Promo Center

50% off for new user

Direct Mail-46% off

Learn More

What do I do if a client can ping an instance but cannot ping a port of the instance?

Updated at: 2025-02-11 11:15

This topic describes how to troubleshoot the issue that a client can ping an Elastic Compute Service (ECS) instance but cannot ping a port of the instance.

Procedure

If you can use a client to ping an ECS instance but not a service port of the instance, access to the port may be blocked by specific nodes in the client-instance network path. Perform the following steps to troubleshoot the issue:

  1. Step 1: Check the security rules of the instance

  2. Step 2: Check the listening status of the port and related services

  3. Step 3: Check the firewall settings of the instance

  4. Step 4: Use a probing tool

Step 1: Check the security rules of the instance

If the port of the instance is unavailable, the port, such as port 80, may not be opened in security group rules of the instance. Perform the following operations to check the security group rules:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs. 地域

  4. On the instance list page, find the instance whose security group rules you want to check and click the instance ID.

  5. On the instance details page, click the Security Groups tab.

  6. On the Security Groups tab, find the security group whose rules you want to check and click the security group ID.

  7. On the security group rules page, check whether the port, such as port 80, is opened in the inbound security group rules.

    2023-06-04_16-56-00..png

Step 2: Check the listening status of the port and related services

If the port of the instance is unavailable, the port may not be listened on and the listening service may not be started. Perform the following operations to check the security group rules of the instance.

Linux instance
Windows instance

In this example, an instance that runs CentOS 7.9 is used. The operations may vary based on the Linux version.

  1. Connect to the Linux instance.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

  2. Run the following command to check whether the port is listened on:

    netstat -an | grep [$Port]    # Replace <Port> in [$Port] with the actual port number.

In this example, an instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Run the following command in Windows PowerShell to check whether the port is listened on:

    netstat -ano | findstr "[$Port]"   # Replace <Port> in [$Port] with the actual port number.

Step 3: Check the firewall settings of the instance

If the port of the instance is unavailable, access to the port may be blocked by the firewall of the instance. Perform the following operations to check the firewall settings of the instance.

Linux instance
Windows instance

In this example, an instance that runs CentOS 7.9 is used. The operations may vary based on the Linux version.

  1. Connect to the Linux instance.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

  2. Run the following command to check the firewall status:

    systemctl status firewalld
    • If the Active: inactive (dead) message is displayed in the command output, the firewall is disabled. In this case, no additional operation is required.

    • If the Active: active (running) message is displayed in the command output, the firewall is enabled. Proceed to Step 3.

  3. Run the following command to view the ports that are opened by the firewall:

    firewall-cmd --list-all
    • If the ports: 80/tcp message is displayed in the command output, port 80 is opened. In this case, no additional operation is required.

      2023-06-04_19-33-53..png

    • If the ports: 80/tcp message is not displayed in the command output, run the following command to open port 80:

      firewall-cmd --zone=public --add-port=80/tcp --permanent

      If success is returned, port 80 is opened.

In this example, an instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. In the lower-left corner of the desktop, click the 服务器管理..png icon to start Server Manager.

  3. In the upper-right corner, choose Tools > Windows Defender Firewall with Advanced Security.

    2023-05-28_20-21-16..png

  4. Check the status of the firewall.

    1. If the firewall is disabled, no additional operation is required.

      2023-06-04_18-49-00..png

    2. If the firewall is enabled, perform the following operations:

      1. In the Windows Defender Firewall with Advanced Security window, click Inbound Rules.

      2. Check the status of Windows Remote Management - Compatibility Mode (HTTP-In).

        • If the inbound rule for Windows Remote Management - Compatibility Mode (HTTP-In) is enabled, no additional operation is required.

        • If the inbound rule for Windows Remote Management - Compatibility Mode (HTTP-In) is disabled, right-click Windows Remote Management - Compatibility Mode (HTTP-In) and then select Enable Rule.

