This topic describes common faults of NAT gateways and provides solutions.

An Elastic Compute Service (ECS) instance specified in a DNAT entry cannot be accessed over the Internet

The issue may arise due to one of the following causes:
  • The rules of the security group to which the ECS instance is added do not allow Internet access to the private port specified in the DNAT entry.

    Check whether the security group rules allow Internet access to the private port specified in the DNAT entry. If they do not, add a rule that allows access to that port. For more information, see Add security group rules.

    To check whether the private port specified in the DNAT entry is reachable, run the telnet <private IP address of the ECS instance> <private port> command on another ECS instance in the same virtual private cloud (VPC).
    • If the following message is returned, the private port is accessible.
      Connected to <private IP address of the ECS instance>
    • If the following message is returned, the private port is inaccessible.
      unable connect to remote host: Connection timed out
    If the private port cannot be accessed from within the VPC, it cannot be accessed over the Internet either.
  • The route table does not contain a custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the NAT gateway.

    The ECS instance specified in the DNAT entry needs a route that points to the NAT gateway so that its responses can be returned to the Internet client. Check whether the system route table or the custom route table associated with the vSwitch contains a 0.0.0.0/0 route that points to the NAT gateway. If the route does not exist, add one. For more information, see Add routes to a route table.

ECS instances attached to a newly created vSwitch in a VPC cannot use SNAT to access the Internet

ECS instances attached to a newly created vSwitch in a VPC cannot use SNAT to access the Internet, but ECS instances attached to other vSwitches in the same VPC can. The issue may arise due to one of the following causes:
  • Existing SNAT entries of the NAT gateway do not include the CIDR block of the newly created vSwitch.

    A NAT gateway does not automatically create an SNAT entry for a newly created vSwitch. Check whether the CIDR block of the newly created vSwitch is covered by an existing SNAT entry of the NAT gateway. If it is not, the ECS instances attached to the vSwitch cannot access the Internet, and you must create an SNAT entry for the vSwitch. For more information, see Create and manage SNAT entries.

  • The newly created vSwitch is associated with a custom route table, but the custom route table does not contain a custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the NAT gateway.

    Check whether the custom route table contains such a route. If the route does not exist, add one. For more information, see Add routes to a route table.

ECS instances in a vSwitch cannot access the Internet when multiple NAT gateways exist in a VPC

The issue arises when all of the following conditions are met:
  • Only the system route table is used in the VPC.
  • The route table contains only one custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is one of the NAT gateways.
  • The CIDR block of the vSwitch is not included in the SNAT entries of the NAT gateway that the preceding route points to.

  • If you do not require multiple NAT gateways, we recommend that you delete the NAT gateways that are not needed and add SNAT entries to the remaining NAT gateways.
  • If you require multiple NAT gateways, see Deploy multiple Internet NAT gateways in one VPC.
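The two SNAT checks above (a vSwitch whose CIDR block is not covered by the SNAT entries of the NAT gateway that its default route points to, or a route table with no 0.0.0.0/0 route to a NAT gateway at all) can be expressed as one lookup. The following is an added example that is not part of the original topic; the route tables, NAT gateway IDs, SNAT entries and vSwitch CIDR blocks are constructed sample data, not values from any real VPC.

```python
import ipaddress

# Constructed sample VPC: two NAT gateways, a system route table whose
# default route points at ngw-a, and a custom route table with no default route.
ROUTE_TABLES = {
    "system": [{"dst": "0.0.0.0/0", "next_hop": "ngw-a"}],
    "custom-1": [{"dst": "10.0.0.0/16", "next_hop": "local"}],
}
# SNAT entries per NAT gateway: the source CIDR blocks each gateway translates.
SNAT_ENTRIES = {
    "ngw-a": ["10.0.1.0/24", "10.0.2.0/24"],
    "ngw-b": ["10.0.3.0/24"],
}
# vSwitches with their CIDR block and the route table they are associated with.
VSWITCHES = {
    "vsw-1": {"cidr": "10.0.1.0/24", "route_table": "system"},
    "vsw-3": {"cidr": "10.0.3.0/24", "route_table": "system"},
    "vsw-4": {"cidr": "10.0.4.0/24", "route_table": "custom-1"},
}


def default_route_gateway(routes, snat_entries):
    """Return the NAT gateway that the 0.0.0.0/0 route points to, or None."""
    for route in routes:
        if route["dst"] == "0.0.0.0/0" and route["next_hop"] in snat_entries:
            return route["next_hop"]
    return None


def snat_covers(gateway, cidr, snat_entries):
    """True if some SNAT entry of the gateway contains the whole vSwitch CIDR block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(entry))
               for entry in snat_entries[gateway])


def diagnose(vswitch_id, route_tables, snat_entries, vswitches):
    """Explain why ECS instances in a vSwitch cannot use SNAT, or return 'ok'."""
    vsw = vswitches[vswitch_id]
    gateway = default_route_gateway(route_tables[vsw["route_table"]], snat_entries)
    if gateway is None:
        return "no 0.0.0.0/0 route to a NAT gateway in route table %s" % vsw["route_table"]
    if not snat_covers(gateway, vsw["cidr"], snat_entries):
        return "SNAT entries of %s do not cover %s" % (gateway, vsw["cidr"])
    return "ok"


if __name__ == "__main__":
    for vsw_id in VSWITCHES:
        print(vsw_id, "->", diagnose(vsw_id, ROUTE_TABLES, SNAT_ENTRIES, VSWITCHES))
```

vsw-3 is the multiple-NAT-gateway case: its default route leads to ngw-a, but only ngw-b has an SNAT entry for its CIDR block.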

Exceptions such as connection timeouts and slow download speeds occur when a client accesses the Internet

Exceptions such as connection timeouts and slow download speeds occur when a client, such as an application on an ECS instance, accesses the Internet. You can troubleshoot the issue by using one of the following methods:

  • If the monitoring data shows that exceptions occur only occasionally and are not due to either of the two causes listed below, enable the traffic monitoring feature to identify the source of the exceptions. This makes troubleshooting more efficient when multiple ECS instances share the NAT gateway. For more information, see View traffic monitoring data collected by NAT gateways.
    • If you use a pay-by-specification NAT gateway, check whether the number of concurrent connections, the rate of new connections, or other metrics exceed the upper limits of the specification. For more information, see View monitoring data. If connections are dropped because the upper limits are reached, we recommend that you upgrade the specification of your NAT gateway.
    • View the monitoring data to check whether packets are dropped because the maximum bandwidth value of the EIP associated with your NAT gateway is exceeded. For more information, see View the monitoring data of EIPs that are associated with NAT gateways. If packets are dropped due to bandwidth limits, we recommend that you increase the maximum bandwidth value of the EIP.
  • If multiple ECS instances that run Linux access a server that runs Linux by using the NAT gateway, TCP connection requests may be dropped by the Linux kernel, which leads to connection timeouts or failures. The cause is that all clients behind the NAT gateway share the same public IP address: with net.ipv4.tcp_tw_recycle enabled, the server discards SYN packets whose TCP timestamp is lower than the latest timestamp it has seen from that address, so connections from the other clients are silently dropped. We recommend that you disable the Linux net.ipv4.tcp_tw_recycle option on the server or the Linux net.ipv4.tcp_timestamps option on the client.
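A small check for the tcp_tw_recycle and tcp_timestamps combination described above, as an added example that is not part of the original topic. It reads the kernel settings from /proc/sys/net/ipv4 (the check functions take a plain mapping so they can also be run on values collected elsewhere); a missing tcp_tw_recycle file means the kernel no longer has that option, which is the case from Linux 4.12 onward.

```python
import os

PROC_IPV4 = "/proc/sys/net/ipv4"
KNOBS = ("tcp_tw_recycle", "tcp_timestamps")


def read_sysctls(base=PROC_IPV4):
    """Read net.ipv4 knobs from the /proc tree; None means the kernel has no such knob."""
    values = {}
    for name in KNOBS:
        path = os.path.join(base, name)
        if os.path.exists(path):
            with open(path) as f:
                values[name] = int(f.read().strip())
        else:
            values[name] = None  # tcp_tw_recycle was removed in Linux 4.12
    return values


def check_server(sysctls):
    """Run on the server side: tcp_tw_recycle=1 drops SYNs from NATed clients."""
    v = sysctls.get("tcp_tw_recycle")
    if v is None:
        return "tcp_tw_recycle absent (kernel >= 4.12): nothing to disable"
    if v == 1:
        return "tcp_tw_recycle=1: run sysctl -w net.ipv4.tcp_tw_recycle=0"
    return "tcp_tw_recycle=0: ok"


def check_client(sysctls):
    """Run on the client side: only matters if the server keeps tcp_tw_recycle=1."""
    v = sysctls.get("tcp_timestamps")
    if v == 1:
        return "tcp_timestamps=1: run sysctl -w net.ipv4.tcp_timestamps=0 if the server keeps tcp_tw_recycle"
    return "tcp_timestamps=%s: ok" % v


def nat_drop_risk(server_sysctls, client_sysctls):
    """The drop occurs only when both sides keep their option on; fixing either side is enough."""
    return (server_sysctls.get("tcp_tw_recycle") == 1
            and client_sysctls.get("tcp_timestamps") == 1)


if __name__ == "__main__":
    local = read_sysctls()
    print("as server:", check_server(local))
    print("as client:", check_client(local))
```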