Troubleshooting a failure to ping the public IP address of an ECS instance

There are many reasons why an ECS instance cannot be pinged. You can refer to this article, edited by Jiuhe Cloud, to troubleshoot.

Problem

The local client cannot ping the public IP of the target ECS instance, for example:

  • The local client is a Linux system, and there is no response when pinging the public IP of the target ECS instance.

  • The local client is a Windows system, and a request timeout error is displayed when pinging the public IP of the target ECS instance.

Check ECS instance status

An ECS instance can serve external traffic only when its status is Running. The inspection steps are as follows:

  1. Log in to the ECS management console.

  2. In the left navigation bar, select Instances and Images > Instances.

  3. In the upper left corner of the top menu bar, select the region where the target resource is located.

  4. On the instance list page, check the status of the target instance.

    • If the target instance is not in the Running status, select the corresponding solution based on the instance status. For more information, see Instance Lifecycle.

    • If the target instance is in the Running status, check the ECS instance security group rules.

Check ECS instance security group rules

By default, the security group of an ECS instance contains a rule that allows the ICMP protocol, so the ECS instance can be pinged. If this rule is deleted, the ECS instance cannot be pinged. You can troubleshoot by following these steps:

  1. Log in to the ECS management console.

  2. In the left navigation bar, select Instances and Images > Instances.

  3. At the top left side of the page, select the region where the target resource is located.


  4. On the ECS instance list page, click the target ECS instance ID.

  5. On the ECS instance details page, click the Security Group tab.

  6. Under the Security Group List tab, click the security group ID.

  7. On the security group rules page, check whether there are security group rules for the ICMP protocol in the inbound rules.


    • If there is no security group rule for the ICMP protocol, add the following inbound security group rule. For specific operations, see Adding Security Group Rules.

      • Authorization Policy: select Allow.
      • Priority: leave the default.
      • Protocol Type: select All ICMP (IPv4).
      • Port Range: -1/-1.
      • Authorization Object: it is recommended to allow access only from specific IPs.

    • If there are security group rules for the ICMP protocol, check the ECS instance firewall configuration.

Check ECS instance firewall configuration

Please select the corresponding check method based on the ECS instance operating system.

Check Linux system kernel parameters and firewall configuration


Whether a Linux system answers ping is determined by the kernel parameter icmp_echo_ignore_all and by the firewall settings. If either one blocks ICMP, the instance cannot be pinged.

Check Linux system kernel parameters

  1. Use VNC to remotely connect to the ECS instance.

    For specific operations, see Using VNC to log in to an instance.

  2. Execute the following command to view the value of the kernel parameter icmp_echo_ignore_all.

    cat /proc/sys/net/ipv4/icmp_echo_ignore_all

    • If the result is 0, all ICMP requests are allowed. Please check the Linux firewall configuration.

    • If the result is 1, all ICMP requests are prohibited. Please go to step 3.

  3. Execute one of the following commands to set the kernel parameter icmp_echo_ignore_all to 0, which allows all ICMP requests.

    1. Allow temporarily

      echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

    2. Allow permanently

      echo net.ipv4.icmp_echo_ignore_all=0 >> /etc/sysctl.conf
      sysctl -p

Check Linux firewall configuration

  1. Use VNC to remotely connect to the ECS instance.

    For specific operations, see Using VNC to log in to an instance.

  2. Execute the following command to view the firewall rules.

    iptables -L

    • If the following results are returned, the firewall rules are not blocking ICMP. Please check the ECS instance CPU usage or bandwidth usage.

      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT icmp -- anywhere anywhere icmp echo-request
      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      ACCEPT icmp -- anywhere anywhere icmp echo-reque

    • If the returned result shows that ICMP is blocked, execute the following commands to allow it.

      # -I inserts at the top of the chain; a rule appended with -A after an
      # existing DROP/REJECT rule would never be reached.
      # Chain INPUT
      iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT
      # Chain OUTPUT
      iptables -I OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
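
The two Linux checks above (kernel parameter, then firewall) combined into one first-match evaluation, as an added example that is not part of the original article. It assumes the rules are supplied in `iptables -S INPUT` format; the function name `echo_request_verdict` and the sample listing are constructed for illustration.

```sh
# Added example (not from the original article). Input format assumed:
# the output of `iptables -S INPUT`. Only unconditional rules are evaluated;
# rules qualified by -s/-d/-i or a non-icmp -m match are skipped.

# echo_request_verdict <icmp_echo_ignore_all value>   (rules on stdin)
# Prints blocked:kernel, blocked:rule:N, allowed:rule:N,
# blocked:policy or allowed:policy. N is the position in the INPUT chain.
echo_request_verdict() {
  if [ "$1" = "1" ]; then echo "blocked:kernel"; return; fi
  policy=ACCEPT; n=0
  while IFS= read -r line; do
    case $line in
      "-P INPUT "*) policy=${line#-P INPUT }; continue ;;
      "-A INPUT "*) n=$((n + 1)) ;;
      *) continue ;;
    esac
    # Drop the implicit "-m icmp" so that any remaining -m is a real condition.
    case $line in
      *"-m icmp "*) rest="${line%%-m icmp *}${line#*-m icmp }" ;;
      *) rest=$line ;;
    esac
    case $rest in
      *" -s "*|*" -d "*|*" -i "*|*" -m "*) continue ;;  # conditional rule
    esac
    case $rest in
      *" -p icmp "*) ;;                                 # ICMP rule
      *" -p "*) continue ;;                             # other protocol
    esac
    case $rest in
      *"--icmp-type 8 "*|*"--icmp-type echo-request "*) ;;
      *"--icmp-type "*) continue ;;                     # other ICMP type
    esac
    target=${rest##*-j }; target=${target%% *}
    case $target in
      ACCEPT) echo "allowed:rule:$n"; return ;;
      DROP|REJECT) echo "blocked:rule:$n"; return ;;
    esac
  done
  if [ "$policy" = ACCEPT ]; then echo "allowed:policy"; else echo "blocked:policy"; fi
}

# Constructed listing: the ACCEPT was appended with -A after an existing DROP.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
printf '%s\n' "$SAMPLE_RULES" | echo_request_verdict 0
```

On the instance itself the inputs would come from `cat /proc/sys/net/ipv4/icmp_echo_ignore_all` and `iptables -S INPUT`; the rule number reported corresponds to the position shown by `iptables -L INPUT --line-numbers`.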

Check ECS instance CPU usage or bandwidth usage

Check the usage of resources related to the public network, for example whether the public network bandwidth usage has reached 100%.

  • In the performance constraint mode of a burst performance instance, when the CPU usage reaches 100%, ping may fail or ping packets may be lost. For details, see Overview of Burst Performance Instances.

  • When the EIP or fixed public IP resource is full, ping packets may be dropped by rate limiting and the ping cannot succeed.

Check for the presence of black holes

Please check whether you have received a black hole notification. While the instance is in a black hole, you cannot connect to it remotely or ping it.

For more information, see Alibaba Cloud Black Hole Strategy.

Check whether there are security alerts in the Cloud Security Center

Please check the Cloud Security Center for any abnormal security alarm notifications. Malicious intrusion may also cause the ECS instance to fail to ping. For more information, see What is Cloud Security Center.

Check whether your instance is a Hong Kong or overseas instance

When an ECS instance in mainland China accesses an ECS instance in Hong Kong, China or overseas, the link quality may be affected by the carrier's line. It is recommended to try again after a while.

Check whether a certain client environment cannot ping

If only one client environment cannot ping while other client environments can ping successfully, it is recommended to conduct link testing between the client and the ECS instance. For specific operations, see Link Test Methods When Packets Are Lost or Unreachable Using the Ping Command.

Check whether the domain name is registered and whether domain name resolution is configured correctly

If you can ping the public IP but cannot ping the domain name, the domain name may not be registered or the domain name resolution may be abnormal.

According to the requirements of the Ministry of Industry and Information Technology, a website whose domain name resolves to a server in mainland China must complete website registration before it can be opened for normal access. A website may not be accessed before it obtains a registration number; that is, a website that has not been successfully registered cannot open web services to the outside world, otherwise it will be identified by the Alibaba Cloud monitoring system and its website services will be blocked.

  • If the domain name has not been registered, please register it first. For more information, see What Is ICP Filing?

  • If the domain name has been registered, please check whether the domain name resolution is invalid. For more information, see Test Methods for Resolution Effectiveness and Troubleshooting Ideas for Domain Name Resolution Not Effective.
