You may fail to ping Elastic Compute Service (ECS) instances for a variety of reasons. This topic describes how to troubleshoot the issue.
Problem description
You cannot ping the public IP address of an ECS instance from an on-premises client. Examples:
You use an on-premises Linux client to ping the public IP address of an ECS instance, and no response is returned, as shown in the following figure.
You use an on-premises Windows client to ping the public IP address of an ECS instance, and the Request timed out error is returned, as shown in the following figure.
Causes
Provided that your network connectivity is good and you can access or ping other websites, you may fail to ping the public IP address of the ECS instance for the causes that are described in the following table.
Cause | Solution |
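The ECS instance is not in the Running state. | Check the status of the ECS instance. |
The security groups of the ECS instance do not contain rules that allow access from the client. | Check the security group rules of the ECS instance. |
The firewall settings of the ECS instance do not allow access from the client. | Check the firewall settings of the ECS instance. |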
The CPU utilization or bandwidth utilization of the ECS instance is high. | Check the CPU utilization or bandwidth utilization of the ECS instance. |
Blackhole filtering is triggered for the ECS instance. | Check whether blackhole filtering is triggered for the ECS instance. |
The ECS instance has been compromised. | Check whether security alerts are generated in Security Center for the instance. |
The ECS instance is deployed in the China (Hong Kong) region or a region outside China. | Check whether the ECS instance is deployed in the China (Hong Kong) region or a region outside China. |
The ECS instance is unreachable from the client. | Check whether the ECS instance is unreachable from only the client. |
The domain name is not Internet Content Provider (ICP) filed or cannot be resolved. | Check whether the domain name is ICP filed and the resolution settings of the domain name. |
Check the status of the ECS instance
An instance can provide external services only if the instance is in the Running state. Perform the following operations to check the status of the ECS instance:
Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the upper-left corner of the top navigation bar, select the region in which the instance resides.
On the Instances page, find the instance and check the status of the instance.
If the instance is not in the Running state, resolve the issue based on the instance state. For more information, see Instance lifecycle.
If the instance is in the Running state, proceed to the operations that are described in the Check the security group rules of the ECS instance section of this topic.
Check the security group rules of the ECS instance
By default, the security groups of an ECS instance contain a rule that allows Internet Control Message Protocol (ICMP) traffic to the instance. If the rule is deleted, the instance cannot be pinged. Perform the following operations to check the security group rules of the ECS instance:
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Instances page, find the instance and click the instance ID.
On the Instance Details page, click the Security Group tab.
On the Security Groups tab, find a security group and click the security group ID.
On the Security Group Rules page, check whether an inbound rule that allows ICMP traffic exists.
If no inbound rules that allow ICMP traffic exist, add such a rule. For more information, see Add a security group rule.
Set Authorization policy to Allow, Protocol Type to All ICMP (IPv4), and Port Range to -1/1. Use the default Priority value and enter specific IP addresses in the Authorization Object field.
If a rule that allows ICMP traffic exists, proceed to the operations that are described in the Check the firewall settings of the ECS instance section of this topic.
Check the firewall settings of the ECS instance
Check the firewall settings of the ECS instance based on the operating system of the instance.
Check the kernel parameter and firewall settings of the Linux ECS instance
To ping a Linux ECS instance, the instance must have the icmp_echo_ignore_all kernel parameter set to 0 and firewall settings that allow ICMP traffic.
Check the kernel parameter of the Linux ECS instance
Connect to the ECS instance by using Virtual Network Computing (VNC).
For more information, see Connect to an instance by using VNC.
Run the following command to check the value of the icmp_echo_ignore_all kernel parameter:
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
If a value of 0 is returned, all ICMP traffic is allowed on the instance. Proceed to the operations that are described in the Check the firewall settings of the Linux ECS instance section of this topic.
If a value of 1 is returned, all ICMP traffic is denied on the instance. Proceed to Step 3.
Run one of the following commands to set icmp_echo_ignore_all to 0 to allow all ICMP traffic on the instance:
Run the following command to temporarily allow all ICMP traffic on the instance:
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all
Run the following commands to permanently allow all ICMP traffic on the instance:
echo net.ipv4.icmp_echo_ignore_all=0 >> /etc/sysctl.conf
sysctl -p
Check the firewall settings of the Linux ECS instance
Connect to the ECS instance by using VNC.
For more information, see Connect to an instance by using VNC.
Run the following command to check the firewall settings of the instance:
iptables -L
If the following command output is returned, ICMP traffic is allowed on the instance. Proceed to the operations that are described in the Check the CPU utilization or bandwidth utilization of the ECS instance section of this topic.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reque
If ICMP traffic is denied on the instance, run the following commands to allow ICMP traffic:
# Chain INPUT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Chain OUTPUT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
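The two Linux checks above, combined in one added example that is not part of the original documentation: it takes the icmp_echo_ignore_all value and the text of `iptables -S INPUT` and reports which rule decides an echo request. The function names are hypothetical, the sample rules are constructed, and only catch-all and plain `-p icmp` rules are modelled.

```shell
#!/bin/sh
# Added example, not from the original page. First-match evaluation of an ICMP
# echo request against `iptables -S INPUT` output. Assumption: rules with any
# other match (source, interface, state, ...) are not modelled and are skipped.

# echo_request_verdict RULES -> prints the target that decides a ping
echo_request_verdict() {
    erv_policy=ACCEPT
    while IFS= read -r erv_line; do
        case "$erv_line" in
            "-P INPUT "*) erv_policy=${erv_line#-P INPUT }; continue ;;
            "-A INPUT "*) erv_rest=${erv_line#-A INPUT } ;;
            *) continue ;;
        esac
        # Split the rule into its match part and its target
        erv_match=${erv_rest%%-j *}; erv_match=${erv_match% }
        erv_target=${erv_rest##*-j }; erv_target=${erv_target%% *}
        case "$erv_match" in
            ""|"-p icmp"|"-p icmp -m icmp --icmp-type 8") ;;  # applies to a ping
            *) continue ;;        # other protocol or type, or unmodelled match
        esac
        case "$erv_target" in
            ACCEPT|DROP|REJECT) echo "$erv_target"; return 0 ;;
        esac
    done <<EOF
$1
EOF
    echo "$erv_policy"            # no rule matched: the chain policy decides
}

# ping_diagnosis IGNORE_ALL RULES -> one-line finding for the two Linux checks
ping_diagnosis() {
    if [ "$1" != 0 ]; then
        echo "blocked by kernel: icmp_echo_ignore_all=$1"
        return 0
    fi
    pd_verdict=$(echo_request_verdict "$2")
    if [ "$pd_verdict" = ACCEPT ]; then
        echo "allowed"
    else
        echo "blocked by firewall: $pd_verdict is the first matching rule or policy"
    fi
}

# Constructed sample: an ACCEPT appended with -A lands after an existing DROP.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
ping_diagnosis 0 "$SAMPLE_RULES"
```

On an instance, pass "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)" and "$(iptables -S INPUT)" as the two arguments. When an earlier DROP or REJECT rule decides the packet, an ACCEPT rule added with -A has no effect until it is placed ahead of that rule, for example with iptables -I INPUT.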
Check the firewall settings of the Windows ECS instance
In this example, the ECS instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.
Connect to the ECS instance by using VNC.
For more information, see Connect to an instance by using VNC.
Click the icon to open Server Manager.
In the upper-right corner, choose Tools > Windows Defender Firewall with Advanced Security.
On the Windows Defender Firewall with Advanced Security page, check whether ICMP traffic is denied in the Inbound Rules and Outbound Rules sections.
If ICMP traffic is denied as shown in the following figure, allow ICMP traffic.
If ICMP traffic is allowed, proceed to the operations that are described in the Check the CPU utilization or bandwidth utilization of the ECS instance section of this topic.
Check the CPU utilization or bandwidth utilization of the ECS instance
Check the external resource usage of the instance. For example, check whether the public bandwidth utilization of the instance reaches 100%.
If the instance is a burstable instance that runs in standard mode, the instance cannot be pinged or packets may be lost during the pinging process when the CPU utilization of the instance reaches 100%. For more information, see Overview.
If the EIP or public IP address resources of the instance are occupied, the ping request to the instance may be dropped due to throttling. As a result, the instance cannot be pinged.
Check whether blackhole filtering is triggered for the ECS instance
Check whether you received a blackhole filtering notification for the instance. During blackhole filtering, the instance cannot be connected or pinged.
For more information, see Blackhole filtering policy of Alibaba Cloud.
Check whether security alerts are generated in Security Center for the instance
Check whether security alerts are generated in Security Center for the instance. Intrusions can also cause ping failures. For more information, see What is Security Center?
Check whether the ECS instance is deployed in the China (Hong Kong) region or a region outside China
If you use an ECS instance that is deployed in the Chinese mainland to access an ECS instance that is deployed in the China (Hong Kong) region or a region outside China, the quality of the link may be affected by Internet service provider (ISP) lines. We recommend that you try again later.
Check whether the ECS instance is unreachable from only the client
If you cannot ping the ECS instance from the client but can ping the instance from other clients, we recommend that you test the connectivity between the instance and the client. For more information, see Test network paths when packet loss or connection failures occur after the ping command is run.
Check whether the domain name is ICP filed and the resolution settings of the domain name
If the public IP address of the ECS instance can be pinged but the domain name cannot, the domain name may not have an ICP filing or cannot be resolved.
Domain names that are resolved to the IP addresses of servers deployed in the Chinese mainland must be ICP filed with the Ministry of Industry and Information Technology (MIIT) before the domain names can be accessed. If the domain name of a website does not have an ICP filing, the website cannot provide external services. If Alibaba Cloud detects that a website provides external services without an ICP filing, Alibaba Cloud blocks the website.
If the domain name of the website does not have an ICP filing, complete the ICP filing first. For more information, see What is an ICP filing?
If the domain name of the website is ICP filed, check whether the domain name can be resolved. For more information, see Check whether the DNS records take effect.