What should I do if the Windows instance cannot access the external network?
Problem Description
On a Windows ECS instance, the browser cannot be used to access the external network, as shown in the figure.
Possible Causes
The causes of this problem are similar to those of the problem in which the Windows instance cannot be reached over the network from outside. Common causes are listed below.
• Control by public network ISP operators.
• Abnormal behavior of the Windows instance caused Alibaba Cloud's security policy to prevent the Windows instance from accessing the external network.
• The Windows instance security group is incorrectly configured.
• Windows instance performance issues.
• Firewall policy restrictions on Windows instances.
• Restrictions imposed by third-party antivirus software installed on the Windows instance.
• Windows instances are affected by viruses and Trojan horses.
• There are bugs or compatibility issues in the TCP/IP protocol stack of Windows instances.
• The Routing and Remote Access service is installed on the Windows instance but is configured incorrectly.
• The routing table and network configuration of the Windows instance are incorrect.
Solution
You can troubleshoot and solve problems through comparative testing and using tools to capture network packets, as follows:
Note: This article uses the Windows Server 2019 Datacenter Edition 64-bit (Chinese) operating system as the test example.
Method 1: Comparative test and investigation
You can select the corresponding troubleshooting steps according to the actual situation.
Check the Windows instance status in the cloud security center to confirm that the Windows status is normal
1. On the Host Assets page of the Cloud Security Center, first check whether the instance is at risk.
2. Click the target instance ID to open the instance details page, where you can view the vulnerability information, application vulnerability information, defense information, security settings, security alarm handling, etc. of the ECS instance, and then return the Windows instance to a normal status.
3. Check whether the Windows instance is disconnected from the specific network segment where the website is located.
If the Windows instance fails to communicate only with the specific network segment where the website is located, the problem may be related to the operator's control. In that case, use the ping command in the CMD command prompt against several related network segments and compare the results. The operation steps are as follows:
Note: Pinging network segments is only useful for this specific kind of network failure and is not suitable for troubleshooting all network faults.
a. Open a command prompt.
1) In the lower left corner of the desktop, click the search icon, enter cmd in the search box, and then click Command Prompt.
2) Enter the command prompt.
b. In the command prompt, execute the ping command against the related network segments and compare the results.
In the command prompt, execute the ipconfig /all command to check whether the network card configuration is correct
1. Open a command prompt.
a. In the lower left corner of the desktop, click the search icon, and then enter cmd in the search box.
b. Click Command Prompt.
Enter the command prompt.
2. Execute the ipconfig /all command to check the network card configuration information.
3. Enter ncpa.cpl on the desktop to open the network sharing and management center, and check whether the network card is sending and receiving data normally.
a. In the lower left corner of the desktop, click the search icon, enter ncpa.cpl in the search box, and click ncpa.cpl.
b. On the Network Connections page, double-click the target NIC.
Check whether the network card is sending and receiving data normally. If it is, the network card is enabled and working normally.
In the command prompt, use the nslookup or ping command to check whether there is a DNS resolution problem
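The DNS check and the segment-by-segment ping comparison described above can be run in one pass that reports, per target, which layer fails. This is an added PowerShell example, not part of the original article; the host names and the port are placeholders (assumptions) to replace with the site that fails and known-good comparison sites.

```powershell
# Added example: per-target check of DNS, ICMP and TCP from the instance.
# The names below are placeholders (assumptions): use the site that fails
# plus sites on other network segments that are known to work.
$Targets = @('failing-site.example', 'comparison-site.example')
$Port    = 443   # assumed HTTPS; change to the port the site uses

function Test-TargetLayers {
    param([string]$Name, [int]$Port)

    $r = [ordered]@{
        Target = $Name; Address = $null; DNS = $false
        ICMP = $null; TCP = $null; Verdict = $null
    }

    # Layer 1: name resolution (what nslookup checks)
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
             Where-Object { $_.IPAddress } | Select-Object -First 1
    } catch { $a = $null }
    if (-not $a) {
        $r.Verdict = 'DNS: no A record; check DNS servers in ipconfig /all'
        return [pscustomobject]$r
    }
    $r.DNS = $true
    $r.Address = $a.IPAddress

    # Layer 2: ICMP echo to the resolved address (what ping checks)
    $r.ICMP = Test-Connection -ComputerName $r.Address -Count 2 -Quiet

    # Layer 3: TCP handshake to the service port
    $r.TCP = (Test-NetConnection -ComputerName $r.Address -Port $Port `
              -WarningAction SilentlyContinue).TcpTestSucceeded

    $r.Verdict = if ($r.TCP) {
        'reachable'
    } elseif ($r.ICMP) {
        'ping works, TCP blocked: check security group, firewall, antivirus'
    } else {
        'no reply: if only this segment fails, suspect operator control or routing'
    }
    [pscustomobject]$r
}

$Targets | ForEach-Object { Test-TargetLayers -Name $_ -Port $Port } |
    Format-Table -AutoSize -Wrap
```

A target that fails at the DNS layer while others resolve points at name resolution rather than connectivity; a target that fails ICMP and TCP while the comparison targets succeed matches the single-segment case described earlier.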
Check Windows instances for performance issues
Windows instances may have problems such as high CPU resource usage, memory exhaustion, full bandwidth usage, and network dynamic port exhaustion. You can check them in the following ways:
• Use tools for analysis. For details, see the introduction of Windows system memory analysis tools.
• Check the performance information of Windows instances through the ECS console or cloud monitoring console. For details, see Viewing Instance Monitoring Information.
Check whether the security group rules of the Windows instance are correct
Check the security group rules of the Windows instance. If the configuration is wrong, change the security group configuration to allow all network communication for testing.
• For details on how to view the security group rules of a Windows instance, see Viewing Individual Instance Information on the Instance Details Page.
• For details about adding or modifying security group rules, see Adding Security Group Rules or Modifying Security Group Rules.
Check whether the firewall policy configuration is correct
You can disable the firewall on the Windows instance first, and then test whether the website can be accessed normally. If it can be accessed after the firewall is disabled, you need to check the firewall policy configuration. The specific operations are as follows:
1. In the lower left corner of the desktop, select the Start icon > Server Manager.
2. On the Server Manager page, click Local Server in the left navigation bar.
3. In the Properties area, click Firewall Status to the right of Windows Defender Firewall.
4. On the Windows Security Center page, follow the on-screen prompts to disable the firewall.
5. Revisit the website.
If the website can be accessed normally, you need to continue to check the firewall policy configuration.
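One way to carry out that policy check is to list what Windows Defender Firewall is actually blocking outbound, so the responsible rule can be identified. This is an added PowerShell example using the built-in NetSecurity cmdlets, not part of the original article; the function name Get-OutboundBlockRule is hypothetical.

```powershell
# Added example: read-only inspection of outbound firewall policy.
# Run in an elevated PowerShell session on the Windows instance.

# Per-profile state. DefaultOutboundAction = Block means every outbound
# connection without a matching Allow rule is dropped.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Which profile (Public/Private/Domain) each network adapter is using.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Hypothetical helper name. Lists enabled outbound Block rules together
# with the ports, remote addresses and programs they match.
function Get-OutboundBlockRule {
    # ActiveStore = rules actually enforced, including Group Policy ones.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound `
        -Action Block -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            RemotePort    = $port.RemotePort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Program       = $app.Program
            Source        = $_.PolicyStoreSourceType
        }
    }
}

Get-OutboundBlockRule | Format-Table -AutoSize -Wrap
```

A rule whose program is the browser, or whose remote port covers 80 or 443, on the profile the adapter is using is the candidate to correct, after which the firewall can be turned back on.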
Revisit the website after disabling or uninstalling the third-party antivirus software in the Windows instance
You can refer to the relevant documents of the third-party antivirus software to disable or uninstall the third-party antivirus software in the Windows instance, and then visit the website again.
Run the Windows Update program to install the latest version of the patch
This operation rules out problems in the operating system's TCP/IP protocol stack itself. The operation steps are as follows:
1. In the lower left corner of the desktop, click the search icon, enter update in the search box, and then click Check for Updates.
2. On the Windows update page, click Download to install the latest patch.
3. Revisit the website.
Method 2: The tool captures network packets for analysis
Use a packet capture tool (such as Wireshark) on a Windows instance to capture data packets, and analyze whether there are DNS resolution, ARP resolution, or TCP connection failure problems in the network packets based on the packet capture results.