:

Log on to the target server through VNC Remote connection and run the following command to check the firewall configuration.

iptables -nL

If the response contains a rule for the corresponding port, delete the rule or disable the firewall and then test the port connectivity. You can disable the firewall as follows:

1. Run the following command to view the firewall status:

   systemctl status firewalld.service

2. Run the following command to disable the firewall.

   systemctl stop firewalld.service

3. Run the following command to disable the firewall service upon startup:

   systemctl disable firewalld.service

Windows:

Disable the firewall and then test the port connectivity. The procedure is as follows:

1. Connect to the target server through VNC Remote connection, and open control panel from the Windows Firewall.
2. In the Windows Firewall window, click enable or disable firewall. The custom settings page appears.
3. Set private network settings and public network settings to Windows Firewall off, and click OK.

Step 4: Use a detection tool to perform inspection

The port access failure may be caused by the Port interception on the node in the link. Use the tools for port availability detection to test whether the port is intercepted by any node. For more information about the port availability detection tool, see more information.

• Port availability test steps
• Case Analysis of detection results

Port availability test steps

Typically, you can perform the following steps:

1. Use the corresponding tools to test the availability of the target server and port according to the above.
2. Check and analyze the probe results to confirm the root cause of the problem. If the port is blocked at a hop, data is not returned for subsequent hops. Based on this, abnormal nodes can be identified.
3. If an exception exists, you can solve the problem in the following two ways.
   • You can call this operation to query a website based on the corresponding IP address and network type, such as Taobao IP Address Library.
   • You can also submit tickets to seek technical support from Alibaba Cloud.

     Note: When you open a ticket, you must add the port availability detection result to the ticket.

Case Analysis of detection results

This section describes two detection result cases, including the detection results and analysis.

Case 1

The detection results are as follows, the target Port has no data returned after the 3rd hop.

C:\>tracetcp www.aliyun.com:135
Tracing route to 115.X.X.27 on port 135
Over a maximum of 30 hops.
1       3 ms    3 ms    3 ms    1X.X.X.X
2       4 ms    3 ms    3 ms    2X.X.X.X
3       3 ms    3 ms    3 ms    3X.X.X.X
4       *       *       *       Request timed out.
5       *       *       *       Request timed out.
6       *       *       *       Request timed out.
7       *       *       *       Request timed out.
8       *       *       *       Request timed out.
9       *       *       *       Request timed out.
10      *       *       *       Request timed out.
11      *       *       *       Request timed out.
12      *       *       *       Request timed out.
Trace Complete.

Case analysis

Because the node is an intranet IP address, this may be caused by related security policies of the local network. Contact the local network administrator for further troubleshooting and analysis.

Case 2

The detection results are as follows, the target Port has no data returned after the 11th hop.

[root@mycentos ~]# traceroute -T -p 135 www.baidu.com
traceroute to www.baidu.com (111.13.100.92), 30 hops max, 60 byte packets
 1  * * *
 2  1X.X.X.X (1X.X.X.X)  4.115 ms  4.397 ms  4.679 ms
 3  2X.X.X.X (2X.X.X.X)  901.921 ms  902.762 ms  902.338 ms
 4  3X.X.X.X (3X.X.X.X)  2.187 ms  1.392 ms  2.266 ms
 5  * * *
 6  5X.X.X.X (5X.X.X.X)  1.688 ms  1.465 ms  1.475 ms
 7  6X.X.X.X (6X.X.X.X)  27.729 ms  27.708 ms  27.636 ms
 8  * * *
 9  * * *
10  111.13.98.249 (111.13.98.249)  28.922 ms 111.13.98.253 (111.13.98.253)  29.030 ms  28.916 ms
11  111.13.108.22 (111.13.108.22)  29.169 ms  28.893 ms 111.13.108.33 (111.13.108.33)  30.986 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *

Case analysis

Because this node belongs to Beijing Mobile after query, you need to report the node to the operator or open a ticket for further investigation and analysis.

References

The tools used for port availability detection vary with the operating system. The port availability detection tools in the following systems are introduced here.