          2023-06-04_18-58-43..png

Step 4: Use a probing tool

The port of the instance may be unavailable because access to the port is blocked by specific nodes in the network path. Use a probing tool to check whether such a node exists.

Use a probing tool to check port availability

Linux client
Windows client

In most cases, you can use traceroute to check port availability in Linux. Traceroute is a network diagnostic tool that is used to trace the route taken by a packet, such as a TCP packet, on an IP network from source to destination. Traceroute checks the network connectivity of all nodes it pings along the path.

Install traceroute

sudo yum install -y traceroute

Traceroute command

Sample traceroute command syntax:

traceroute [-n] -T -p <Destination port number> <Host>
    Note
    • -n: uses IP addresses instead of hostnames to prevent reverse Domain Name System (DNS) lookups.

    • -T: uses TCP packets for probing.

    • -p: specifies the number of the port for probing.

    • <Destination port number>: specifies the number of the port for probing. Example: 80.

    • <Host>: specifies the IP address of the destination server. Example: 192.168.XXX.XXX.

Sample test

Sample traceroute command and output:

[test@centos~]# traceroute -n -T -p 22 223.5.XXX.XXX
traceroute to 223.5.XXX.XXX (223.5.XXX.XXX), 30 hops max, 60 byte packets
 1 5X.X.X.X 0.431 ms 0.538 ms 0.702 ms
 2 10.88.XXX.XXX 0.997 ms 1.030 ms 10.88.XXX.XXX 1.309 ms
 3 58.96.XXX.XXX 0.393 ms 0.390 ms 58.96.XXX.XXX 0.423 ms
 4 202.123.XXX.XXX 1.110 ms 202.123.XXX.XXX 0.440 ms 0.440 ms
 5 63.218.XXX.XXX 1.744 ms 63.218.XXX.XXX 1.076 ms 1.232 ms
 6 63.223.XXX.XXX 1.832 ms 63.223.XXX.XXX 1.663 ms 63.223.XXX.XXX 1.616 ms
 7 63.223.XXX.XXX 2.776 ms 63.223.XXX.XXX 1.585 ms 1.606 ms
 8 * * 202.97.XXX.XXX 2.537 ms
 9 202.97.XXX.XXX 6.856 ms * *
10 * * *
11 * * *
12 * * 119.147.XXX.XXX 8.738 ms
13 119.147.XXX.XXX 8.248 ms 8.231 ms *
14 * 42.120.XXX.XXX 32.305 ms 42.120.XXX.XXX 29.877 ms
15 42.120.XXX.XXX 11.950 ms 42.120.XXX.XXX 23.853 ms 42.120.XXX.XXX 29.831 ms
16 42.120.XXX.XXX 11.007 ms 42.120.XXX.XXX 13.615 ms 42.120.XXX.XXX 11.956 ms
17 42.120.XXX.XXX 21.578 ms 42.120.XXX.XXX 13.236 ms *
18 * * 223.5.XXX.XXX 12.070 ms !X

In Windows, you can use tracetcp to check port availability. Similar to traceroute, tracetcp also sends TCP packets to check the network path and analyze whether in-between nodes blocked access to the destination port.

Install tracetcp

  1. Download and install the WinPcap library from the WinPcap official website.

  2. Download the tracetcp package from the tracetcp official website.

  3. Decompress the downloaded tracetcp package to the C:\Windows directory.

    Important

    If you decompress the package to a non-system directory, modify system environment variables to ensure that the command can be directly run.

Procedure

Enter the tracetcp command in Windows PowerShell or Command Prompt. Sample tracetcp command syntax:

tracetcp <IP>:<Port>
    Note
    • <IP>: specifies the IP address or domain name of the destination server.

    • <Port>: specifies the destination port for probing.

    For information about more tracetcp parameters, run the tracetcp -? command to view the help.

