What do I do if I cannot connect to a Linux instance?

This topic describes how to troubleshoot the issue that you cannot connect to a Linux Elastic Compute Service (ECS) instance.

Important

Emergency connection to a Linux instance: If you need to perform O&M operations on a Linux instance at the earliest opportunity, you can connect to the instance by using Virtual Network Computing (VNC). For more information, see Connect to an instance by using VNC.

Causes

An SSH connection failure may be caused by various factors, such as the Pluggable Authentication Module (PAM) framework, security group settings, and SSH configurations. The following scenarios may occur when you cannot connect to a Linux instance. To troubleshoot the issue, perform operations based on the scenario.

No error message is returned.
An error message is returned.

No error message is returned

Use the troubleshooting tool to identify the issue

Use the troubleshooting tool to identify the preceding issue on your Linux instance, and then follow the on-screen instructions to resolve the issue. Perform the following steps:

Log on to the ECS console.
In the left-side navigation pane, click Troubleshooting.
In the top navigation bar, select the region and resource group to which the resource belongs.

On the Instance Troubleshooting page, click Instance Connection Errors or Startup Exceptions and follow the on-screen instructions to configure the troubleshooting parameters.

The following table describes the issues that you can troubleshoot.

Issue	Description

Issue	Description
Instance Connection Failure over the Internal Network by Using Workbench	(Recommended) Troubleshoot the issue that you cannot use the private IP address of an instance to connect to the instance by using Workbench.
Instance Connection Failure over the Internet by Using Workbench	(Recommended) Troubleshoot the issue that you cannot use the public IP address of an instance to connect to the instance by using Workbench.
Instance Connection Failure over SSH	(Recommended) Troubleshoot the issue that you cannot connect to an instance by using a third-party SSH client.
Instance Connection Error	Troubleshoot the issue that you cannot connect to an instance.

The following table describes the information about the instance that you want to troubleshoot.

If you select Instance Connection Failure over the Internal Network by Using Workbench, Instance Connection Failure over the Internet by Using Workbench, or Instance Connection Failure over SSH, configure the parameters described in the following table.

Parameter	Description	Example

Parameter	Description	Example
VPC	Select the virtual private cloud (VPC) in which the instance resides.	vpc-bp1******
Source	Specify the IP address of the host from which you want to initiate an SSH connection. Note If you select Instance Connection Failure over the Internal Network by Using Workbench or Instance Connection Failure over the Internet by Using Workbench, the source IP address is automatically populated without the need for manual configuration. If you select Instance Connection Failure over SSH, enter the public IP address of your on-premises computer. You can obtain the public IP address of your on-premises computer from `https://cip.cc/`.	47.*..**
Destination	Select the instance to which you want to connect for troubleshooting.	i-******
Destination Port	Select the SSH port on the instance to which you want to connect. Default value: 22.	22

Click Start and wait for the diagnostic results. After the diagnostic is complete, resolve the issue based on the diagnostic results.

Manually troubleshoot the issue

If you do not receive an error message when you fail to connect to a Linux instance, perform the following steps to troubleshoot the issue:

Step 1: Use Alibaba Cloud Workbench to connect to the instance

Use Workbench to connect to the instance. If you cannot connect to the instance by using Workbench, Workbench returns an error message and the corresponding solution. Perform the following steps:

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Instance page, find the Linux instance to which you want to connect and click Connect in the Actions column.
In the Remote connection dialog box, click Sign in now in the Workbench section.
Check whether you can connect to the instance.
In the Instance Login dialog box, the basic information about the instance is automatically populated by Workbench. Make sure that the basic information is correct. Then, enter a username and authentication information for the instance. Perform actions based on whether you can use Workbench to connect to the instance. For information about how to connect to a Linux instance by using Workbench, see Use Workbench to connect to a Linux instance over SSH.
- If you cannot use Workbench to connect to the instance, Workbench returns an error message and the corresponding solution. Resolve the issue based on the error message and the solution. After you troubleshoot the issue, use Workbench to connect to the instance. For information about the causes of and solutions to issues that may occur when you connect to instances by using Workbench, see VNC connection issues.
- If you can use Workbench to connect to the instance, SSH works as expected on the instance. In this case, proceed to Step 2: Check network connectivity.

Step 2: Check network connectivity

If you cannot connect to a Linux instance, check the network connectivity of the instance.

Use computers from different CIDR blocks or different operators to connect to the instance over other networks and check whether the issue is related to the on-premises network or the server side.
- If the issue is related to your on-premises network or your carrier, contact your on-premises IT personnel or your operator.
- If an exception occurs on a network interface (NIC) driver, re-install the driver.
Run the ping command on your on-premises client to test the network connectivity of the instance.
- If a network exception occurs, capture packets to analyze the cause of the exception. For more information, see How do I capture data packets when a network exception occurs?
- If the ping packet is dropped or the instance cannot be pinged, use the tracert or My Traceroute (MTR) tool to test the network path and identify the cause of the issue. For more information, see Use MTR to analyze network paths.
- If intermittent packet loss occurs, the network connectivity of the instance is unstable and the instance may be infected by viruses. For information about how to troubleshoot the issue, see Use the ping command to test intermittent packet loss of the IP address of an ECS instance.
- If ping is enabled in the kernel of the instance but you cannot ping the instance from your on-premises client, the firewall on the instance may be configured to deny traffic from the client.
  For information about how to troubleshoot the issue, see Solution to Linux ECS instances that allow ping but cannot be pinged.