• Linux:
• Windows:

Linux:

traceroute is a network testing tool pre-installed in almost all Linux releases. It is used to track the path that an Internet Protocol (IP) data packet passes to a target address. traceroute sends TCP data packets to the target Port to detect the connectivity of the corresponding port on the entire link from the data packet source to the target server. The tool is described as follows:

Procedure

traceroute is a common command for port availability Detection. It is command format as follows:

traceroute [-n] -T -p [$Port] [$Host]

Note:

• -n: uses the IP address directly instead of the hostname (DNS lookup is disabled).
• -T: detects TCP.
• -p: sets the port number to be tested.
• [$Port]: the Port number to be tested, such as 80.
• [$Host]: indicates the IP address of the target ECS instance, such as 10.10.1.1.
• For more information about how to use traceroute, see using the man command.

Sample code

The example commands of traceroute and the returned results are as follows:

[root@centos~]#  traceroute -n -T -p 22 223.5.5.5
traceroute to 223.5.5.5 (223.5.5.5), 30 hops max, 60 byte packets
 1  5X.X.X.X  0.431 ms  0.538 ms  0.702 ms
 2  1X.X.X.X  0.997 ms  1.030 ms 10.88.16.21  1.309 ms
 3  5X.X.1X.2X  0.393 ms  0.390 ms 58.96.160.250  0.423 ms
 4  6X.X.X.X  1.110 ms 202.123.74.122  0.440 ms  0.440 ms
 5  6X.X.1X.X  1.744 ms 63.218.56.237  1.076 ms  1.232 ms
 6  63.2X.1X.1X  1.832 ms 63.223.15.90  1.663 ms 63.223.15.74  1.616 ms
 7  20X.97.1X.1X  2.776 ms 63.223.15.154  1.585 ms  1.606 ms
 8  * * 202.97.122.113  2.537 ms
 9  202.97.61.237  6.856 ms * *
10  * * *
11  * * *
12  * * 119.147.220.222  8.738 ms
13  119.147.220.230  8.248 ms  8.231 ms *
14  * 42.120.242.230  32.305 ms 42.120.242.226  29.877 ms
15  42.120.242.234  11.950 ms 42.120.242.222  23.853 ms 42.120.242.218  29.831 ms
16  42.120.253.2  11.007 ms 42.120.242.234  13.615 ms 42.120.253.2  11.956 ms
17  42.120.253.14  21.578 ms 42.120.253.2  13.236 ms *
18  * * 223.5.5.5  12.070 ms ! X

Windows:

You can run the tracetcp command to test the port availability in Windows. tracetcp also sends TCP data packets for link detection to analyze whether there are intermediate nodes in the link that block the target port. The tool is described as follows:

Download and installation

1. tracetcp depends on WinPcap library. Therefore, you must go to the official website to download the WinPcap library.
2. Download the latest version of tracetcp from the official tracetcp website.
3. Decompress the downloaded tracetcp file to the C:\Windows directory.

   Note: You can also decompress the package to a non-system directory, but you need to modify system environment variables to ensure that the extracted package can be called directly.

Procedure

Double-click the tracetcp application to open it. Common uses of tracetcp are as follows:

tracetcp [$IP]:[$Port]

Note:

• [$IP] indicates the IP address or domain name of the target server.
• [$Port] indicates the target Port to be tested.
• For more information, see tracetcp -? Command to view help information.

Sample code

The command and return result of tracetcp are as follows:

C:\ >tracetcp www.aliyun.com:80
Tracing route to 140.205.63.8 on port 80
Over a maximum of 30 hops.
1       3 ms    4 ms    3 ms    3X.X.X.X
2       13 ms   3 ms    4 ms    1X.X.X.X
3       3 ms    3 ms    2 ms    10.X.X.X
4       4 ms    3 ms    3 ms    4X.X.X.X
5       5 ms    4 ms    7 ms    5X.X.X.X
6       6 ms    5 ms    7 ms    6X.X.X.X
7       8 ms    8 ms    8 ms    42.120.247.97
8       10 ms   10 ms   8 ms    123.56.34.246
9       9 ms    9 ms    11 ms   42.120.243.117
10      *       *       *       Request timed out.
11      Destination Reached in 8 ms. Connection established to 140.205.63.8
Trace Complete.

Application scope

• Elastic Compute Service