Sample test

Sample tracetcp command and output:

C:\ >tracetcp www.aliyun.com:80
Tracing route to 140.205.XX.8 on port 80
Over a maximum of 30 hops.
1 3 ms 4 ms 3 ms 10.102.XXX.XXX
2 13 ms 3 ms 4 ms 10.102.XXX.XXX
3 3 ms 3 ms 2 ms 140.205.XXX.XXX
4 4 ms 3 ms 3 ms 180.163.XXX.XXX
5 5 ms 4 ms 7 ms 101.95.XXX.XXX
6 6 ms 5 ms 7 ms 124.74.XXX.XXX
7 8 ms 8 ms 8 ms 124.74.XXX.XXX
8 10 ms 10 ms 8 ms 114.80.XXX.XXX
9 9 ms 9 ms 11 ms 42.120.XXX.XXX
10 * * * Request timed out.
11 Destination Reached in 8 ms. Connection established to 140.205.XXX.XXX
Trace Complete.

Case analysis of probing results

If access to a port is blocked at a specific hop, no results are returned for all subsequent hops. The node in the hop is considered to be abnormal. Search for the network carrier of the node by using an IP search website, such as IP Search, and report the issue to the network carrier.

Example 1:

Probing result: No results are returned for the port at the 3rd and subsequent hops. Access to the port is blocked by the node in the 3rd hop.

Result analysis: The node uses a private IP address. Security policy settings of the local network caused this issue. Contact the local network management department for further analysis.

C:\> tracetcp www.aliyun.com:135
Tracing route to 115.102.XXX.XXX on port 135
Over a maximum of 30 hops.
1       3 ms    3 ms    3 ms    10.102.XXX.XXX
2       4 ms    3 ms    3 ms    10.102.XXX.XXX
3       3 ms    3 ms    3 ms    140.205.XXX.XXX
4       *       *       *       Request timed out.
5       *       *       *       Request timed out.
6       *       *       *       Request timed out.
7       *       *       *       Request timed out.
8       *       *       *       Request timed out.
9       *       *       *       Request timed out.
10      *       *       *       Request timed out.
11      *       *       *       Request timed out.
12      *       *       *       Request timed out.
Trace Complete.

Example 2:

Probing result: No results are returned for the port at the 11th and subsequent hops. Access to the port is blocked by the node in the 11th hop.

Result analysis: The node uses the network service that is provided by China Mobile Group Beijing Co. Ltd. Report the issue to this carrier.

[root@mycentos ~]# traceroute -T -p 135 www.baidu.com
traceroute to www.baidu.com (111.13.XXX.XXX), 30 hops max, 60 byte packets
 1  * * *
 2  111.13.XXX.XXX (111.13.XXX.XXX)  4.115 ms  4.397 ms  4.679 ms
 3  112.15.XXX.XXX (112.15.XXX.XXX)  901.921 ms  902.762 ms  902.338 ms
 4  200.35.XXX.XXX (200.35.XXX.XXX)  2.187 ms  1.392 ms  2.266 ms
 5  * * *
 6  58.200.XXX.XXX (58.200X.XXX.XXX)  1.688 ms  1.465 ms  1.475 ms
 7  63.128.XXX.XXX (63.128.XXX.XXX)  27.729 ms  27.708 ms  27.636 ms
 8  * * *
 9  * * *
10  200.38.XXX.XXX (200.38.XXX.XXX)  28.922 ms 200.38.XXX.XXX (200.38.XXX.XXX)   29.030 ms  28.916 ms
11  204.35.XXX.XXX (204.35.XXX.XXX)  29.169 ms  28.893 ms 204.35.XXX.XXX (204.35.XXX.XXX)  30.986 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *

  • On this page (1, T)
  • Procedure
  • Step 1: Check the security rules of the instance
  • Step 2: Check the listening status of the port and related services
  • Step 3: Check the firewall settings of the instance
  • Step 4: Use a probing tool
  • Use a probing tool to check port availability
  • Case analysis of probing results
Feedback
phone Contact Us