Step 3: Check the ports and security groups of the instance

Check whether the required connection ports are open in the security groups of the instance.

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Instance page, click the ID of the instance.
Click the Security Groups tab, find a security group, and then click Manage Rules in the Operation column.
In the Access Rule section, use one of the following methods to add an inbound security group rule. For more information, see Add a security group rule.
- Method 1: Use the Quick Add feature to add a security group rule
  - Action: Allow.
  - Port Range: SSH (22).
  - Authorization Object: the IP address of your on-premises computer. You can obtain the IP address of your on-premises computer from https://cip.cc/.
- Method 2: Manually add a security group rule
  - Action: Allow.
  - Priority: 1, which specifies the highest priority. A smaller number specifies a higher priority.
  - Protocol Type: Custom TCP.
  - Port Range: SSH (22).
  - Authorization Object: the IP address of your on-premises computer. You can obtain the IP address of your on-premises computer from https://cip.cc/.
Run the following command to check whether the SSH port is open on the instance:
```
telnet [$IP] [$Port]
```
Note
- [$IP] specifies the IP address of the instance.
- [$Port] specifies the SSH port number of the instance.
Sample command: telnet 192.168.0.1 22. The following command output indicates that the SSH port is open on the instance:
```
Trying 192.168.0.1 ...
Connected to 192.168.0.1.
Escape character is '^]'
```
If the SSH port is closed on the instance, troubleshoot the issue as described in What do I do if I cannot ping the public IP address of an ECS instance?

Step 4: Check the CPU load, bandwidth utilization, and memory usage of the instance

If you cannot connect to a Linux instance, the instance may have high CPU load, insufficient public bandwidth, or insufficient memory.

Check the CPU load on the instance and perform operations based on the check result.
- If the CPU load is high, upgrade the instance type.
  If the applications that are hosted on the instance perform large numbers of read/write operations on disks, initiate large numbers of network requests, or generate compute-intensive workloads, the CPU load on the instance becomes high. In this case, we recommend that you upgrade the instance type to resolve resource bottleneck issues. For more information, see Overview of instance configuration changes.
  Note
  For information about how to resolve the high-CPU-load issue, see Troubleshoot and resolve high CPU utilization or high CPU load issues on Linux ECS instances.
- If the CPU load is not high, proceed to the next step.
Troubleshoot an insufficient public bandwidth issue.
If you cannot connect to a Linux instance, the instance may have insufficient public bandwidth. To troubleshoot the issue, perform the following steps:
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Instances & Images > Instances.
3. In the top navigation bar, select the region and resource group to which the resource belongs.
4. On the Instance page, click the ID of the instance. In the Configuration Information section, view the value of the Internet Bandwidth parameter.
  If the value is 0 Mbps, the instance has no public bandwidth. To allocate public bandwidth to the instance, upgrade the public bandwidth configurations. For more information, see the Modify the maximum public bandwidth section of the "Overview of instance configuration changes" topic.
Troubleshoot an insufficient memory issue.
If the desktop is not displayed as expected for the Linux instance and the instance exits without an error message after you connect to the instance, the instance may have insufficient memory. In this case, check the memory usage of the instance. Perform the following steps:
1. Connect to the instance by using VNC.
  For more information, see Connect to an instance by using VNC.
2. Check the memory usage. If the instance memory is insufficient, we recommend that you upgrade the instance to an instance type that has a larger memory size. For more information, see Overview of instance configuration changes.

An error message is returned

In most cases, an error message is returned when you cannot connect to an instance. You can identify and resolve the issue based on the error message.

PAM framework

The PAM framework in Linux can load the required security modules and implement access control policies, such as account policies and logon policies. If the configurations are invalid or relevant policies are triggered, SSH logon may fail. If SSH logon fails, troubleshoot the issue based on the returned error message. For more information, see the following topics:

System environment of the Linux instance

Exceptions, such as virus infection, invalid account configurations, and invalid environment configurations, in the system environment of a Linux instance may also cause SSH logon to fail. If SSH logon fails, troubleshoot the issue based on the returned error message. For more information, see the following topics:

SSH service and parameter settings

The default configuration file of the SSH service is /etc/ssh/sshd_config. If the parameter settings in the configuration file are invalid or relevant features or policies are enabled in the configuration file, SSH logon may fail. If SSH logon fails, troubleshoot the issue based on the returned error message. For more information, see the following topics:

SSH service-related directories or files

The SSH service checks the permission configurations and groups of relevant directories or files at runtime to ensure security. Improper permissions for the directories or files may cause the failure of the SSH service to run as expected and result in logon failures from clients. If SSH logon fails, troubleshoot the issue based on the returned error message. For more information, see the following topics:

SSH key configurations

SSH uses asymmetric encryption to encrypt data. The client and the server exchange and validate keys for message integrity and encryption. If SSH logon fails, troubleshoot the issue based on the returned error message. For more information, see the following topic:

What do I do if the "Host key verification failed" error message appears when I connect to a Linux ECS instance by using SSH?